Reputation: 86
Securely store the "logged in" status of a user
I am using PHP and Codeigniter to do this. Currently I am just saving a cookie to the user with their username and a $logged_in variable set to true. Then when they try to access a page, I check for the status of their $logged_in, and if they are, they're free to access.
It occurs to me that this may not be the safest way to go about this. Is there a better tactic I should be using?
Upvotes: 0
Views: 225
Answers (2)
Reputation: 1205
CodeIgniter offers a nice solution to this problem - You can use Database Sessions.
With Database Sessions, all the data you put in a session is stored within your SQL database. The user gets a cookie with a unique session ID that changes on a regular basis. The session ID along with IP and User Agent is used to match up the user with their session data, thus making it impossible for users to tamper with their own session data, and very hard for them to hijack someone else's session.
You can read more about CodeIgniter Database Sessions in the CodeIgniter User Guide.
Upvotes: 0
Reputation: 76240
It's not safe at all. Cookie is considered user input and it can't be trusted in any case.
Use sessions instead. Also you could use some sort of custom login encrypted code (I'd personally suggest SHA1) that is matched against the login code in the database and is refreshed every, let's say, 5 minutes.
Upvotes: 3
Related Questions
- Codeigniter - How to avoid multiple login of an user storing his session in database
- Codeigniter - check if user is logged and exists (it's a real user)
- CodeIgnigter - How to store and access user login session
- Codeigniter: store user login and logouts times
- Best way to keep track of logged in user information
- Codeigniter - storing database results in session
- checking if a users logged in
- PHP: Storing the logged in user
- Codeigniter find whether user logged in or not
- How to verify if user is logged in?