I’m trying to roll my own authentication system in codeigniter, and have stumbled onto a couple of roadblocks.
If I have the sessions set to use a database, is userdata stored in the database alone or in the cookie as well? I’d like to store the hashed password in it to verify each page load that a user is actually logged in with the correct pass, and I do not want the hash to be accessible clientside at all.
How can I prevent sessions from being stolen? I’ve enabled IP and hostname verification, is that stuff automatic or do I have to perform the checks myself? Will that be enough to stop people from stealing session data?
Userdata can be stored in the Session. If you have sessions set up to use a database, the only cookie will be a ci_session cookie (or whatever you specify), and the cookie + IP/hostname will be matched to the database sessions table. Storing the hashed password in-session will be completely safe; it's in your own database. No problems.
Preventing sessions from being stolen should use an ip or hostname match (either every page load or a little less often; some people have dynamic IPs). Not sure about automatic verification, but it's always nice if you check by yourself. Preventing session data stealing is pretty much like that. Unless someone intercepts your cookie and magically reports a false IP (or, well, shares an IP/hostname with the target), it's enough. You could also do another check: match the user_agent. That you'll have to do manually. That's pretty much everything.
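The mechanism the answer describes, as an added Python illustration that is not CodeIgniter code and not part of the original thread: the browser receives only a random session id, the user data (including the password hash) lives in a server-side table, and every request is checked against the IP address and User-Agent recorded when the session was created. The table columns loosely follow the CodeIgniter 2.x ci_sessions layout; the function names, the match_ip / match_useragent switches, the 7200-second expiration and all sample addresses and values are this example's own constructed assumptions.

```python
"""Server-side session binding: cookie = opaque id, data + IP/User-Agent stay in the DB.

Added illustration, not CodeIgniter code. The ci_sessions columns loosely follow
CodeIgniter 2.x's session table; function names, the match_ip / match_useragent
switches and all sample values are this example's own (constructed).
"""
import json
import secrets
import sqlite3

SESS_EXPIRATION = 7200  # seconds of inactivity before a row is dropped (assumed value)
UA_MAX_LEN = 120        # store a bounded prefix of the User-Agent header


def open_store():
    """In-memory stand-in for the database sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE ci_sessions (
               session_id    TEXT PRIMARY KEY,
               ip_address    TEXT    NOT NULL,
               user_agent    TEXT    NOT NULL,
               last_activity INTEGER NOT NULL,
               user_data     TEXT    NOT NULL)"""
    )
    return conn


def create_session(conn, ip, user_agent, user_data, now):
    """Log a user in. user_data (e.g. user id and password hash) is written to
    the table only; the random session_id is the sole value sent as the cookie."""
    sid = secrets.token_hex(20)  # 40 hex chars of CSPRNG output
    conn.execute(
        "INSERT INTO ci_sessions VALUES (?, ?, ?, ?, ?)",
        (sid, ip, user_agent[:UA_MAX_LEN], now, json.dumps(user_data)),
    )
    return sid


def destroy_session(conn, sid):
    conn.execute("DELETE FROM ci_sessions WHERE session_id = ?", (sid,))


def load_session(conn, cookie_sid, ip, user_agent, now,
                 match_ip=True, match_useragent=True):
    """Per-request check. Returns the stored user_data dict, or None when the
    cookie is unknown, expired, or presented from a different IP / User-Agent.
    A mismatch destroys the row, so a copied cookie cannot be retried; the cost
    is that a legitimate user whose address changed is logged out too, which is
    why match_ip can be switched off for users on dynamic IPs."""
    row = conn.execute(
        "SELECT ip_address, user_agent, last_activity, user_data "
        "FROM ci_sessions WHERE session_id = ?", (cookie_sid,)
    ).fetchone()
    if row is None:
        return None
    stored_ip, stored_ua, last_activity, user_data = row
    if now - last_activity > SESS_EXPIRATION:
        destroy_session(conn, cookie_sid)
        return None
    if match_ip and stored_ip != ip:
        destroy_session(conn, cookie_sid)
        return None
    if match_useragent and stored_ua != user_agent[:UA_MAX_LEN]:
        destroy_session(conn, cookie_sid)
        return None
    conn.execute("UPDATE ci_sessions SET last_activity = ? WHERE session_id = ?",
                 (now, cookie_sid))
    return json.loads(user_data)


def demo():
    """Walk through the cases the answer discusses; returns a dict of outcomes."""
    conn = open_store()
    ua = "Mozilla/5.0 (constructed sample browser)"
    data = {"user_id": 42, "pw_hash": "constructed-hash-value"}

    sid = create_session(conn, "203.0.113.10", ua, data, now=1000)
    results = {
        # nothing but a 40-char random hex id reaches the client
        "cookie_is_opaque": len(sid) == 40 and all(c in "0123456789abcdef" for c in sid),
        # same browser, same address: session is served
        "same_client": load_session(conn, sid, "203.0.113.10", ua, now=1010),
        # copied cookie presented from another address: refused and destroyed
        "other_ip": load_session(conn, sid, "198.51.100.7", ua, now=1020),
        # ...and the original holder is now logged out as well
        "after_theft_attempt": load_session(conn, sid, "203.0.113.10", ua, now=1030),
    }

    # Relaxed mode for dynamic-IP users: bind to User-Agent only
    sid2 = create_session(conn, "203.0.113.20", ua, data, now=2000)
    results["dynamic_ip_relaxed"] = load_session(conn, sid2, "203.0.113.99", ua,
                                                 now=2010, match_ip=False)
    results["other_browser"] = load_session(conn, sid2, "203.0.113.99", "Other/1.0",
                                            now=2020, match_ip=False)
    # Idle past SESS_EXPIRATION: row dropped
    sid3 = create_session(conn, "203.0.113.30", ua, data, now=3000)
    results["expired"] = load_session(conn, sid3, "203.0.113.30", ua,
                                      now=3000 + SESS_EXPIRATION + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the layout is the one the answer makes: because only the id is ever sent to the browser, the hash in user_data is never exposed client-side, and the IP / User-Agent comparison is what turns a copied cookie into a rejected request. Whether the IP check runs on every load or less often is the trade-off the answer mentions for users on dynamic addresses; here it is modelled by the match_ip switch.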