I'm just getting into learning about sessions, and for my purposes, I want to create something that upon every request from the client, the server authenticates that user, and only then performs data-handling for that user.
However, I have seen a lot of examples with CodeIgniter where the session is set up like this:
$this->load->library('session');
$newdata = array(
    'username'  => 'johndoe',
    'email'     => '[email protected]',
    'logged_in' => TRUE
);
$this->session->set_userdata($newdata);
However, couldn't someone just create a cookie on their computer with a common username and the 'logged_in' state set to true, and suddenly they're authenticated without a password? This seems like a security flaw to me, but I see so many examples like this.
What is the proper way to authenticate the user on each request?
You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts with two cookie attributes: Secure and HttpOnly. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol; a cookie with the HttpOnly attribute is not exposed to client-side scripts.
Sessions are more secure than plain cookies, since the session data is normally kept on the server and protected by server-side controls.
In the application/config/config.php file of your CodeIgniter install you can choose to encrypt your cookies.
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = TRUE; // set from false to TRUE
Once this is set the set_userdata() and userdata() methods will transparently handle encrypting and decrypting the session data.
A full list of CodeIgniter session config options is at the bottom of this page:
http://codeigniter.com/user_guide/libraries/sessions.html
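To make the question's concern and the answer's fix concrete, here is an added example (not code from the question, the answer, or CodeIgniter, and in Python rather than PHP) that shows the naive pattern of trusting cookie contents next to two hardened forms: an opaque random session ID resolved against a server-side store on every request, and, where data must travel in the cookie, an HMAC tag that rejects a cookie the client edited or made up. CodeIgniter's encrypted cookie serves the same purpose as the signature; the key, store and function names here are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads it from configuration, not source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Server-side store: session ID -> user data. The cookie only carries the ID.
_sessions = {}


def naive_authenticate(cookie):
    """The pattern the question worries about: trusting cookie contents as-is.
    Anyone who writes logged_in=True into their own cookie is 'authenticated'."""
    return cookie.get("username") if cookie.get("logged_in") else None


def login(username):
    """Called once after the password check (not shown). Returns the cookie value."""
    session_id = secrets.token_urlsafe(32)  # unguessable, opaque
    _sessions[session_id] = {"username": username, "logged_in": True}
    return session_id


def authenticate(session_id):
    """Run on every request: the user is whoever the server-side record says,
    so a cookie value the client invented resolves to nothing."""
    record = _sessions.get(session_id)
    return record["username"] if record else None


def sign_userdata(userdata):
    """When data must live in the cookie: append an HMAC over the payload so
    any change made on the client side is detected on the next request."""
    payload = json.dumps(userdata, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_userdata(cookie_value):
    """Return the user data only if the tag matches; None for forged/tampered."""
    try:
        payload_hex, tag = cookie_value.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)
```

The store is a plain dict for the demo; in a real application it would be the database or cache that CodeIgniter's session driver writes to.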