
How to deal with login authentication and sessions

Using CodeIgniter to develop my latest project. With that said, what's the "best" way to deal with login sessions? Right now, I check the username/password against the DB. If it's a match, I set various session variables, one of them being the username. Throughout my site, I check to see if the user is logged in. I also read various blogs where people actually check the session against the PHP session ID of some sort.

So I guess my question is, what are some ways of making the site secure? Obviously I wouldn't keep anything in a cookie, the session would be kept in a DB table of some sort.


You are definitely on the right track there.

  • Authenticate credentials against the database
  • Store authentication state in the session data
  • Check if user is authenticated on each access to a page that requires authentication

To make your login process secure:

  • Don't store passwords in the db in plaintext, store their hashes (sha1() with a salt works well)
  • Sanitize any and all input that comes from the user (this includes login form data)
  • Don't store any data you don't want tampered with in cookies

I haven't personally used CodeIgniter, but I'm pretty sure a mature framework like that would have classes that deal with the problem built in by default.

Here is a quick tutorial for authentication in CI link


CodeIgniter does not use native PHP sessions. It generates its own session data. You need to load the library 'session' by calling $this->load->library('session');.

What I do is to encrypt the password when the user is registering by using the Encryption class. This is done by calling $this->load->library('encrypt'); and then $this->encrypt->encode("user_password"). You need to specify an encryption key by writing this in your config.php file: $config['encryption_key'] = "YOUR KEY";.

Then, to verify credentials, I get the encrypted password from the DB and call $this->encrypt->decode("user_password") and check if it matches with the password that the user wrote.

After verifying credentials, I save the info I want to store from the user in CodeIgniter's session. This is done by setting an array with the parameters desired and then calling $this->session->set_userdata($newdata);.

Example (copied from http://codeigniter.com/user_guide/libraries/sessions.html):

$newdata = array(
               'username'  => 'johndoe',
               'email'     => 'johndoe@some-site.com',
               'logged_in' => TRUE
           );

$this->session->set_userdata($newdata);

Then, to check if the user is logged in, you just have to test in every method if the user is logged in by calling something like this: $this->session->userdata('logged_in');

To log out a user, just destroy the session: $this->session->sess_destroy();.

In my experience there are a few things that the framework does for you:

  1. It destroys the session after certain amount of time of inactivity.
  2. CodeIgniter cleans the input data from forms. For example, if you try to enter "(" or "'" or any other characters that could break or create undesired SQL statements, CodeIgniter escapes them for you.
  3. It rocks. It's very flexible and complete.
  4. The user guide is your friend. It basically contains everything you need to know and gives you examples of how to do it.
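The login, check and logout flow described in the answer above, as an added example that is not from the original post or from CodeIgniter itself. It is written against the CodeIgniter 3 session, input, database and URL helper APIs, assumes a hypothetical `users` table with `id`, `username` and `password_hash` columns, and swaps the reversible encrypt/decode step for PHP's one-way password_hash()/password_verify(), so the stored value cannot be turned back into the password.

```php
<?php
// Added example, not the original answer's code. Assumes a `users` table whose
// `password_hash` column holds the output of password_hash() at registration.
defined('BASEPATH') OR exit('No direct script access allowed');

class Auth extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // CI keeps its own session data rather than native PHP sessions.
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->database();
    }

    // POST /auth/login: verify credentials, then store auth state in the session.
    public function login()
    {
        $username = (string) $this->input->post('username');
        $password = (string) $this->input->post('password');

        // Query builder binds the value, so it is escaped in the generated SQL.
        $user = $this->db->get_where('users', array('username' => $username))->row();

        // password_verify() compares against the stored one-way hash in constant
        // time; the plaintext password is never stored anywhere.
        if ($user === NULL || ! password_verify($password, $user->password_hash)) {
            // Same response for an unknown user and a wrong password.
            $this->session->set_flashdata('error', 'Invalid username or password');
            redirect('auth/login_form');
            return;
        }

        // Issue a fresh session ID so an ID handed out before login is not reused.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata(array(
            'user_id'   => (int) $user->id,
            'username'  => $user->username,
            'logged_in' => TRUE,
        ));
        redirect('dashboard');
    }

    // Call at the top of any controller method that requires an authenticated user.
    public function is_logged_in() { return $this->session->userdata('logged_in') === TRUE; }

    public function logout() { $this->session->sess_destroy(); redirect('auth/login_form'); }
}
```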


No matter what you save to a session, it's pretty secure since it's only saved on your (hopefully not shared) host server. If you would like to use a cookie, please store only a token that links to the user data over the database. I'm also pretty sure that CI has a basic auth module; if not, it's not too late to switch to Kohana for a good auth module and ORM goodness.
