I'm new in PHP and Codeigniter, by the way how to update database table when session in CI is expired and where I can put the code? I use uniqid in database, it's called token. here is my login tableusername, password, level, token, last_login, exp_time. and I want to change value token=null when session in Codeigniter is expired.
I think you're approaching this the wrong way. Sessions can expire passively, so your user DB would not be up to date.
You could use Codeigniter's option to store session data in your MySQL database and check against those entries.
Related
I'm building a Laravel 9 app that relies a lot on saved data for the user. Currently, I'm using Sessions only to retrieve this data from the user later on (anywhere from 1-600 minutes after the first visit).
Would it be wiser to use Session AND Cookies together, or would it be obsolete? I'm guessing if we lose the session data somehow, then we would use the cookie data as well? Obviously, first looking at the Session data, if it doesn't exist, then check the Cookie data.
Are there any other viable mechanisms to save user data and retrieve it at a slightly later time?
You can update 'lifetime' in config/session.php.
Have a look at this:
https://stackoverflow.com/a/26231287/9882603
I am using DB table to store session. Whenever I access any page in website, expire value in session table is getting updated.
I store a value in the session using the following api:
Yii::$app->session->set("key", $value);
After I use this command, session expire is not updating in database.
Another problem is that the stored value in session is only accessible during the same request.
Next request that value is not there in the session.
I google'd and tried all my luck but not able to figure why this is happening.
Thanks in advance
I'm attempting to share session data between my PHP site and an ASP site and as I have access to the ASP site's MSSQL database and some of the ASP session data appears to be in a database table I was hoping I could grab the session id from the session cookie and go from there.
I don't know a lot about ASP but from what I've read it takes the session id, encrypts it and produces a session cookie name / value. Does anyone know how I can decrypt that cookie and get the session id back?
Or is there a better way of doing this baring in mind although I have database access I'm not really able to make code changes.
You can access the sessionID via the Session object
<%
Response.Write(Session.SessionID)
%>
Note though that the session ID is only valid for a user's current session and is not persistent. i.e. if there's no activity for 20min a new session is created for the user if they return. I'd use regular cookies myself and pass a hash around.
How can I increase the security of my sessions?
$this->session->userdata('userid')
I've been throwing this little bad boy around for my ajax calls. Some cases I haven't. Then I was like, is this really secure using id from the DOM? what if the DOM is changed to hack user accounts data? So then I was like I guess anytime a user is doing something relating to their id, only sessions should be referenced. Am I right?
Referenced like so:
$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));
Then I read this:
While the session data array stored in the user's cookie contains a
Session ID, unless you store session data in a database there is no
way to validate it. For some applications that require little or no
security, session ID validation may not be needed, but if your
application requires security, validation is mandatory. Otherwise, an
old session could be restored by a user modifying their cookies.
http://codeigniter.com/user_guide/libraries/sessions.html
I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?
Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.
What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.
If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.
CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using
$this->session->userdata('userid');
you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.
There are several other protections around the session data: the short refresh timeout (usually 300 seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.
So, watch out for the guy sitting beside you!
I have a Symfony application which use a mysql database to store session data, and uses the SfGuard plugin to manage the authentication.
Despite that symfony allways save the authentication info in a cookie. Is there anyway i can disable cookies and store the authentication info in the database or in memory?
I might need in the future, to have a kind of single sign on feature, where the authentication state will persist between multiple applications, in different domains. Thats why I mostly want to eliminate the need to use cookies.
Thank you for your help.
You do not seem to understand how sessions work.
That cookie that gets sent to the cient is called the session id, and it's unique to the visitor. When he reqests a page from the server that cookie identifies the row in your session table where his data are - no data besides the ID is ever sent to the client.
Without that ID there's no way to pair a request to session data, that's why you could not log in anymore after disabling the cookies. The alternative to the cookie is to pass the session id some other way, like in the url - php can do that automatically, you just need to enable use_trans_sid in the php.ini.
Yes, you can store the authentication info in the database : See here how.