Destroy a specific session in codeigniter - php

I have a codeigniter application that I am using the Cart class to make an e-commerce store.
I am also using Codeigniter-Auth (a library) to make accounts on this system. I have noticed when I log out while testing the application, the session data for the shopping cart is also destroyed.
I noticed in the library this is how it logs the users in:
$data = array(
'id' => $row->id,
'name' => $row->name,
'email' => $row->email,
'loggedin' => TRUE
);
$this->CI->session->set_userdata($data);
And this is how it logs the user out:
return $this->CI->session->sess_destroy();
How do I tell codeigniter to only destroy the user session and not every session in the system?

Using:
$data = array(
'id' => $row->id,
'name' => $row->name,
'email' => $row->email,
'loggedin' => TRUE
);
$this->session->set_userdata($data); // instead of $this->CI->session->set_userdata($data);
You are actually setting 4 session variables! To unset a specific one, use:
$this->session->unset_userdata('loggedin');

I believe you can just use $this to refer to CodeIgniter's instance. You must also assign a "name" to your session data (variable) to be able to specifically unset it.
$this->session->set_userdata('sample_userlog',$data);
$this->session->unset_userdata('sample_userlog');
Hope this helps.

The documentation states to clear the current session use
$this->session->sess_destroy();
Note: This function should be the last one called, and even flash variables will no longer be available. If you only want some items destroyed and not all, use unset_userdata().
For example $this->CI->session->unset_userdata($data).

Related

Was my codeigniter Update successful or not?

I am using the Active Record in Code Igniter and I have the following code in my controller for my profile:
$data = array(
'first_name' => $_POST['first_name'],
'last_name' => $_POST['last_name'],
'email_address' => $_POST['email_address'],
'gravatar_email' => $_POST['gravatar_email']
);
$this->db->where('user_id', $session_data['id']);
$this->db->update('user_profiles', $data);
redirect('profile', 'refresh');
How do I do the redirect only if the update was successful or not? Also I would like to display a message to my user.
First of all, you shouldn't be accessing $_POST directly, there are helpers for that ($this->input->post('name') since they sanitize the data when used properly).
Secondly, you use something like $this->db->affected_rows(); to determine how many rows were changed and then judge what happened.
In your update, you might update 1 element, or x, you need to test for that before doing a redirect.
Hope that helps, when all else fails, read the CI guide, it is very well written.
Reference:
Query Helpers
Input Class / POST / GET etc;

How to make a Changelog?

For a Web-Application with many Database related events I want to build a Changelog. That should log what users have done, so its a Userlog too.
The App is huge, has a complex role based user access system and there will be hundreds of different events (changes) that may occur.
This all should be Database-Driven, in PHP and needs at least a View to search the Logs.
But in short, I have totally no idea how to design that all and need some tips or inspirations, maybe what others have done.
I've done this in the past and found basically 2 approaches: Model-based and Controller-based.
Model-based within the model itself override the save and update methods (assuming an ActiveRecord pattern) to create a new entry in the ChangeLog table.
Controller-based add the ChangeLog record creation logic to each controller that you want to track.
I prefer the Controller-based approach since you have more control over what's going on and when. Also, you have full access to the user session so it's easier to add tracking for auditing purposes.
Have solved that much more easy as it appears with my first thoughts.
This should do it most times without a comment:
protected function log($comment = ''){
$user = $this->user();
ORM::factory('Changelog')->vaules(array(
'user_id' => $user->pk(),
'section_id' => $user->section->pk(),
'username' => $user->username.'#'.$user->section->name,
'time' => time(),
'uri' => $this->uri($this->request->param(), $this->request->query()),
'controller' => $this->request->controller(),
'action' => $this->request->action(),
'post' => serialize($this->request->post()),
'comment' => $comment,
))->save();
}
A simple $this->log() and all is done.
Result: http://charterix.sourceforge.net/log.jpg

PHP Lithium - Authentication how to access session data

I have read about authentication in Lithium manual, still I have some questions about it.
After Auth::check ('default', $this->request), it will return an array of user data if succeed. I have finished this part according to the manual.
if I want to save some of this array into session (not all of them), how to do it?
Are those data in session encrypted? If not, how could I manipulate it, I want to encrypt it for security concern.
Thanks.
This should give you something to go on regarding encrypting session data - http://nitschinger.at/Session-Encryption-with-Lithium.
As far as telling Auth::check() which fields to save to the session:
Auth::config(array(
'default' => array(
'session' => array(
'persist' => array('username', 'email')
)
)
));
This is in the latest master, and there is more explanation at the top of security\Auth.php.

Member based sites security issue in codeigniter

Hi friends I am just wondering what security should i keep in mind when users on my site post anything using form. I have encrypted codeigniter session and also enabled the feature to store session in database, and my example Model function is like this in below. I have enabled form validation and enabled xss and csrf globally.
I think sql injection is automatically handled by CI's active record function. Please suggest me what else do i have to check before taking this site in production. Thanks
function AddSomeMemberPost(){
$now = date('Y-m-d H:i:s', strtotime('now'));
$data = array(
'topic' => $this->input->post('title'),
'status' => 'draft',
'content' => $this->input->post('body'),
'category_id' => $this->input->post('categoryid'),
'featured' => '0',
'lang' => $this->input->post('lang'),
'pubdate' => $now,
'video' => $this->input->post('tube_video'),
'user_id' => $this->session->userdata('user_id'),
'username' => $this->session->userdata('username')
);
$this->db->insert('my_table', $data);
validation are done this way, Do i need to validate session data btw ? It is going thru model.
$this->form_validation->set_rules('topic', 'Topic', 'required|min_length[8]|max_length[90]');
$this->form_validation->set_rules('content', 'Content', 'required|min_length[8]');
$this->form_validation->set_rules('tags', 'Tag', 'required|miax_length[50]');
$this->form_validation->set_rules('video', 'Youtube Video Link', 'min_length[8]');
It is recommended that you change the PHP error reporting level, which is set in the main /index.php file.
error_reporting(0)
NOTE: You can set this in a hook instead, so you can leave the standard CI files unchanged.
In general, you should clean ALL data before putting it into any SQL (including data used in a session), even when using the built-in CI DB functions. For example, you should always cast numbers before adding them to SQL
$val = (int)$val;
(NOTE: For performance you can check if these values are even in a valid range before attempting to run a query, to save yourself from running queries you know will return nothing. For example, if you're searching for a value that is a positive integer, then you don't need to run a query if $val <= 0)

CodeIgniter Session

I am trying to use a third party script and extract the logged in users userid. I am aware the CodeIgniter uses some sort of encrypted sessions. Can you please suggest how to get the userid. A simple $_SESSION does not seem to work.
I am basically running a separate script and i just want the session details i.e. the userid. But I do not want to modify this script as MVC model. I want to modify it as minimal as possible.
Sorry I am very new to CodeIgniter. Thank you for your time.
Depending if you auto-load the session library or not, we will need to include:
$this->load->library('session');
Then you should be able to use:
$session_id = $this->session->userdata('SessionID');
Does this get you what you need?
Code Igniter session
If you want to set a session variable, for example:
$this->session->set_userdata('some_name', 'some_value');
or use the array. It's quite easy if you read the docs. And the docs in Code Igniter are great!
$newdata = array(
'username' => 'johndoe',
'email' => 'johndoe#some-site.com',
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);

Categories