I have read about authentication in Lithium manual, still I have some questions about it.
After Auth::check ('default', $this->request), it will return an array of user data if succeed. I have finished this part according to the manual.
if I want to save some of this array into session (not all of them), how to do it?
Are those data in session encrypted? If not, how could I manipulate it, I want to encrypt it for security concern.
Thanks.
This should give you something to go on regarding encrypting session data - http://nitschinger.at/Session-Encryption-with-Lithium.
As far as telling Auth::check() which fields to save to the session:
Auth::config(array(
'default' => array(
'session' => array(
'persist' => array('username', 'email')
)
)
));
This is in the latest master, and there is more explanation at the top of security\Auth.php.
Related
I have a codeigniter application that I am using the Cart class to make an e-commerce store.
I am also using Codeigniter-Auth (a library) to make accounts on this system. I have noticed when I log out while testing the application, the session data for the shopping cart is also destroyed.
I noticed in the library this is how it logs the users in:
$data = array(
'id' => $row->id,
'name' => $row->name,
'email' => $row->email,
'loggedin' => TRUE
);
$this->CI->session->set_userdata($data);
And this is how it logs the user out:
return $this->CI->session->sess_destroy();
How do I tell codeigniter to only destroy the user session and not every session in the system?
Using:
$data = array(
'id' => $row->id,
'name' => $row->name,
'email' => $row->email,
'loggedin' => TRUE
);
$this->session->set_userdata($data); // instead of $this->CI->session->set_userdata($data);
You are actually setting 4 session variables! To unset a specific one, use:
$this->session->unset_userdata('loggedin');
I believe you can just use $this to refer to CodeIgniter's instance. You must also assign a "name" to your session data (variable) to be able to specifically unset it.
$this->session->set_userdata('sample_userlog',$data);
$this->session->unset_userdata('sample_userlog');
Hope this helps.
The documentation states to clear the current session use
$this->session->sess_destroy();
Note: This function should be the last one called, and even flash variables will no longer be available. If you only want some items destroyed and not all, use unset_userdata().
For example $this->CI->session->unset_userdata($data).
For a Web-Application with many Database related events I want to build a Changelog. That should log what users have done, so its a Userlog too.
The App is huge, has a complex role based user access system and there will be hundreds of different events (changes) that may occur.
This all should be Database-Driven, in PHP and needs at least a View to search the Logs.
But in short, I have totally no idea how to design that all and need some tips or inspirations, maybe what others have done.
I've done this in the past and found basically 2 approaches: Model-based and Controller-based.
Model-based within the model itself override the save and update methods (assuming an ActiveRecord pattern) to create a new entry in the ChangeLog table.
Controller-based add the ChangeLog record creation logic to each controller that you want to track.
I prefer the Controller-based approach since you have more control over what's going on and when. Also, you have full access to the user session so it's easier to add tracking for auditing purposes.
Have solved that much more easy as it appears with my first thoughts.
This should do it most times without a comment:
protected function log($comment = ''){
$user = $this->user();
ORM::factory('Changelog')->vaules(array(
'user_id' => $user->pk(),
'section_id' => $user->section->pk(),
'username' => $user->username.'#'.$user->section->name,
'time' => time(),
'uri' => $this->uri($this->request->param(), $this->request->query()),
'controller' => $this->request->controller(),
'action' => $this->request->action(),
'post' => serialize($this->request->post()),
'comment' => $comment,
))->save();
}
A simple $this->log() and all is done.
Result: http://charterix.sourceforge.net/log.jpg
I am using CakePHP for my application, where I have a User model. This User has a password, which has a regex to validate.
The regex forces the user to use a password at least 6 characters long, containing at least 1 number and special char.
The validation looks like this:
'password' => array(
'ruleName' => array(
'rule' => array('custom', '/^.*(?=.{6,})(?=.*\d)(?=.*[a-zA-Z])(?=.*[##$%^&+=]).*$/i'),
'message' => 'Password not legit',
'allowEmpty' => true
)
)
When I want to edit my password, this validation works great. But when I want to edit the user (no option to change password there), the $this->User->save() fails.
If I debug my $this->User->validationErrors, the only thing shown is:
array(
'password' => '*****'
)
The password field is not set in my post data, so the validation should not happen at all.
When I comment this block of validation code, the user can be saved.
Anyone knows what I am doing wrong?
I solved it myself already. Before saving the User object, I already did a $this->User->Read(null, $userid) for other purposes.
This resulted in remembering the values of the read (including password) in the $this->User object.
Since the save method is called on the $this->User object, the password value is trying to get saved too. But since *** isn't valid according to the regex, the save fails.
Thanks for the help anyway!
Hi friends I am just wondering what security should i keep in mind when users on my site post anything using form. I have encrypted codeigniter session and also enabled the feature to store session in database, and my example Model function is like this in below. I have enabled form validation and enabled xss and csrf globally.
I think sql injection is automatically handled by CI's active record function. Please suggest me what else do i have to check before taking this site in production. Thanks
function AddSomeMemberPost(){
$now = date('Y-m-d H:i:s', strtotime('now'));
$data = array(
'topic' => $this->input->post('title'),
'status' => 'draft',
'content' => $this->input->post('body'),
'category_id' => $this->input->post('categoryid'),
'featured' => '0',
'lang' => $this->input->post('lang'),
'pubdate' => $now,
'video' => $this->input->post('tube_video'),
'user_id' => $this->session->userdata('user_id'),
'username' => $this->session->userdata('username')
);
$this->db->insert('my_table', $data);
validation are done this way, Do i need to validate session data btw ? It is going thru model.
$this->form_validation->set_rules('topic', 'Topic', 'required|min_length[8]|max_length[90]');
$this->form_validation->set_rules('content', 'Content', 'required|min_length[8]');
$this->form_validation->set_rules('tags', 'Tag', 'required|miax_length[50]');
$this->form_validation->set_rules('video', 'Youtube Video Link', 'min_length[8]');
It is recommended that you change the PHP error reporting level, which is set in the main /index.php file.
error_reporting(0)
NOTE: You can set this in a hook instead, so you can leave the standard CI files unchanged.
In general, you should clean ALL data before putting it into any SQL (including data used in a session), even when using the built-in CI DB functions. For example, you should always cast numbers before adding them to SQL
$val = (int)$val;
(NOTE: For performance you can check if these values are even in a valid range before attempting to run a query, to save yourself from running queries you know will return nothing. For example, if you're searching for a value that is a positive integer, then you don't need to run a query if $val <= 0)
I am trying to use a third party script and extract the logged in users userid. I am aware the CodeIgniter uses some sort of encrypted sessions. Can you please suggest how to get the userid. A simple $_SESSION does not seem to work.
I am basically running a separate script and i just want the session details i.e. the userid. But I do not want to modify this script as MVC model. I want to modify it as minimal as possible.
Sorry I am very new to CodeIgniter. Thank you for your time.
Depending if you auto-load the session library or not, we will need to include:
$this->load->library('session');
Then you should be able to use:
$session_id = $this->session->userdata('SessionID');
Does this get you what you need?
Code Igniter session
If you want to set a session variable, for example:
$this->session->set_userdata('some_name', 'some_value');
or use the array. It's quite easy if you read the docs. And the docs in Code Igniter are great!
$newdata = array(
'username' => 'johndoe',
'email' => 'johndoe#some-site.com',
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);