Is it safe to store the user's role in Codeigniter's session?

The role will determine what function the user will have; that is, being an admin, a regular subscriber, or a premium user.

I am also storing the session in a database for additional security, but I would like to know if I should use an alternate route, such as querying the user's id and checking their role, but I believe that is just taking it one step further in authentication.

Please advise.

A: 

Storing the role in the session to avoid querying for it all the time should be fine if it's mostly static.

Just consider what to do in the edge case when the user's role is edited while the session is valid (logged in or not expired). Should the session be invalidated for him so he has to re-login? Or have your application know that the role is now stale and should be refreshed from the database?

Fanis
I am using Tank Auth in Codeigniter. I am unsure how my application would invalidate the session, but it does use the database so, as Matthew said, I should be safe, which I am really hoping for.
Anraiki
@Anraiki what I meant was: say user X is logged in and you change his role. How will the session handler know to refresh that from the database to get the changed role? Perhaps you need a way to invalidate the session for that user so he can re-login, or a way to know to fetch the new role from the database
Fanis
@Fanis I think you're overcomplicating it. If they want to change roles from 'user' to 'admin', there can be a function that says something like $this->session->set_userdata('role', 'admin'). You also need to save it to the respective user row so when they login at a different time it reflects correctly.
Matthew
@Matthew if you, as admin, are logged in to the site and change a user's role, how will you access that user's session? `$this->session` will access your session. It's really an edge case, since it will happen rarely and you can just set a user property to notify the user to re-login. I just figured I'd bring it up as food for thought. Whenever you cache things aggressively you need to have a way to invalidate the caches remotely.
Fanis
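One way to handle the stale-role edge case discussed above, as an added example that is not code from the question, from Tank Auth or from either answer: it assumes CodeIgniter 2 with database sessions, a `users` table that has `role` and `role_version` columns, and that login puts `user_id` into the session.

```php
<?php
// Added example (not from the question or Tank Auth). Assumes a `users`
// table with `role` and an integer `role_version` that is bumped whenever
// an admin edits the role, and that login stored `user_id` in the session.
// Save as application/core/MY_Controller.php and extend it from controllers.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->database();
        $this->refresh_role_if_stale();
    }

    // Compare the role version cached in the session with the database.
    // One indexed lookup per request is cheaper than reloading the whole
    // user record, and it catches an admin changing the role mid-session.
    protected function refresh_role_if_stale()
    {
        $user_id = $this->session->userdata('user_id');
        if (!$user_id) {
            return; // anonymous request, nothing is cached
        }
        $row = $this->db->select('role, role_version')
                        ->where('id', $user_id)
                        ->get('users')->row();
        if (!$row) {
            $this->session->sess_destroy(); // user deleted: drop the session
            return;
        }
        if ((int) $this->session->userdata('role_version') !== (int) $row->role_version) {
            // Stale: the role comes from the database, never from the client
            $this->session->set_userdata(array(
                'role'         => $row->role,
                'role_version' => (int) $row->role_version,
            ));
        }
    }

    // Admin-side role change; bumping the version expires the cached role
    // in that user's own session on their next request.
    protected function set_user_role($user_id, $new_role)
    {
        $this->db->set('role', $new_role)
                 ->set('role_version', 'role_version + 1', FALSE)
                 ->where('id', $user_id)
                 ->update('users');
    }
}
```

The version check still costs one small query per request; if even that is unwanted, the alternative Fanis describes is to force a re-login by deleting that user's rows from the database session table when the role changes.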
A: 

Yeah that's safe. If it's stored in the database, there's pretty much nothing a user can do to tamper with the data.

Matthew