I created an auth user system for CodeIgniter (I know that there are various third-party libraries, but this is for me personally), but I'm worried that I am missing something obvious, which can lead to a reduction in everything.
I use CI sessions (through the database) and encrypt cookie values for a bit of possibly meaningless obfuscation. Logins pass through SSL (and cookies are changed only for security). I also use phpass for hashing passwords for storage, although this is not relevant. There may be a weak link in this part, but my main problem is that the page checks mainly consist of a type approach: if is_logged_in = true and their username is in the session. This bit bothers me because it seems too "light." Is this approach highly vulnerable? Should I compute a phased hash of, say, a user agent or something else, and make sure they match?
Any pointers would be most appreciated. As I said, I know about pre-existing solutions, but I'm trying to learn a few lessons here :)
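As an added illustration (not code from the original post, and not CodeIgniter's own session library), here is a plain-PHP session guard showing what a bare is_logged_in flag does not give you: session id regeneration at login (against session fixation), idle and absolute timeouts, and a user-agent fingerprint compared in constant time. The constants, $_SESSION keys and the verifyCredentials() lookup in the usage comment are hypothetical names chosen for this example; the fingerprint deliberately excludes the client IP, since addresses change legitimately behind mobile networks and proxies.

```php
<?php
// Added example, not from the original post. Assumes session_start() has already
// been called with secure/httponly cookie flags, and that verifyCredentials()
// (hypothetical) is your own phpass-backed lookup returning a user id or null.

declare(strict_types=1);

const IDLE_TIMEOUT = 1800;      // 30 minutes without a request ends the session
const ABSOLUTE_TIMEOUT = 28800; // 8 hours after login, regardless of activity

// Fingerprint of a request property that should not change during one session.
// Only the User-Agent is used: IP addresses change legitimately.
function requestFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the password check succeeded. Regenerating the id means an id that
// existed before login never becomes a logged-in one (session fixation).
function establishSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'       => $userId,
        'login_time'    => time(),
        'last_activity' => time(),
        'fingerprint'   => requestFingerprint(),
    ];
}

// The "is_logged_in" check, with the properties that make it trustworthy.
// Returns the user id, or null when no valid session exists.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_time'],
               $_SESSION['last_activity'], $_SESSION['fingerprint'])) {
        return null;
    }
    $now = time();
    if ($now - $_SESSION['login_time'] > ABSOLUTE_TIMEOUT
        || $now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        destroySession();
        return null;
    }
    // Constant-time comparison; a mismatch means the cookie is being presented
    // from a different client, so drop the session rather than only denying.
    if (!hash_equals($_SESSION['fingerprint'], requestFingerprint())) {
        destroySession();
        return null;
    }
    $_SESSION['last_activity'] = $now;
    return (int) $_SESSION['user_id'];
}

// Clears server-side state and expires the session cookie on the client.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a login handler and in a guarded page (verifyCredentials() is hypothetical):
// $uid = verifyCredentials($_POST['username'], $_POST['password']);
// if ($uid !== null) { establishSession($uid); }
//
// if (currentUserId() === null) { header('Location: /login'); exit; }
```

The point of the fingerprint is modest: it raises the cost of replaying a stolen session cookie from another client, but a user agent is attacker-controlled, so it supplements rather than replaces the timeouts, the secure cookie flags and the id regeneration shown above.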