security - CodeIgniter and Multiple Concurrent Logins


I come from a security background (infosec consultant), having tested web apps for vulnerabilities. I've recently started working in web dev, and I'm busy with my first project, written in CodeIgniter.

I'm trying to solve the problem of multiple concurrent logins, where a user can have 2 (or more) concurrent sessions that are both valid and active. I have an idea of how to do it, but as I'm not experienced with CI I want to know if there's a better or more "official" way. My approach involves making changes to the DB's ci_sessions table, and I'm not sure how CI will handle that.

At the moment I'm using DB session data, and I plan to add an additional column to the ci_sessions table, one that stores the email address of the user (post authentication). In other words it is NULL until the user logs in, at which point the email address of the user is stored in it.

The plan is to confirm the validity of the credentials provided during login, and if they're correct, search the sessions table for other sessions corresponding to the same email address and delete those. Once the other sessions for that user have been removed, the email and the session data indicating a valid authenticated session are set.

Is this the best way to do this?

Edit: Of course, this won't work when CI creates a new session ID for the current session instead of updating it, as CI won't set the email address on the new session. I'd have to make modifications to the source...

I was looking through the source code of Session.php and found this line at the end of sess_update(), which is called if DB sessions are in use:

    $this->ci->db->query($this->ci->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));

In other words the current session_id is updated to the new session_id instead of inserting a new entry, leaving the other information (except last_activity) intact. So I decided to try my original plan, and added a user_id column to the table (instead of email) which defaults to NULL. On login I check the credentials and return (amongst other things) the user_id for the email address specified. I then delete the sessions that have that specific id in the user_id column, and update the row associated with the current session_id to contain the user_id of the user.

I have tested by logging in with Chrome and then Safari, and the Chrome session was killed. I still need to do more testing to ensure there are no loopholes, but it looks like this solves the problem.

Thanks for the many suggestions. samutz, I'm sure your method would have worked, but I found mine had less overhead.
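As an added example (not code from the original post or from CodeIgniter itself), here is how the plan above could be expressed as a CodeIgniter 2.x model: it assumes DB-backed sessions, a nullable user_id column added to ci_sessions, and the model and method names are my own.

```php
<?php
// Added example, not part of the original post or of CodeIgniter.
// Assumes DB sessions are enabled and ci_sessions has been extended, e.g.:
//   ALTER TABLE ci_sessions ADD COLUMN user_id INT NULL;
// "user_id", "Session_model" and the method names are assumed names.

class Session_model extends CI_Model
{
    // Call this only AFTER the supplied credentials have been verified.
    // Returns the number of other sessions that were revoked for this user.
    public function bind_user_and_revoke_others($user_id)
    {
        $current_sid = $this->session->userdata('session_id');

        // Do both steps in one transaction so two simultaneous logins
        // cannot each end up with a surviving session.
        $this->db->trans_start();

        // 1. Delete every other session row already tagged with this user.
        //    The other browser's cookie then matches no row, so CI starts
        //    it as a fresh, unauthenticated session on its next request.
        $this->db->where('user_id', (int) $user_id)
                 ->where('session_id !=', $current_sid)
                 ->delete('ci_sessions');
        $revoked = $this->db->affected_rows();

        // 2. Tag the current session with the user. sess_update() later
        //    rewrites session_id in place (UPDATE, not INSERT), so this
        //    column survives CI's periodic session-id rotation.
        $this->db->where('session_id', $current_sid)
                 ->update('ci_sessions', array('user_id' => (int) $user_id));

        $this->db->trans_complete();

        return $revoked;
    }

    // Defence in depth for authenticated requests: confirm the row behind
    // this session still carries the expected user_id. A revoked session
    // has no row at all and therefore fails the check.
    public function is_still_bound($user_id)
    {
        $row = $this->db->select('user_id')
                        ->where('session_id', $this->session->userdata('session_id'))
                        ->get('ci_sessions')
                        ->row();
        return $row !== NULL && (int) $row->user_id === (int) $user_id;
    }
}
```

Logging out via sess_destroy() deletes the row outright, so no extra cleanup of user_id is needed on that path.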
