CodeIgniter auth security model
Everything you mentioned is good. I'm not familiar with phpass, however. Make sure that when you hash the passwords you are using a salt.
An if_logged_in = true check is sufficient because session data is stored server-side. The reason for checking things such as user-agent is to help protect against session hijacking, where one person obtains another person's session ID.
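The following is an added example (not code from the answer above or from CodeIgniter) of the session-binding idea the answer describes: the session stays server-side, the session ID is regenerated at login so a pre-set ID is useless, and a hash of the User-Agent header is stored so that a request presenting a stolen session ID from a different client is refused. The function names and the `$session` array standing in for `$_SESSION` are assumptions made so the logic runs without a web server.

```php
<?php
// Added example: binding a server-side session to the client that created
// it, so a stolen session ID alone is not enough to act as the user.
// Names (login_user, session_is_valid) are hypothetical; $session is a
// plain array in place of $_SESSION so this runs on the command line.

declare(strict_types=1);

// Fingerprint of the client. The User-Agent string is what the answer
// refers to; it is hashed so the raw header is never stored in the session.
function client_fingerprint(string $user_agent): string
{
    return hash('sha256', $user_agent);
}

// Called once the password check has succeeded. Regenerating the session
// ID here defeats session fixation (an attacker who set the ID beforehand).
function login_user(array &$session, int $user_id, string $user_agent): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // discard the pre-login ID
    }
    $session['is_logged_in'] = true;
    $session['user_id']      = $user_id;
    $session['fingerprint']  = client_fingerprint($user_agent);
    $session['login_time']   = time();
}

// Run on every request. Returns the user id, or null when the session is
// not usable; on a fingerprint mismatch the session is emptied so the
// hijacker and the victim are both logged out.
function session_is_valid(array &$session, string $user_agent, int $max_age = 3600): ?int
{
    $logged_in = filter_var($session['is_logged_in'] ?? null,
                            FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($logged_in !== true) {
        return null;
    }
    $expected = $session['fingerprint'] ?? '';
    $expired  = (time() - ($session['login_time'] ?? 0)) > $max_age;
    if (!hash_equals($expected, client_fingerprint($user_agent)) || $expired) {
        $session = [];
        return null;
    }
    return (int) $session['user_id'];
}

// Demonstration with a plain array in place of $_SESSION.
$session = [];
login_user($session, 42, 'Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0');

var_dump(session_is_valid($session, 'Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0')); // int(42)
var_dump(session_is_valid($session, 'curl/7.21.0'));  // NULL: different client, session cleared
var_dump($session);                                   // array(0) {}
```

The User-Agent check is a speed bump rather than a wall: an attacker who captured the session cookie on the wire usually captured the User-Agent header with it and can replay both. The checks that actually keep the ID out of the attacker's hands are sending the cookie only over SSL with the Secure and HttpOnly flags, and regenerating the ID at login as above.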
P.S.: I am no security expert, so I prefer using systems that are inspected by security experts: OpenID, Facebook Connect, Twitter (OAuth), Google Sign-In, etc.
But here is my checklist (what I can think of):
- Use SSL to make sure nobody can read your password when it is sent over the wire.
- You should sanitize all your input ($_POST, $_GET, $_SERVER, etc.). If it is not a local variable you should be careful. So for example you should sanitize $_SESSION['is_logged_in'] using this filter:
$var = filter_var($_SESSION['is_logged_in'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
AGAIN: you should do that for all input coming from the server, because it isn't safe. The best approach is to use a whitelist instead of a blacklist, because there is a chance you will miss something.
- Use PDO to minimize the risk of SQL injection.
- Don't store your passwords in your database in plain text, but hash them. Still risky business, I guess, because recently Gawker/Lifehacker has been compromised (wondering how it could happen?). I guess your phpass is pretty solid because OWASP also recommends it.
- Be aware of XSS attacks. This is already done because of sanitizing input.
- Take measures against CSRF. This can also be very dangerous if, for example, you can modify the e-mail address when the user is logged in. The next step is to send an e-mail to reset your password and your system is compromised.
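As an added example (not code from the checklist above or from CodeIgniter), here is the "change e-mail address" action that the CSRF point describes, protected the way the checklist's items suggest: a per-session CSRF token that a cross-site form cannot supply, whitelist validation of the new address with filter_var(), and a PDO prepared statement so the value is bound as data rather than concatenated into SQL. The function names, the `users (id, email)` table and the in-memory SQLite database are assumptions made so it runs stand-alone.

```php
<?php
// Added example: protecting a "change e-mail address" POST handler with a
// CSRF token, whitelist input validation and a PDO prepared statement.
// Function names and the users table layout are assumptions; SQLite in
// memory stands in for the real database.

declare(strict_types=1);

// The token is created once per session and rendered into every form as a
// hidden field. random_bytes() is a CSPRNG, so it cannot be predicted.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Whitelist validation: anything that is not a syntactically valid address
// is rejected outright rather than "cleaned up".
function validated_email(?string $input): ?string
{
    $email = filter_var($input ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Handles the POST. Returns true only when the address was actually changed.
function change_email(PDO $db, array &$session, array $post): bool
{
    if (empty($session['is_logged_in']) || empty($session['user_id'])) {
        return false;                                    // not logged in
    }
    if (!csrf_token_is_valid($session, $post['csrf_token'] ?? null)) {
        return false;                                    // forged request
    }
    $email = validated_email($post['email'] ?? null);
    if ($email === null) {
        return false;                                    // bad input
    }
    // Prepared statement: the e-mail travels as a bound parameter, so it can
    // never change the structure of the query.
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => (int) $session['user_id']]);
    return $stmt->rowCount() === 1;
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.com')");

$session = ['is_logged_in' => true, 'user_id' => 1];
$token   = csrf_token($session);   // this is what the site's own form carries

// A form posted from an attacker's site carries no valid token: rejected.
var_dump(change_email($db, $session, ['email' => 'attacker@example.net']));          // bool(false)
// An injection attempt fails validation before it gets near the database.
var_dump(change_email($db, $session, ['csrf_token' => $token,
                                      'email' => "x'; DROP TABLE users; --"]));      // bool(false)
// A legitimate submission from the site's own form succeeds.
var_dump(change_email($db, $session, ['csrf_token' => $token,
                                      'email' => 'alice@new.example']));             // bool(true)
echo $db->query('SELECT email FROM users WHERE id = 1')->fetchColumn(), "\n";         // alice@new.example
```

Because an address change is exactly the step that turns into a password reset, the usual extra measure is to require the current password on that form and to notify the old address; the token above stops the cross-site request, and those two stop an attacker who already has the session.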
I am not familiar with phpass, but check to see if it uses MD5, because if it does then it's not good enough. Use bcrypt: http://www.memonic.com/user/pneff/id/1qHCT
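To make the MD5-versus-bcrypt point above concrete, here is an added example (not from the comment or from phpass) that hashes the same password twice with each scheme. It uses PHP's built-in password_hash()/password_verify() (available since PHP 5.5), which generate a random salt and use bcrypt; the hash_password/check_password wrapper names and the cost value are assumptions for the example.

```php
<?php
// Added example: why an unsalted MD5 hash is not good enough, and what a
// salted bcrypt hash from password_hash() looks like. Wrapper names and
// the cost setting are choices made for this example.

declare(strict_types=1);

const BCRYPT_COST = 12;   // work factor; raise it as hardware gets faster

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verifies the password and, when the stored hash uses an out-of-date cost,
// returns a replacement hash so old records are upgraded at login.
function check_password(string $password, string $stored): array
{
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hash_password($password)
        : null;
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Two users who happened to pick the same password.
$pw = 'correct horse battery staple';

// Unsalted MD5: identical input gives identical output, so one cracked hash
// (or one lookup in a precomputed table) exposes every user with that
// password, and the whole table can be attacked in a single pass.
echo md5($pw), "\n";
echo md5($pw), "\n";   // the same line again

// Salted bcrypt: each call embeds a fresh 128-bit salt in the output
// ($2y$12$<22-char salt><31-char hash>), so equal passwords hash differently
// and each hash has to be attacked on its own at 2^12 rounds per guess.
$h1 = hash_password($pw);
$h2 = hash_password($pw);
echo $h1, "\n", $h2, "\n";
var_dump($h1 === $h2);                        // bool(false)
var_dump(password_verify($pw, $h1));           // bool(true)
var_dump(password_verify('wrong', $h1));       // bool(false)

// A hash made earlier with a lower cost is still accepted, and flagged for
// replacement so the database converges on the current work factor.
$legacy = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 4]);
$result = check_password($pw, $legacy);
var_dump($result['ok']);                       // bool(true)
var_dump($result['rehash'] !== null);          // bool(true)
```

On the question raised in the comment: phpass uses bcrypt through crypt() when the platform supports it and only falls back to its "portable" scheme, which is salted and iterated MD5, so a phpass hash starting with $2a$ or $2y$ is bcrypt while one starting with $P$ is the MD5 fallback.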