
login and sessions using CodeIgniter


I think your approach is going in a slightly wrong direction, but it is not wrong at all. You should separate it a bit more.

What a session actually does is store data that is needed across multiple requests.

The table for sessions you have in CodeIgniter has nothing to do with user information. It is only responsible for storing session-related data (session_id etc.). Once you've set up the table you can use CodeIgniter Sessions as you're used to. It will handle the session management process for you.

So let's go through the process of a login.

First you need a table where you store user information. The most minimalistic implementation of that table would be:

users(user_id, username, password)

The only information I store in a session is the user's id. So whenever a user enters your page you should check whether there is a session field with your user's id.

    if ($this->session->userdata('user_id')) {
        // User is logged in
    } else {
        // User is not logged in
    }

If the user is not logged in you need to show your login form. After the user has sent the form you need to validate the input and check if the login attempt is successful. Your model method could look like this:

    public function attemptLogin($username, $password)
    {
        // Look for a row whose username and hashed password both match the input.
        $query = $this->db->get_where('users', array(
            'username' => $username,
            'password' => $this->mysecurityclass->superDuperHashMethod($password)
        ));
        if ($query->num_rows() == 0) {
            return false;
        }
        // Return the matching user's id so the caller can store it in the session.
        return $query->row()->user_id;
    }

What we are doing here is checking whether there is a dataset matching the user input. As you asked, I provided a simple example of how hashing could be done. Of course you need to implement the hashing functionality yourself or use any ready-to-use classes. It's up to you. Maybe you should even encapsulate it more and already pass the hashed password to the method.

The method will return the user ID if the credentials entered matched a dataset in your users table. We know that the user is successfully logged in then. Once you've got the user's ID, store it in your session.

    $userid = $this->user_model->attemptLogin($username, $pass);
    if (!$userid) {
        // GTFO, login was not successful
    } else {
        $this->session->set_userdata('user_id', $userid);
        redirect('home');
    }

So when the login was successful you set the session key and redirect the user. Now the process begins again. But now we have a session set, and our initial check for whether the session field is set will pass. Our user is logged in.

To log the user out you will simply have to destroy the session, as you already mentioned. Since the session key user_id will not be set anymore after that, our initial check is going to return false and the user will be presented with the login form again.

As you see, you will not have to care about how sessions are handled internally. Feel free to ask if something is unclear.

note: The code examples are only for illustration purposes. You need to think about implementation by yourself :)

Happy coding!
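The flow the answer above describes (check the session key, verify credentials in a model, store only the user id, destroy the session on logout), written out as an added example for CodeIgniter 3. This is not the answerer's code: it assumes a `users` table with columns `user_id`, `username` and `password_hash`, the database and session libraries loaded, and the url helper available. Instead of the answer's placeholder `superDuperHashMethod`, it uses PHP's native `password_hash()` / `password_verify()`, and it looks the row up by username only so the password never becomes part of the query.

```php
<?php
// Added example, not code from the answer above. Assumes CodeIgniter 3, a `users`
// table (user_id, username, password_hash), and the session + database libraries.

// application/models/User_model.php
class User_model extends CI_Model
{
    // Returns the user_id on success, false otherwise. The row is fetched by
    // username alone and the hash is checked in PHP with password_verify(), so
    // each stored hash carries its own salt and the plaintext never hits the DB.
    public function attempt_login($username, $password)
    {
        $query = $this->db->get_where('users', array('username' => $username), 1);
        if ($query->num_rows() === 0) {
            return false;
        }
        $row = $query->row();
        if (!password_verify($password, $row->password_hash)) {
            return false;
        }
        return (int) $row->user_id;
    }

    // Registration helper: store only the hash, never the plaintext password.
    public function create($username, $password)
    {
        $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        ));
        return $this->db->insert_id();
    }
}

// application/controllers/Auth.php
class Auth extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Shows the login form, or processes it when it has been submitted.
    public function login()
    {
        if ($this->session->userdata('user_id')) {
            redirect('home');            // already logged in, nothing to do
            return;
        }

        $username = $this->input->post('username');
        $password = $this->input->post('password');
        if ($username === null || $password === null) {
            $this->load->view('login_form');
            return;
        }

        $user_id = $this->user_model->attempt_login($username, $password);
        if (!$user_id) {
            // One generic message for both "unknown user" and "wrong password".
            $this->load->view('login_form', array('error' => 'Invalid username or password.'));
            return;
        }

        // Issue a fresh session id at the privilege change so an id obtained
        // before login cannot be reused, then store only the user id.
        $this->session->sess_regenerate(true);
        $this->session->set_userdata('user_id', $user_id);
        redirect('home');
    }

    // Destroying the session removes the user_id key along with everything else,
    // so the check at the top of login() fails on the next request.
    public function logout()
    {
        $this->session->sess_destroy();
        redirect('auth/login');
    }
}
```

The two branches of `attempt_login()` deliberately return the same `false` to the controller; distinguishing "no such user" from "wrong password" in the response would let someone enumerate valid usernames.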


Please see my comments below:

1. Check if a session exists for the user (Is this necessary?)

Comments: Yes, this is necessary, as it tells whether that particular user is logged in or not, and you can do some activity based on that, like redirecting to the home page if logged in or to the login/registration page if not.

2. Check the session database for a username (this would be a custom entry in the session db); if it doesn't exist, then show the login form (and after logging in, save the username to the session db).

Comments: see above comments.

3. If a username exists in the session db, check last_activity. If it's older than desired (or if the session is expired) then show the login form. If it isn't too old, then log them in.

Comments: you can amend this functionality as per your requirement.

4. To log out, you would just have to remove the username from the session db. (Or should I use: $this->session->sess_destroy()?)

Comments: you need to remove it from db.

By default CodeIgniter stores the session data in a cookie, which has an upper limit of 2KB-4KB in size depending on the browser. If you are trying to store more than 4KB of data in the session you will start running into issues.

You can get more information here. Detail blog: http://goo.gl/YPllj0
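Step 3 above (expire a session whose last activity is too old, otherwise treat the user as logged in) is the one piece that neither CodeIgniter's session library nor the login flow gives you for free. The following is an added example, not the answerer's code, of enforcing such an idle timeout from a CodeIgniter 3 base controller. `last_activity` here is a key this example stores in userdata itself, not a built-in CodeIgniter field; it assumes the session library and url helper are loaded and that the login action sets `last_activity` alongside `user_id`.

```php
<?php
// Added example, not code from the answer above. Assumes CodeIgniter 3;
// `last_activity` is a userdata key maintained by this class, not a CI built-in.
// Place in application/core/MY_Controller.php.

class MY_Controller extends CI_Controller
{
    // Maximum idle time in seconds (15 minutes here; tune per application).
    const IDLE_TIMEOUT = 900;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Pure decision function, kept static so it can be unit-tested without a
    // session: true while the session belongs to a user and is not too old.
    public static function session_is_fresh($user_id, $last_activity, $now, $timeout)
    {
        if (empty($user_id) || !is_int($last_activity)) {
            return false;               // anonymous, or timestamp missing/corrupt
        }
        return ($now - $last_activity) <= $timeout;
    }

    // Call at the top of every action that requires a logged-in user.
    protected function require_login()
    {
        $user_id       = $this->session->userdata('user_id');
        $last_activity = $this->session->userdata('last_activity');

        if (!self::session_is_fresh($user_id, $last_activity, time(), self::IDLE_TIMEOUT)) {
            // Expired or anonymous: drop the server-side data and the cookie,
            // then send the user to the login form.
            $this->session->sess_destroy();
            redirect('auth/login');
            return;
        }

        // Still valid: slide the idle window forward for this request.
        $this->session->set_userdata('last_activity', time());
    }
}

// A protected controller only has to extend the base class and call the check.
class Home extends MY_Controller
{
    public function index()
    {
        $this->require_login();
        $this->load->view('home');
    }
}
```

This idle timeout is independent of CodeIgniter's own `sess_expiration` setting, which bounds the total lifetime of a session; keeping both means a session dies either when it has been unused for `IDLE_TIMEOUT` seconds or when it reaches the configured absolute age, whichever comes first.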


It's up to you and depends on your requirements whether you want to store user information in the database or not.

  1. It is necessary: when a user is logged in and suddenly, or suppose, he closes the browser, then he should still be logged in by default.
  2. Yes, when you have no session-id for a user then you can show him the login form. Also, the session-id entry should be deleted after logout.
  3. You can delete all old entries, and show the login-form.
  4. After logout you should clear the session as well as remove the database entry. One thing: CodeIgniter has stored the session in cookies (Read session), so check that the cookies are also cleared. For this you can use the CodeIgniter native session library from here.