
Storing Session Data Securely With Codeigniter?

For all of my projects I use CodeIgniter as my framework. I always use sessions in order to store things like user_string and user_permissions to determine who can access certain functions and pages within the site.

Is it bad practice to use the session->userdata as a basis to provide a user unique content?

I usually set a user an array of userdata when they log in, like so:

$data = array('id' => $user_string, 
              'g' => $user_group);

$this->session->set_userdata($data);

When I'm determining what results they get for a query I might do the following:

function get_posts(){
    if( $this->session->userdata('g') == 2 ){
        $data = $this->db->get_where('posts', array('' => $this->session->userdata('id') ) )->result_array();
        return $data;
    }
}

Is this code vulnerable because of the session->userdata('id') and session->userdata('g') ?

Any comment is greatly appreciated.

Just do one thing:
Save your key to your application/config/config.php; open the file and set

$config['encryption_key'] = "YOUR KEY";

$this->load->library('encrypt');

// Encrypt each value before it is stored in the session
$data = array('id' => $this->encrypt->encode($user_string),
              'g' => $this->encrypt->encode($user_group));

$this->session->set_userdata($data);

When getting the data:

function get_posts(){
    // 'g' was stored encrypted, so decode it before comparing
    if( $this->encrypt->decode($this->session->userdata('g')) == 2 ){
        $id = $this->encrypt->decode($this->session->userdata('id'));
        $data = $this->db->get_where('posts', array('' => $id))->result_array();
        return $data;
    }
}
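
Whether userdata('id') and userdata('g') can be trusted comes down to whether the client is able to change them undetected. The following is an added example in plain PHP, not code from the question, the answer, or CodeIgniter itself: it assumes the session array is kept client-side in a cookie and shows an HMAC integrity check in front of the group test. The function names, the key and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not CodeIgniter API.
// Constructed key; a real one is a long random secret kept server-side.
const SESSION_KEY = 'constructed-demo-key-do-not-reuse';

// Serialize the session array and append an HMAC-SHA256 tag over it.
function seal_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the session array only if the tag verifies; otherwise null.
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // hash_equals() compares in constant time
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $json = base64_decode($payload, true);
    $data = ($json === false) ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Group test in the style of get_posts(), with a strict typed comparison.
function may_read_posts(?array $session): bool
{
    return $session !== null && isset($session['g']) && (int) $session['g'] === 2;
}

// Constructed sample: a user in group 1 receives a sealed cookie.
$cookie = seal_session(['id' => 'u-1001', 'g' => 1], SESSION_KEY);
var_dump(may_read_posts(open_session($cookie, SESSION_KEY)));

// The same cookie with the payload altered to group 2 keeps the old tag,
// so verification fails and the session is discarded before the group test.
[, $tag] = explode('.', $cookie, 2);
$altered = base64_encode(json_encode(['id' => 'u-1001', 'g' => 2])) . '.' . $tag;
var_dump(may_read_posts(open_session($altered, SESSION_KEY)));
```

Encrypting the values hides them from the client; the keyed tag is what detects a change, so the check on 'g' should only run on data that passed verification or that never left the server.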

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

 