Notice that the session class automatically stores information about the IP address and user agent of the user making a page request. You can use these to give additional security.
There are two settings you can change in your config file for additional security:
sess_match_ip: If you set this to true, CI will attempt to match the user's IP address when it reads the session data. This is to prevent users from 'hijacking' a log-in. However, some servers (both ISPs and large corporate servers) may issue requests by the same end user over different IP addresses. If you set this value to true, you may exclude them unintentionally.
sess_match_useragent: If you set this to true, CI will try to match the User Agent when reading the session data. This means that someone who tried to hijack a session would have to ensure that the 'user agent' setting returned by his or her system matched that of the genuine user. It makes hijacking a little more difficult.
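The trade-off between the two settings, as an added sketch in plain PHP. This is not CodeIgniter's own code: the session_matches() helper, the stored record and the sample requests are constructed for illustration, and only the two setting names come from the text above.

```php
<?php
// Added illustration, NOT CodeIgniter's source. It models the checks that
// sess_match_ip and sess_match_useragent switch on when a session is read.

// Hypothetical helper: may the stored session be used by this request?
// Returns array(bool $accepted, string $reason).
function session_matches(array $config, array $stored, array $request)
{
    if ($config['sess_match_ip']
        && $stored['ip_address'] !== $request['ip_address']) {
        return array(FALSE, 'ip mismatch');
    }
    if ($config['sess_match_useragent']
        && trim($stored['user_agent']) !== trim($request['user_agent'])) {
        return array(FALSE, 'user agent mismatch');
    }
    return array(TRUE, 'ok');
}

// Constructed session record (documentation-range IP addresses).
$stored = array('ip_address' => '192.0.2.10', 'user_agent' => 'ExampleBrowser/1.0');

// Constructed requests that all present the same session cookie.
$requests = array(
    'same user, same address' =>
        array('ip_address' => '192.0.2.10', 'user_agent' => 'ExampleBrowser/1.0'),
    'same user, ISP changed address' =>
        array('ip_address' => '192.0.2.77', 'user_agent' => 'ExampleBrowser/1.0'),
    'cookie presented by another client' =>
        array('ip_address' => '198.51.100.5', 'user_agent' => 'OtherClient/2.3'),
);

// Compare both settings on against user-agent matching alone.
$profiles = array(
    'both on'         => array('sess_match_ip' => TRUE,  'sess_match_useragent' => TRUE),
    'user agent only' => array('sess_match_ip' => FALSE, 'sess_match_useragent' => TRUE),
);

foreach ($profiles as $name => $config) {
    echo "[$name]\n";
    foreach ($requests as $label => $request) {
        list($ok, $reason) = session_matches($config, $stored, $request);
        printf("  %-36s %s (%s)\n", $label, $ok ? 'accepted' : 'rejected', $reason);
    }
}
```

With both settings on, the genuine user whose address changed is rejected along with the foreign client; with user-agent matching alone, that user is accepted and the foreign client is still rejected only because its user agent differs.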
CI also has a user_agent class, which...