CodeIgniter Forums
Session handling - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: Session handling (/thread-13864.html)

Pages: 1 2


Session handling - El Forum - 12-09-2008

[eluser]garrettheel[/eluser]
Noticing that CI stores sessions in cookies by default, I'm looking for a more secure solution to session handling. What does the CI community recommend as the best way to do this? Ideally, some sort of library which utilizes native PHP sessions and still allows me to use the database would be great.


Session handling - El Forum - 12-09-2008

[eluser]Eric Cope[/eluser]
You can encrypt them. See the user guide for that feature. You can also store the session IDs in a database.


Session handling - El Forum - 12-09-2008

[eluser]garrettheel[/eluser]
Yeah, I know you can encrypt the cookies.. but that doesn't change the fact that they're cookies. I'm not trusting anything client-side when it comes to user authentication so I need something that utilizes native PHP sessions.


Session handling - El Forum - 12-09-2008

[eluser]Eric Cope[/eluser]
Its been a while since I used PHP native sessions, but they either use GET strings (very unsecure) or cookies to store the session id?
By choosing a strong passphrase (Diceware), encryption is the best solution I am aware of... but maybe someone could correct me.


Session handling - El Forum - 12-09-2008

[eluser]garrettheel[/eluser]
PHP native sessions don't use GET strings or cookies, they are stored server-side, making them far more secure then using cookies (even with encryption - if someone knows what they're doing they can get around this).


Session handling - El Forum - 12-09-2008

[eluser]garrettheel[/eluser]
I just had a look and noticed that there is user data being stored in the database now. Does this mean this security problem has been fixed in 1.7? Is all user info being stored in the database?


Session handling - El Forum - 12-09-2008

[eluser]Eric Cope[/eluser]
quoting the php.net documentation

Quote:A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.


I don't know if CodeIgniter stores data in the database or just matches the data with a session ID in the database. If you encrypt the cookie, when it is decrypted, if the session ID does not match the database, the session is destroyed.


Session handling - El Forum - 12-09-2008

[eluser]garrettheel[/eluser]
Well I know it did store data in the users cookie but it looks like 1.7 changes it to the database.


Session handling - El Forum - 12-09-2008

[eluser]majidmx[/eluser]
First of all, in PHP's native session handling, the Session_id should be passed to server.
It's either saved in user's cookie which is mostly the default way and most of the people are not aware of it.
or it should be passed through URL.
But basically there should be a way that server can recognize the same client.
In either ways, with knowing the session_id wasn't that much hard to do some nasty stuff on PHP's native session, which had made it a little bit unsecure.

In CodeIgniter, as Eric mentioned, you can save the information in Cookie and encrypt them.
But if you're not a fan of client-side storing, you can save all the session information in Database.
Again, even in this way, session_id will be saved in user's cookie. But user's data will be saved in the Database, as you can see in the manual :
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and by taking a look at the structure of `ci_sessions` table, you can easily find that the data is saved in the `user_data` field for corresponding `session_id` which comes from cookies.

Hope it helped.
MajiD Fatemian


Session handling - El Forum - 12-30-2008

[eluser]Nick Jennings[/eluser]
I was reading the documentation and maybe it's just not completely clear, but my interpretation was that it stores the session data *both* in the cookie /and/ in the DB. Then compares the session ID and if it doesn't match, it destroys the session.

This was still keeps the userdata both in the DB and in the cookie. No?

It's very probable my understanding is wrong (I'm new to code igniter), but if so I think it might help to clarify this in the documentation.
-Nick

[quote author="majidmx" date="1228905036"]First of all, in PHP's native session handling, the Session_id should be passed to server.
It's either saved in user's cookie which is mostly the default way and most of the people are not aware of it.
or it should be passed through URL.
But basically there should be a way that server can recognize the same client.
In either ways, with knowing the session_id wasn't that much hard to do some nasty stuff on PHP's native session, which had made it a little bit unsecure.

In CodeIgniter, as Eric mentioned, you can save the information in Cookie and encrypt them.
But if you're not a fan of client-side storing, you can save all the session information in Database.
Again, even in this way, session_id will be saved in user's cookie. But user's data will be saved in the Database, as you can see in the manual :
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and by taking a look at the structure of `ci_sessions` table, you can easily find that the data is saved in the `user_data` field for corresponding `session_id` which comes from cookies.

Hope it helped.
MajiD Fatemian[/quote]