CodeIgniter Sessions are not real Sessions - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com), Archived Libraries & Helpers, thread /showthread.php?tid=25062

CodeIgniter Sessions are not real Sessions - El Forum - 11-30-2009
[eluser]n0-0ne[/eluser]
I've been programming PHP applications for a long time now but am new to CodeIgniter (just reading the manual for the first time now to see its capabilities), and I was quite puzzled to see that the Session library saves all the session data in a cookie. This is bad practice, since session data should never leave the server and only the session identifier should be saved in a cookie. I saw there is an option to secure the data using the database, but many users probably won't be aware of the dangers of using this feature without database validation.

This library should be split into a Cookie library (since without DB all it does is offer advanced cookie capabilities) and a Session library forcing users to enable DB support for it. A better solution (though more time-costly) would be to integrate the session library to work with PHP's built-in session handler functions, improving them for better flexibility and security, thus eliminating the need for database use and leaving it as an option to harden security on shared servers.

CodeIgniter Sessions are not real Sessions - El Forum - 11-30-2009
[eluser]esra[/eluser]
Check the wiki for the db_session library. There is also a db2_session library, but I have never used it. You can also use the native session library that saves session data to a file.

CodeIgniter Sessions are not real Sessions - El Forum - 11-30-2009
[eluser]Colin Williams[/eluser]
http://derekallard.com/blog/post/codeigniter-session-changes-when-using-a-database/

CodeIgniter Sessions are not real Sessions - El Forum - 11-30-2009
[eluser]n0-0ne[/eluser]
Yeah, I saw it in the code, but sessions should still be secure even if you're not using a database. This should be fairly trivial to set, using PHP's built-in session handlers. I'll see if I can find the time to implement this.
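
Editor's added example, not code from this thread or from CodeIgniter: one way to do what the post above proposes, a thin wrapper over PHP's built-in session functions so that only the session ID travels in the cookie and the data stays on the server. The class name `NativeSession`, the rotation interval and the HTTPS-only cookie are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Hypothetical wrapper: data lives in PHP's server-side session store,
// the cookie carries nothing but the session ID.
final class NativeSession
{
    private const ROTATE_AFTER = 300; // seconds between ID rotations (assumed)

    public function __construct()
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return; // already started elsewhere
        }
        ini_set('session.use_only_cookies', '1'); // never accept IDs from the URL
        ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
        session_set_cookie_params([
            'lifetime' => 0,      // expire with the browser session
            'path'     => '/',
            'secure'   => true,   // assumes the site is served over HTTPS
            'httponly' => true,   // hide the ID from page scripts
            'samesite' => 'Lax',
        ]);
        session_start();

        // Rotate the ID periodically so a leaked ID has a short useful life.
        $now = time();
        if (!isset($_SESSION['_rotated_at'])) {
            $_SESSION['_rotated_at'] = $now;
        } elseif ($now - $_SESSION['_rotated_at'] > self::ROTATE_AFTER) {
            session_regenerate_id(true); // true: delete the old session record
            $_SESSION['_rotated_at'] = $now;
        }
    }

    public function get(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $default;
    }

    public function set(string $key, $value): void
    {
        $_SESSION[$key] = $value;
    }

    // Call on login or any privilege change to prevent session fixation.
    public function elevate(): void
    {
        session_regenerate_id(true);
        $_SESSION['_rotated_at'] = time();
    }
}
```

Values passed to `set()` never reach the browser, so the client cannot read or alter them; what it holds is an opaque ID that is useless once rotated or expired.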

CodeIgniter Sessions are not real Sessions - El Forum - 11-30-2009
[eluser]Colin Williams[/eluser]
Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).

CodeIgniter Sessions are not real Sessions - El Forum - 12-01-2009
[eluser]sudirman123[/eluser]
[quote author="Colin Williams" date="1259633191"]Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).[/quote]
Do you mean the page http://codeigniter.com/wiki/Category:Libraries::Session/ ? I am also curious about session handling in CI.

CodeIgniter Sessions are not real Sessions - El Forum - 12-01-2009
[eluser]BrianDHall[/eluser]
I highly recommend OB Session. http://codeigniter.com/wiki/OB_Session/ Extremely simple, 1 file to override CI session, makes sessions work like they should - store only the session ID in the cookie if you use a database. If you don't like storing in the database then I think Native Sessions is more your style.

CodeIgniter Sessions are not real Sessions - El Forum - 12-01-2009
[eluser]sudirman123[/eluser]
[quote author="BrianDHall" date="1259707736"]I highly recommend OB Session.[/quote]
Thanks for your response. I used EckoSession (and posted a reply in http://ellislab.com/forums/viewthread/122237/).