CodeIgniter Forums
Session encrypt and about overwrite config expiration - Printable Version




Session encrypt and about overwrite config expiration - Gianluigi - 01-01-2016

Hi,

I have 2 questions about sessions.

Config:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'on_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = APPPATH . 'sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

The application folder is above the public root (../cgi-bin/application/), so sessions should not be available by navigation.

1. Does it make sense to encrypt session values (such as user_id, remember_me_token, or any others)?

2. If I want to use a 7200 timeout for the general session, are there ways to set sessions with a higher expiration time, by overwriting the config value using $this->session->set_userdata?

Thank you!


RE: Session encrypt and about overwrite config expiration - skunkbad - 01-01-2016

1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.

2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.


RE: Session encrypt and about overwrite config expiration - Gianluigi - 01-02-2016

(01-01-2016, 06:54 PM)skunkbad Wrote: 1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.
Seems OK, I'll encrypt too. Thank you!

(01-01-2016, 06:54 PM)skunkbad Wrote: 2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
My mistake, wrong logic yesterday. I should use cookie+db to store remember me sessions. So I don't really need this one. Thanks anyway.



Another question: I've tried with $config['sess_expiration'] = 7200;. It works fine in the user's browser, but in application/sessions/ it doesn't delete the old session files. Should I provide a check to delete older files with something like:

PHP Code:
 // Match the files inside the session directory (sess_save_path has no trailing slash)
 $files = glob(rtrim($config['sess_save_path'], '/') . '/*');
 $now   = time();

 foreach ($files as $file) {
   if (is_file($file)) {
     // Delete files not modified within the expiration window
     if ($now - filemtime($file) >= $config['sess_expiration']) {
       unlink($file);
     }
   }
 }

?


RE: Session encrypt and about overwrite config expiration - skunkbad - 01-02-2016

(01-02-2016, 03:22 AM)Gianluigi Wrote:
(01-01-2016, 06:54 PM)skunkbad Wrote: 1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.
Seems OK, I'll encrypt too. Thank you!

(01-01-2016, 06:54 PM)skunkbad Wrote: 2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
My mistake, wrong logic yesterday. I should use cookie+db to store remember me sessions. So I don't really need this one. Thanks anyway.



Another question: I've tried with $config['sess_expiration'] = 7200;. It works fine in the user's browser, but in application/sessions/ it doesn't delete the old session files. Should I provide a check to delete older files with something like:

PHP Code:
 // Match the files inside the session directory (sess_save_path has no trailing slash)
 $files = glob(rtrim($config['sess_save_path'], '/') . '/*');
 $now   = time();

 foreach ($files as $file) {
   if (is_file($file)) {
     // Delete files not modified within the expiration window
     if ($now - filemtime($file) >= $config['sess_expiration']) {
       unlink($file);
     }
   }
 }

?

Old sessions are cleaned up with garbage collection, which CI does automatically at random intervals.
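
The cleanup loop quoted in this thread unlinks every old file in the session directory, including files such as index.html or .htaccess that may be kept there. The following is an added example, not code from the thread or from CodeIgniter: a stricter sweep that only removes files whose names look like session files. The function name and the file-name pattern (sess_cookie_name followed by an id of letters, digits, ',' or '-') are assumptions.

```php
<?php
// Added example, not CodeIgniter's own code.
// Assumption: session files are named "<sess_cookie_name><id>", where <id>
// consists of letters, digits, ',' or '-' and is at least 22 characters long.

function purge_expired_sessions(string $dir, string $cookieName, int $maxLifetime, ?int $now = null): array
{
    $now     = $now ?? time();
    $pattern = '#\A' . preg_quote($cookieName, '#') . '[0-9A-Za-z,-]{22,}\z#';
    $deleted = [];

    foreach (scandir($dir) as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;

        // Only regular files; never follow symlinks out of the directory.
        if (is_link($path) || !is_file($path)) {
            continue;
        }
        // Leave index.html, .htaccess and anything else that is not a session file.
        if (!preg_match($pattern, $name)) {
            continue;
        }
        // Same expiry rule as the loop in the thread: idle for sess_expiration seconds.
        if ($now - filemtime($path) >= $maxLifetime && @unlink($path)) {
            $deleted[] = $name;
        }
    }
    return $deleted;
}

// Constructed demo in a throwaway directory (sample files, not real sessions).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$old   = 'on_session' . str_repeat('a', 40);
$fresh = 'on_session' . str_repeat('b', 40);
touch($dir . DIRECTORY_SEPARATOR . $old, time() - 8000);          // idle longer than 7200 s
touch($dir . DIRECTORY_SEPARATOR . $fresh);                       // just written
touch($dir . DIRECTORY_SEPARATOR . 'index.html', time() - 8000);  // old, but not a session file

echo "Deleted:\n";
print_r(purge_expired_sessions($dir, 'on_session', 7200));
echo "Remaining:\n";
print_r(array_values(array_diff(scandir($dir), ['.', '..'])));
```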