CodeIgniter Forums
Best secure session configuration ? - Printable Version

Best secure session configuration ? - remiheens - 02-09-2016

Hi,

I'm developing a website with a lot of users (500K) and lots of daily sessions.
I recently upgraded CI to version 3, so I've seen session management change to the files driver (as default) and write sessions on the server.
I have a memcache cluster available, so I'm checking whether it's possible to move sessions to memcache and which session driver is the best.

My principal question is:
What is the best and most secure configuration for sessions with CI3?
  • which driver?
  • which session expiration timing?
  • which time to update?



RE: Best secure session configuration ? - remiheens - 02-18-2016

Nobody wants to share their experience?


RE: Best secure session configuration ? - skunkbad - 02-18-2016

I don't think that the selected driver would make your session more or less secure. It's far more likely that your server configuration, your application, or implementation of authentication would cause security vulnerabilities. That said, you'll notice that CodeIgniter no longer has an option to encrypt the session, so I like to do that in my application. Even still, I would never put sensitive data in the session, but it's nice to know that prying eyes can't know the contents of the session.
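
Added example, not code from skunkbad or from the CodeIgniter project: one way to encrypt session values in the application with CI3's own Encryption library, so the files or memcached store only ever holds ciphertext. The class name `Secure_session` and its file path are hypothetical, and the code assumes `$config['encryption_key']` is set in `application/config/config.php`.

```php
<?php
// application/libraries/Secure_session.php (hypothetical name and path, added example)
// Assumes $config['encryption_key'] is set in application/config/config.php.
defined('BASEPATH') OR exit('No direct script access allowed');

class Secure_session
{
    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->library('encryption');
    }

    // Encrypt a value before it reaches the session store.
    public function set($key, $value)
    {
        // JSON avoids calling unserialize() on data read back from the store.
        $plaintext = json_encode($value);
        if ($plaintext === FALSE) {
            throw new InvalidArgumentException('Session value is not JSON-encodable');
        }
        $ciphertext = $this->CI->encryption->encrypt($plaintext);
        if ($ciphertext === FALSE) {
            throw new RuntimeException('Encryption failed; check encryption_key');
        }
        $this->CI->session->set_userdata($key, $ciphertext);
    }

    // Decrypt a value; a failed decrypt is treated as a missing value.
    public function get($key, $default = NULL)
    {
        $ciphertext = $this->CI->session->userdata($key);
        if ( ! is_string($ciphertext)) {
            return $default;
        }
        // decrypt() returns FALSE when the HMAC check fails or the key is wrong.
        $plaintext = $this->CI->encryption->decrypt($ciphertext);
        if ($plaintext === FALSE) {
            $this->CI->session->unset_userdata($key); // drop the unreadable entry
            return $default;
        }
        return json_decode($plaintext, TRUE);
    }
}
```

In a controller this would be loaded with `$this->load->library('secure_session')` and used through `set()` and `get()` in place of direct `set_userdata()` and `userdata()` calls.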