The Auth Library 1.0.3 - The Easiest Auth Library for CodeIgniter
#12

Adam Griffiths
Does the session data get saved to only the database, or the database and the cookie?

Quote: While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no security, session ID validation may not be needed, but if your application requires security, validation is mandatory.

When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.

This is direct from the user guide. It looks like the database acts as a mirror of the cookie data, and validates it when it finds a valid cookie.

Two points to make. There still won't be enough room in the cookie for all the data, and using this would render my remember me function useless, and I worked hard to get it as secure as possible. So if what I've laid out in this post is correct, using a database wouldn't help in this situation.

If somebody would like to clarify this, or put me right, please do so.

Thanks.
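
The check described in the quoted user guide text, modelled as an added example that is not part of the original post and is not code from CodeIgniter or the Auth Library. The table, the function names and the in-memory SQLite database (PHP 7+ with pdo_sqlite) are assumptions made for illustration.

```php
<?php
// Added illustration: a minimal model of database-backed session ID validation.
// Hypothetical names throughout; this is not CodeIgniter's Session class.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, last_activity INTEGER)');

// A session ID is generated only when a new session is created.
function create_session(PDO $db): array
{
    $cookie = ['session_id' => bin2hex(random_bytes(16)), 'last_activity' => time()];
    $stmt = $db->prepare('INSERT INTO sessions (session_id, last_activity) VALUES (?, ?)');
    $stmt->execute([$cookie['session_id'], $cookie['last_activity']]);
    return $cookie; // the array that would be stored in the user's cookie
}

// Run on every request: match the cookie's session ID against the database.
// Returns the cookie array when a row matches, or null when it does not,
// in which case the caller clears the cookie (the session is destroyed).
function validate_session(PDO $db, array $cookie): ?array
{
    $id = $cookie['session_id'] ?? '';
    $stmt = $db->prepare('SELECT 1 FROM sessions WHERE session_id = ?');
    $stmt->execute([is_string($id) ? $id : '']);
    return $stmt->fetchColumn() === false ? null : $cookie;
}

// Server-side destroy (logout): without this row the cookie alone proves nothing.
function destroy_session(PDO $db, string $session_id): void
{
    $db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$session_id]);
}

// Constructed walk-through of the three cases.
$cookie = create_session($db);
$forged = ['session_id' => str_repeat('0', 32)] + $cookie; // made-up ID, same other fields

var_dump(validate_session($db, $cookie) !== null); // cookie exactly as issued
var_dump(validate_session($db, $forged) !== null); // cookie carrying an ID the server never issued

destroy_session($db, $cookie['session_id']);
var_dump(validate_session($db, $cookie) !== null); // issued cookie replayed after logout
```

The third case is the one a cookie-only session cannot handle: once the server-side row is gone, a copy of the old cookie no longer validates.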

