Session data security: what happens when session cookie & ci_sessions table don't match?
#3

[eluser]aidehua[/eluser]
Thanks waldmeister.

So if I set a session variable "is_logged_in = TRUE" (perhaps a bit more realistic than "has_absolute_power = TRUE"), that value is stored in the database only, and I can be pretty confident that I can trust it?

I just tried an experiment. I wanted to see what was in my session, so I wrote this:

Code:
// Dump every key/value pair currently held in the session userdata array
foreach ($this->session->userdata as $key => $item):
    echo $key . ': ' . $item;
    echo '<br />';
endforeach;

This returned the following:

Quote:session_id: 7df9aa7a983e43b1c0215b2e844a039a
ip_address: 127.0.0.1
user_agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Ap
last_activity: 1262938987
username: xxxxxx
logged_in: 1

Then I went directly to the database (using phpMyAdmin, so outside of CodeIgniter's scope) and changed the custom data manually so that the username was now "yyyyyy" rather than "xxxxxx".

Then when I ran this code again:

Code:
// Same dump as above, run after the row in ci_sessions was edited by hand
foreach ($this->session->userdata as $key => $item):
    echo $key . ': ' . $item;
    echo '<br />';
endforeach;

The print-out was as follows:

Quote:session_id: 7df9aa7a983e43b1c0215b2e844a039a
ip_address: 127.0.0.1
user_agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Ap
last_activity: 1262938987

i.e. ALL the custom session data was somehow removed from the session userdata array. (Same session_id, same ip_address & user_agent.)

BUT that data was still there in the database, including the amended custom data (username = 'yyyyyy').

When I went back to the database and changed the username back to 'xxxxxx', and ran the code again, the custom data was restored to the print-out:

Quote:session_id: a8e11d3422c5ca0b4b640d0982c09c2c
ip_address: 127.0.0.1
user_agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Ap
last_activity: 1262944815
username: [email protected]
logged_in: 1

What's going on there?
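As an added illustration of the question above (my own reduced model, not CodeIgniter's session library and not code from this thread): the identity fields travel in the cookie, while the custom data is read from the row's user_data column and merged into the session only if that column still unserializes to an array. A hand-edited value whose serialized length prefix no longer matches its content is one way to make every custom key vanish while session_id, ip_address and user_agent survive, which is the symptom described. Function and variable names, and the sample email address, are assumptions.

```php
<?php
// Added example (not CodeIgniter's code): a reduced model of how a cookie-backed session
// merges the custom data stored in a ci_sessions-style row. Identity fields come from the
// cookie; custom fields come from the row's user_data column, a PHP-serialized array.

function buildSession(array $cookieFields, ?array $row): array
{
    $session = $cookieFields; // session_id, ip_address, user_agent, last_activity

    if ($row === null) {
        return $session; // cookie matched no row: nothing custom to trust
    }
    if (isset($row['user_data']) && $row['user_data'] !== '') {
        // A corrupted serialized string yields FALSE, so the guard below silently drops
        // every custom key instead of merging a partial or tampered array.
        $custom = @unserialize($row['user_data'], ['allowed_classes' => false]);
        if (is_array($custom)) {
            foreach ($custom as $key => $val) {
                $session[$key] = $val;
            }
        }
    }
    return $session;
}

// Constructed sample values standing in for the cookie contents and the database row.
$cookieFields = [
    'session_id'    => '7df9aa7a983e43b1c0215b2e844a039a',
    'ip_address'    => '127.0.0.1',
    'user_agent'    => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Ap',
    'last_activity' => 1262938987,
];

// Row as the application wrote it: each s:N length prefix matches its value.
$intactRow = ['user_data' => serialize(['username' => 'user@example.com', 'logged_in' => 1])];

// Row after a hand edit in a DB client: the value was replaced by a shorter string,
// but the s:16 length prefix was left untouched, so the string no longer parses.
$editedRow = ['user_data' => str_replace('user@example.com', 'yyyyyy', $intactRow['user_data'])];

print_r(buildSession($cookieFields, $intactRow)); // custom keys merge in
print_r(buildSession($cookieFields, $editedRow)); // only the four cookie fields remain
```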


Messages In This Thread
Session data security: what happens when session cookie & ci_sessions table don't match? - by El Forum - 01-08-2010, 04:06 AM


