Do Codeigniter people simply have no f*cking clue?

[eluser]behnampmdg3[/eluser]
Don't get me wrong. I am just quoting. I am a big CI fan but this is the third time I am running into something like this. If there is anyone who can do reply to this guy in It's Devshed Forum, then write something. My whole business is based on sessions!

Code:

$config['sess_cookie_name']        = 'ci_ses_C-FlatmateSES';
$config['sess_expiration']        = 720000;
$config['sess_expire_on_close']    = FALSE;
$config['sess_encrypt_cookie']    = TRUE;
$config['sess_use_database']    = FALSE;
$config['sess_table_name']        = 'ci_ses_C-FlatmateSES';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent']    = TRUE;
$config['sess_time_to_update']    = 300;

If CI lets you use standard sessions instead of their homegrown stuff, please do that. I haven't read the whole code, but what I've seen is f*cked up badly. They don't even lock the sessions to prevent concurrent requests from trampling each other. The so called "encryption" is also one of worst things I've seen in this area. The so called "key" is derived from the serialized session parameters (session ID, IP address etc.). And after they've made sure to screw up every aspect of cryptography (they even halve the key length), they store this very key data next to the "encrypted" data. What-the-f*ck?

This isn't a key under the doormat. It's a key in the door lock with a sign saying "I'm on vacation for the whole year".

Was the NSA involved in the development of CI? Is this the next Dual Elliptic Curve Deterministic Random Bit Generator? Or do those people simply have no f*cking clue?

For the future, consider using a different framework ...

It's here