Session handling

[eluser]Nick Jennings[/eluser]
I was reading the documentation and maybe it's just not completely clear, but my interpretation was that it stores the session data *both* in the cookie /and/ in the DB. Then compares the session ID and if it doesn't match, it destroys the session.

This was still keeps the userdata both in the DB and in the cookie. No?

It's very probable my understanding is wrong (I'm new to code igniter), but if so I think it might help to clarify this in the documentation.
-Nick

[quote author="majidmx" date="1228905036"]First of all, in PHP's native session handling, the Session_id should be passed to server.
It's either saved in user's cookie which is mostly the default way and most of the people are not aware of it.
or it should be passed through URL.
But basically there should be a way that server can recognize the same client.
In either ways, with knowing the session_id wasn't that much hard to do some nasty stuff on PHP's native session, which had made it a little bit unsecure.

In CodeIgniter, as Eric mentioned, you can save the information in Cookie and encrypt them.
But if you're not a fan of client-side storing, you can save all the session information in Database.
Again, even in this way, session_id will be saved in user's cookie. But user's data will be saved in the Database, as you can see in the manual :
http://ellislab.com/codeigniter/user-gui...sions.html
and by taking a look at the structure of `ci_sessions` table, you can easily find that the data is saved in the `user_data` field for corresponding `session_id` which comes from cookies.

Hope it helped.
MajiD Fatemian[/quote]