Session libraries?

[eluser]Jonny Noog[/eluser]
Hello,

I've read a large number of posts on this forum regarding the built in CI sessions class as well as a few of the community driven alternatives but I'm having trouble discerning what may be current and what may be outdated information. It seems like a lot of the talk regarding sessions appears to date back to CI versions 1.5 or 1.6.

So I'm hoping I can get comment from some of the more experienced people here in relation to what library you use for your session requirements these days? Do you use the built in CI session class? Or one of the alternatives? I was kind of liking the idea of something like Native_session as it uses the built in PHP session mechanism, but was really wanting to find out what the community currently recommends.

[eluser]Dam1an[/eluser]
I currently stick to using the native CI session library, but then again my session needs are very basic
What exactly do you need of sessions, it might help people make better recomendations if they know what you need from the session library

[eluser]Jonny Noog[/eluser]
Well, I'm really looking for a solution where I can still use cookies, but be as secure as possible considering that I'll still be using cookies.

The reason I mentioned liking the idea of Native_session is because I'm using Suhosin on our production server and my understanding is that Suhosin transparently encrypts native PHP session cookies. So for this reason, something like Native_session looks attractive. But I also don't really want to be using outdated or unmaintained libraries.

I know that you can also encrypt session cookies with the CI Session class, but I have yet to find out what encryption algorithm it uses.

[eluser]Peccavio[/eluser]
[quote author="Jonny Noog" date="1240937122"]I mentioned liking the idea of Native_session ... But I also don't really want to be using outdated or unmaintained libraries.[/quote]

I have worked extensivey with Native_session although currently I'm not up to date with CI.
The code, it's author was well talented, he is no longer around. but good code is good code. I like it's features.

There is also a db version with the same API but CI has since upgraded the MySQL requirement.
This resource would require some testing and updating to use.

It is easy to encrypt a value before storing it to a cookie or session variable.

[eluser]Jonny Noog[/eluser]
Thanks, I appreciate the information.

[quote author="Peccavio" date="1240943740"]... It is easy to encrypt a value before storing it to a cookie or session variable.[/quote]

Yeah, I guess I'm really just wanting to find out what's already out there and recommended that I can leverage off and save myself a bit of time (this is, after all the main reason for using a framework) but at the same time don't want to end up going down a wrong path that will end up costing me time.

[eluser]skunkbad[/eluser]
I really don't understand the value of using CI's sessions vs. standard php sessions. I am very comfortable using standard php sessions, and am not really fond of storing all session data in a cookie (encrypted or not). The user guide says, "The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.", however the user guide doesn't specify what this flexibility is.

I'm probably going to extend the session class to use native php sessions, or include native sessions as needed.

One thing that is curious is that if I var_dump the CI session, even on a page load that had no previous CI session, the output of var_dump is a HUGE amount of data. Is this normal?

[eluser]Dam1an[/eluser]
Using CI session, you don't need to store it in the cookie, you can store it in the database, and use the cookies session id as the PK
One thing I know CI sessions have that native don't is flashdata, although there are libraries for this using native sessions

[eluser]Peccavio[/eluser]
[quote author="Dam1an" date="1243037863"]One thing I know CI sessions have that native don't is flashdata, although there are libraries for this using native sessions[/quote]

Originally CI sessions was cookie based, Native Sessions library was the first to introduce flashdata, then db Sessions came along to use database for the session data while api compatable to Native Sessions. CI incorporated these features into the core.

I personally like Native Sessions, it gets past the size/security issues of a cookie without resorting to using the db. You can still use set_cookie().