Confused about sessions
#11

[eluser]Colin Williams[/eluser]
Quote:You’re right. It appears that the session class does indeed match the cookie to the database entry. I had no idea… That’s quite strange, as I don’t think there’s any point in sending it to the browser and back again if the data is stored locally.

That can't be right... Really!?
#12

[eluser]depthcharge[/eluser]
Cookie holds Session ID only, surely?

:bug:
#13

[eluser]depthcharge[/eluser]
When using DB Sessions it stores the following client-side, methinks:

session_id
ip_address
user_agent
last_activity

from the session code: custom session data only written to database
Code:
// Write the cookie.  Notice that we manually pass the cookie data array to the
// _set_cookie() function. Normally that function will store $this->userdata, but
// in this case that array contains custom data, which we do not want in the cookie.
$this->_set_cookie($cookie_userdata);
#14

[eluser]jbawarren[/eluser]
...along with a serialized array in another column. What's cause for concern, for me, is that it doesn't appear that session data is encrypted at all in the tandem cookie. It appears that everything is mirrored, but unencrypted in the cookie? If that's the case, that's not very cool. Hopefully I'm overlooking something.
#15

[eluser]jbawarren[/eluser]
Actually, you're likely right, depthcharge. It doesn't appear that when DB is enabled custom data is duplicated in the cookie.

Tested with:
Code:
<?php $this->session->set_userdata('test', 'noodle'); ?>
<?php echo $this->session->userdata('test'); ?>
<?php print_r($_COOKIE) ?>

...and "test" DIDN'T show up in the $_COOKIE array but did appear when I called it explicitly.

That's good news.
#16

[eluser]TheFuzzy0ne[/eluser]
[quote author="Colin Williams" date="1243678262"]That can't be right... Really!?[/quote]

Yes, really. See for yourself. Smile
#17

[eluser]TheFuzzy0ne[/eluser]
OK, this thread has been causing me some issues, so I want to clear it up. Not all of the user data is sent in the cookie if database sessions are enabled - only data such as last activity, IP address, session ID and so on, which is matched against the same information in the database. Anything else is stored directly in the database, not the cookie, so with a cookie, 4KB is your store limit for data, and with database sessions, 65KB is the limit. Bear in mind that encryption will make a string considerably longer, so if encryption is enabled, you could hit the limits without realizing.

However, I'm quite sure it's possible to upgrade the field type to something bigger if you'd like to store more data.

I hope this makes things a little clearer for anyone who I confused.
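
The split described in the post above, as an added example that is not part of the original thread and is not CodeIgniter's own code: a standalone PHP model in which only the four identifying fields go into the cookie, custom data stays in the database row, and a returning cookie is accepted only if it matches that row. The four field names come from the thread; the function names, the `user_data` column name and the sample values are assumptions made for illustration.

```php
<?php
// Simplified model of the behaviour discussed in this thread.
// Field names are from the thread; everything else is hypothetical.
const COOKIE_FIELDS = ['session_id', 'ip_address', 'user_agent', 'last_activity'];

// Split a full session array into the part sent to the browser and the
// database row that keeps the custom data server-side.
function split_session(array $session): array
{
    $keys   = array_flip(COOKIE_FIELDS);
    $cookie = array_intersect_key($session, $keys);
    $custom = array_diff_key($session, $keys);
    // 'user_data' is an assumed column name for the serialized custom data.
    $row = $cookie + ['user_data' => serialize($custom)];
    return [$cookie, $row];
}

// Accept a returning cookie only if its identifying fields match the row.
function cookie_matches_row(array $cookie, array $row): bool
{
    foreach (['session_id', 'ip_address', 'user_agent'] as $field) {
        if (!isset($cookie[$field], $row[$field])
            || !hash_equals((string) $row[$field], (string) $cookie[$field])) {
            return false;
        }
    }
    return true;
}

// Constructed sample session (values are made up for this example).
$session = [
    'session_id'    => 'constructed-session-id-0001',
    'ip_address'    => '192.0.2.10',
    'user_agent'    => 'ExampleBrowser/1.0',
    'last_activity' => 1243678262,
    'test'          => 'noodle',
];

[$cookie, $row] = split_session($session);

// Is the custom key present in what the browser receives?
var_dump(array_key_exists('test', $cookie));
// Custom data read back from the server-side row.
var_dump(unserialize($row['user_data'], ['allowed_classes' => false]));
// An untouched cookie compared with its row.
var_dump(cookie_matches_row($cookie, $row));
// A cookie whose session_id was changed after it was issued.
var_dump(cookie_matches_row(['session_id' => 'altered-id'] + $cookie, $row));
```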
#18

[eluser]Dam1an[/eluser]
First of all, I told you so Tongue
Second of all, just to clarify, the encryption only takes place on the client end, so it's very unlikely to run out of room.
#19

[eluser]TheFuzzy0ne[/eluser]
I just misunderstood what you were saying. I thought you were saying the data was sent to both client and database, and the two were compared to ensure nothing had been touched. I'm glad it's cleared up now, though. Thanks.



