Using session class for secure logins
#2

BrianDHall
1- Use encrypted cookies, then they are relatively secure. For real security, enable sessions in the database - no session data is then sent to the client.

2- To the last question, no - CI's library uses its own implementation of sessions, and uses none of PHP's native session functionality. It also implements session ID regeneration for precisely this reason.

3- Actually, on the page you quote they say no such thing. They note explicitly that it could break some people's ability to use sessions due to the behavior of HTTP proxy clusters. They also note that it is merely an extra layer of inconvenience, not a de facto "you must do this for security" - it certainly isn't required for even PCI compliance when credit card data is involved.

Also, CI permits IP-locking of sessions with a simple configuration change, but again with the proviso that it will break some people's ability to use your website.

4- Session logs if used with a database are a non-issue regardless of environment, and for session logs on shared webhosts you would of course want encrypted cookies as you can never be sure someone else can't access the Apache logs your website uses and/or be able to monitor headers for spying on cookie data.

For closing thoughts, security must be a question you ask of any software. CI provides a far more secure and robust solution than available in PHP itself and requires only minor configuration tweaks to use them - they aren't on by default because some people simply don't want them or have no need for them.
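
The settings this reply refers to, gathered into one config fragment. This is an added example, not part of the post above or of CodeIgniter's shipped files; it assumes the session config keys of the CodeIgniter 1.7.x release current when the thread was written, and the key value is a placeholder.

```php
<?php
// Added example: session settings for the application's config.php
// (CodeIgniter 1.7.x key names assumed; values are illustrative).

// Needed once cookie encryption is on. Placeholder, replace with a
// long random value and keep it out of version control.
$config['encryption_key'] = 'REPLACE_WITH_LONG_RANDOM_KEY';

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration']  = 7200;          // session lifetime in seconds

// Point 1: encrypt the session cookie (shipped default: FALSE).
$config['sess_encrypt_cookie'] = TRUE;

// Point 1: store session data server-side (shipped default: FALSE).
// The table named below must already exist; its schema is given in
// the Session class page of the CodeIgniter user guide.
$config['sess_use_database'] = TRUE;
$config['sess_table_name']   = 'ci_sessions';

// Point 3: IP locking (shipped default: FALSE). Left off here because
// users behind proxy clusters can change address between requests and
// would lose their session; set TRUE only if that is acceptable.
$config['sess_match_ip'] = FALSE;

// Reject a session whose User-Agent differs from the one recorded.
$config['sess_match_useragent'] = TRUE;

// Point 2: how often, in seconds, the session ID is regenerated.
// A shorter interval narrows the window in which a captured ID is valid.
$config['sess_time_to_update'] = 300;
```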

