Using session class for secure logins

[eluser]BrianDHall[/eluser]
[quote author="tokyotech" date="1255774424"]Storing sessions in a database? This is outrageous. That's an additional disk access - 1,000 times slower than RAM access of a normal session variable.[/quote]

Um, no - on all counts. First of all if you are so concerned about performance you should read up on how sessions normally work in php: http://www.php.net/manual/en/session.installation.php

Note: By default, all data related to a particular session will be stored in a file in the directory specified by the session.save_path INI option. A file for each session (regardless of if any data is associated with that session) will be created. This is due to the fact that a session is opened (a file is created) but no data is even written to that file. Note that this behavior is a side-effect of the limitations of working with the file system and it is possible that a custom session handler (such as one which uses a database) does not keep track of sessions which store no data.

Unless you install shared memory functions and enable them, not storing sessions in the database is what generates additional filesystem activity.

As the PHP manual intones, not using a database to store sessions might actually be slower than the native implementation.

Also I don't see how you equate database access with filesystem accesses - MySQL uses as much memory as it does primarily to avoid disk access, and typically uses table caches in RAM to maximize performance.

Anyhow, it seems to me these aren't particular well researched or deeply held opinions - you just come off as unwilling to accept that CI requires only a few minor configuration changes to make it as secure as most people could ever want.