PHP Native Session
#1

[eluser]batfastad[/eluser]
Hi everyone

I would really like to use PHP's native session library instead of CI's session library. This is for a variety of reasons, mainly security. I really don't like the idea of storing all session data in cookies on the user's machine; it's much better to store it on the server. Also, DB session storage relies on DB connectivity/latency.

The session id should be the identifier to the information that dictates whether a user is logged in or not, so to leave this on a user's machine where it can be (theoretically) tampered with, seems like a bad idea to me. To not be able to achieve the maximum available "randomness" of the session id is really not good.
I always ensure I have the following options set in php.ini:
Code:
; Read session-id entropy from the kernel CSPRNG rather than PHP's default sources
session.entropy_file = /dev/urandom
; Number of bytes read from entropy_file for each generated session id
session.entropy_length = 256
; Hash the collected entropy with SHA-512 (PHP 5.3+ accepts any name from hash_algos())
session.hash_function = sha512
; Note: these three directives exist in PHP 5.3 through 7.0. PHP 7.1 removed them;
; session.sid_length and session.sid_bits_per_character take their place there.

I've found this library which looks perfect... https://github.com/EllisLab/CodeIgniter/...ve-session
It seems like a drop-in replacement for the supplied sessions library.
Does anyone know if this is still maintained and does it work with CI 2?

Is that wiki page the only source for this library? Or is there a more up to date version?
There are a few modifications I'm thinking about that would provide access to some of PHP's session options that are currently not exposed by this library.

Thanks, B
#2

[eluser]WanWizard[/eluser]
You don't have to use the cookie-based sessions in CI. It isn't even recommended that you do so. It's only set as the default so you have a working framework without the need to configure a database.

Native sessions aren't necessarily secure, or more secure. On the contrary. CI's cookies are encrypted, and therefore relatively safe. Native sessions are files on your server that are readable by anyone with access. And depending on your setup, that is your application, all your applications, or all applications from anyone on the server. Not what I would call "secure"...
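Tying posts #1 and #2 together, here is an added example in plain PHP; it is not code from this thread, from CodeIgniter, or from the wiki library batfastad links to. It applies the entropy/hash directives from post #1 at runtime, and addresses WanWizard's objection by moving the session files out of the shared default save path into a directory only the PHP worker can read. Assumed: PHP 5.3 or newer (the entropy directives are ignored from 7.1 onward, where their replacements are set instead), a PHP process permitted to create the directory, and the hypothetical helper names `native_session_start()`, `login()` and `current_user_id()`.

```php
<?php
// Added example, not from the thread or CodeIgniter. Function names are
// hypothetical. Assumes PHP >= 5.3 and a PHP worker allowed to mkdir $savePath.

function native_session_start($savePath, $https)
{
    // Post #2's objection: the default save_path (/tmp, /var/lib/php/sessions)
    // is shared by every PHP application on the host, so any of them can read
    // the sess_* files belonging to the others. Use a private, owner-only dir.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    chmod($savePath, 0700);   // owner (the PHP worker) only; no group/world read
    ini_set('session.save_path', $savePath);

    // Post #1's php.ini directives, set at runtime. They are PHP_INI_ALL, so
    // ini_set() works; a php.ini setting is equivalent. They are gone in
    // PHP 7.1, which always draws ids from the CSPRNG; set id length there.
    if (PHP_VERSION_ID < 70100) {
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '256');
        ini_set('session.hash_function', 'sha512');
    } else {
        ini_set('session.sid_length', '64');            // 64 characters ...
        ini_set('session.sid_bits_per_character', '6'); // ... of 6 bits = 384 bits
    }

    // The id cookie is the only session state the client ever holds, so lock
    // it down: cookie transport only (no ids in URLs), HttpOnly, Secure on
    // HTTPS, and (5.5.2+) reject ids the server did not itself generate.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    if (PHP_VERSION_ID >= 50502) {
        ini_set('session.use_strict_mode', '1');
    }
    session_set_cookie_params(0, '/', '', (bool) $https, true);

    session_start();
}

// Call at every privilege change (login, role elevation): a fresh id makes an
// id obtained before authentication (session fixation) worthless, and
// passing true deletes the old file instead of leaving it readable on disk.
function login($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = (int) $userId;
    $_SESSION['logged_in_at'] = time();
}

// The server-side record, not anything the client sent, decides who is logged in.
function current_user_id()
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage: bootstrap before any output, e.g. in the front controller.
$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
native_session_start(__DIR__ . '/../var/sessions', $https);
```

One caveat on the directory permissions: 0700 only separates applications that run as different OS users. Under mod_php with every vhost running as the same user, or on a shared host where all sites share one PHP-FPM pool, the other applications are that same user and can still read the files; that is precisely the "all applications from anyone on the server" case above, and per-site FPM pools (or suexec/ suPHP) are what actually separate them. In CodeIgniter 2 this bootstrap would need to run before the framework's own Session library is loaded, since both want to own the session cookie.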
#3

[eluser]batfastad[/eluser]
Anyone who has access to the server could also have access to CI's session/cookie encryption key, allowing cookies to be decrypted.
They would also have access to your database settings and your whole application, so cookie security would become the least of your worries.

Storing session data on the server is surely more secure than storing it with the client, where it would be sent backwards and forwards with each HTTP request.
#4

[eluser]WanWizard[/eluser]
I'm pretty sure I started by saying you shouldn't use cookie based sessions.



