Session encrypt and about overwrite config expiration
#1

(This post was last modified: 01-01-2016, 05:19 PM by Gianluigi.)

Hi,

I have 2 questions about sessions.

Config:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'on_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = APPPATH . 'sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

The application folder is above the public root (../cgi-bin/application/), so sessions should not be reachable by navigation.

1. Does it make sense to encrypt session values (such as user_id, remember_me_token, or any other)?

2. If I want to use a 7200 timeout for the general session, are there ways to set sessions with a higher expiration time, by overwriting the config value using $this->session->set_userdata?

Thank you!
Reply
#2

1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.

2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
Reply
#3

(This post was last modified: 01-02-2016, 03:24 AM by Gianluigi.)

(01-01-2016, 06:54 PM)skunkbad Wrote: 1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.
Seems ok, I'll encrypt too. Thank you!

(01-01-2016, 06:54 PM)skunkbad Wrote: 2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
My mistake, wrong logic yesterday. I should use cookie+db to store remember me sessions. So I don't really need this one. Thanks anyway.

Another question: I've tried with $config['sess_expiration'] = 7200;. It works fine in the user's browser, but in application/sessions/ it doesn't delete the old session files. Should I provide a check to delete older files with something like:

PHP Code:
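 // sess_save_path has no trailing slash, so add one before the wildcard
 $files = glob($config['sess_save_path'] . '/*');
 $now   = time();

 foreach ($files as $file) {
   if (is_file($file)) {
     // Delete files whose last modification is older than the expiration time
     if ($now - filemtime($file) >= $config['sess_expiration']) {
       unlink($file);
     }
   }
 }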

?
Reply
#4

(01-02-2016, 03:22 AM)Gianluigi Wrote:
(01-01-2016, 06:54 PM)skunkbad Wrote: 1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.
Seems ok, I'll encrypt too. Thank you!

(01-01-2016, 06:54 PM)skunkbad Wrote: 2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
My mistake, wrong logic yesterday. I should use cookie+db to store remember me sessions. So I don't really need this one. Thanks anyway.

Another question: I've tried with $config['sess_expiration'] = 7200;. It works fine in the user's browser, but in application/sessions/ it doesn't delete the old session files. Should I provide a check to delete older files with something like:

PHP Code:
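 // sess_save_path has no trailing slash, so add one before the wildcard
 $files = glob($config['sess_save_path'] . '/*');
 $now   = time();

 foreach ($files as $file) {
   if (is_file($file)) {
     // Delete files whose last modification is older than the expiration time
     if ($now - filemtime($file) >= $config['sess_expiration']) {
       unlink($file);
     }
   }
 }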

?

Old sessions are cleaned up with garbage collection, which CI does automatically at random intervals.
Reply
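
A stricter form of the cleanup loop asked about in post #3, together with a check of the PHP settings that decide how often the garbage collection mentioned in post #4 runs. This is an added example, not code from the thread or from CodeIgniter. It assumes PHP 7.1+, that session file names begin with the cookie name (on_session), and that it is run from cron or the CLI; prune_session_files() is a hypothetical helper name.

```php
<?php
// Added example, not CodeIgniter's own code. Assumption: session file names
// start with the cookie name. prune_session_files() is a hypothetical helper.
function prune_session_files(string $dir, string $prefix, int $maxAge, ?int $now = null): array
{
    $now = $now ?? time();
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("Session directory not found: $dir");
    }
    $removed = [];
    foreach (new DirectoryIterator($real) as $entry) {
        // Only plain files: skip ".", "..", subdirectories and symlinks.
        if ($entry->isDot() || $entry->isLink() || !$entry->isFile()) {
            continue;
        }
        // Only files that look like this application's sessions.
        if (strncmp($entry->getFilename(), $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        // Same age test as the loop in the post: mtime older than the expiration.
        if ($now - $entry->getMTime() >= $maxAge && @unlink($entry->getPathname())) {
            $removed[] = $entry->getFilename();
        }
    }
    sort($removed);
    return $removed;
}

// PHP starts session GC with probability gc_probability / gc_divisor per
// session start; a gc_probability of 0 means it never runs on its own.
printf("session GC chance: %d/%d\n",
    (int) ini_get('session.gc_probability'), (int) ini_get('session.gc_divisor'));

// Constructed demo data in a throwaway directory.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
touch("$dir/on_sessionaaaa", time() - 8000); // stale: older than 7200 s
touch("$dir/on_sessionbbbb");                // fresh: must survive
touch("$dir/index.html", time() - 8000);     // old but not a session file
print_r(prune_session_files($dir, 'on_session', 7200));
array_map('unlink', glob("$dir/*"));         // remove the demo files
rmdir($dir);
```

Matching on the file name prefix and skipping symlinks keeps the job from deleting anything other than this application's own session files if the save path is ever shared or misconfigured.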



