Include a sessions folder?
In application/config/config.php, in the sessions section, there is the line

$config['sess_save_path'] = NULL;

Could this be changed to

$config['sess_save_path'] = APPPATH.'/sessions';

and include a 'sessions' folder in the application?

The problem is file sessions is the choice by default AND it works without setting the save path. Especially if you are developing and not closing and reopening your browser - sessions works perfectly without this set.

I can appreciate the viewpoint that everyone should read every single line of the manual. But it seems like by just including one folder in application, and changing that one line - it would make it much easier for anyone trying to learn CodeIgniter and for people upgrading from CI 2. And if it's not used then it's just another empty folder like 'third_party'.

Credit to @InsiteFX for helping people with this issue on the forum.
It can work without explicit configuration because there's a fallback to the session.save_path value from php.ini, which is way better than any empty directory that CI could have by default.
What I refer to with the word "better" is security.
If it's not optimal to include a folder, then sessions should just be turned off by default. And add a couple of lines to the config with example paths for a session files folder. Even in the manual on the session library page there are no examples of how to do this.
The huge problem is that sessions working halfway without explicit configuration is much worse than not working at all. Because it 'works' it would be very easy for it not to be caught during development - and then have the issue arise after a site or app goes live.

(06-14-2016, 01:28 PM)cartalot Wrote: If it's not optimal to include a folder, then sessions should just be turned off by default. And add a couple of lines to the config with example paths for a session files folder. Even in the manual on the session library page there are no examples of how to do this.

All you'd accomplish by doing that is confuse people even more than they already are. Notice how many people posting in the forum do not read the documentation, and also how many people know very little PHP. The way it is now is the best default configuration, and common to any framework.

(06-14-2016, 01:28 PM)cartalot Wrote: If it's not optimal to include a folder, then sessions should just be turned off by default.

It is Off by default and has never been On.

(06-14-2016, 01:28 PM)cartalot Wrote: And add a couple of lines to the config with example paths for a session files folder. Even in the manual on the session library page there are no examples of how to do this.

Examples for what exactly? A directory path that is almost guaranteed to exist and be usable? Unless you're the only user on the server, all such paths are inherently insecure. Unless you're suggesting a random path that the user would have to create, there is no viable example. The user guide has one job in this regard - to explain what you need to consider - and it already does that.

(06-14-2016, 03:34 PM)Narf Wrote: It is Off by default and has never been On.

I meant change this:

$config['sess_driver'] = 'files';

to something like this

$config['sess_driver'] = NULL;

because - unless I'm missing something - sessions works without any changes to the config.

(06-14-2016, 03:34 PM)Narf Wrote: Examples for what exactly? A directory path that is almost guaranteed to exist and be usable?

A couple of examples of what typically would be in $config['sess_save_path']. It does not need to cover all cases. Just some samples to help people get started.

(06-14-2016, 05:18 PM)cartalot Wrote: (06-14-2016, 03:34 PM)Narf Wrote: It is Off by default and has never been On.

I don't see the point. If one loads the library without reading its documentation and not even looking at the config, it is very obvious that every other effort on our part is futile.

(06-14-2016, 05:18 PM)cartalot Wrote: (06-14-2016, 03:34 PM)Narf Wrote: Examples for what exactly? A directory path that is almost guaranteed to exist and be usable?

There is no "typical" would be value. It's a directory path, an absolute one (there's a warning for that in the config), and it has to be accessible ONLY by you. No such paths exist by default on any environment; the documentation shows how to create one. I don't know how else to explain this ... it's either "/foo/bar/" or nothing, and "/foo/bar/" helps nobody.
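The requirement stated in the post above (an absolute directory path, accessible only by you) can be checked before a value goes into $config['sess_save_path']. The shell function below is an added example, not part of the thread or of CodeIgniter; the name check_sess_save_path, its return codes, and the rule "no group or other permission bits" are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory before using it as $config['sess_save_path'].
# check_sess_save_path is a hypothetical helper name, not a CodeIgniter tool.
# Usage: check_sess_save_path DIR [OWNER_UID]
# Return codes: 0 ok, 1 not absolute, 2 not a directory, 3 stat failed,
#               4 wrong owner, 5 accessible by group or others.
check_sess_save_path() {
    dir=$1
    want_uid=${2:-$(id -u)}   # assumption: run as the user PHP runs as

    case $dir in
        /*) ;;
        *)  echo "FAIL: '$dir' is not an absolute path"; return 1 ;;
    esac

    if [ ! -d "$dir" ]; then
        echo "FAIL: '$dir' does not exist or is not a directory"; return 2
    fi

    # GNU stat first, BSD/macOS stat as fallback: octal mode and owner uid.
    info=$(stat -c '%a %u' "$dir" 2>/dev/null ||
           stat -f '%Lp %u' "$dir" 2>/dev/null) || info=
    if [ -z "$info" ]; then
        echo "FAIL: cannot stat '$dir'"; return 3
    fi
    mode=${info% *}
    uid=${info#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: '$dir' is owned by uid $uid, expected $want_uid"; return 4
    fi

    # The last two octal digits are the group and other permission bits;
    # a shared directory with mode 1777 ends in 77 and is rejected.
    case $mode in
        *00|0) ;;
        *)  echo "FAIL: '$dir' has mode $mode; group/other bits must be 0 (e.g. 0700)"
            return 5 ;;
    esac

    echo "OK: '$dir' is absolute, owned by uid $uid, mode $mode"
}

# Run stand-alone: sh check.sh /path/to/sessions [uid]
if [ $# -gt 0 ]; then check_sess_save_path "$@"; fi
```

Pass the uid of the account PHP runs under as the second argument when running the check from a different account.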
PHP.INI

session.save_path = "/tmp"

CONFIG.PHP CODEIGNITER

$config['sess_save_path'] = '/tmp';