Why is CodeIgniter not using native sessions?
Greetings,
I started using CI when version 2.1.4 launched, and I soon realized that the CI session library uses cookies (which are stored in the client browser). The question is, why use cookies? Do cookies have many advantages over PHP native sessions? Back in my college days, the web development bible always said never trust cookies because they will cause security problems. Up to version 3.X, the session driver provides quite a lot of choices, but no native session; is there a reason? I hope the development team can explain. Thanks.
I believe IIRC their session cookie had some kind of validation built in to make sure it wasn't modified. That said, you are correct (just like vantcholakov said), it wasn't one of their best decisions. Only relying on the native session handler can present security issues if you're not careful. CI3 will give you choices.
I don't know why that design decision was made, but fortunately, it's very, very easy to create a native session library. Here's a nice blog post that explains how. https://www.moreofless.co.uk/using-nativ...deigniter/
Hey, don't work without a PHP debugger. Several free IDEs have this feature built in. Two are NetBeans and CodeLobster. Without a debugger, it's like you're driving with a blindfold on -- you are going to crash!
(01-25-2015, 05:06 PM)RobertSF Wrote: I don't know why that design decision was made, but fortunately, it's very, very easy to create a native session library. Here's a nice blog post that explains how. https://www.moreofless.co.uk/using-nativ...deigniter/
Thanks for the share; it's not hard to find the alternative solution by googling. I just wanna find out the philosophy of the session library.
Oh, then you have to research why they did not like PHP4 native sessions; this is a waste of time.
Huh ... I'm quite sure I wrote an answer to this yesterday. I guess I hit "Preview" instead of "Submit".
Long story short - I can give an educated guess about "why", but whoever made the decision is no longer involved with the project and it doesn't matter anyway. CI3 utilizes PHP's session handling features, so that's that.
(01-26-2015, 03:32 AM)Narf Wrote: Huh ... I'm quite sure I wrote an answer to this yesterday. I guess I hit "Preview" instead of "Submit".
I know the CI3 session driver has huge improvements, thanks for your great efforts. But... can't you do a fanboy a favor, please?