Nice Framework - but the SESSIONS are scaring me.
#21

[eluser]Xeoncross[/eluser]
[quote author="inparo" date="1217226542"]When CI retrieves the session, it splits the data again. The last 32 characters are the fingerprint, the rest is the data. It rehashes the data (with the encryption key) and compares it to the fingerprint. If they don't match, it kills the session (hacking attempt).[/quote]

ahhhhh....

So the data is safer than I thought - I forgot about doing it this way back when I first dropped cookies for sessions. (Just like the way OpenID handles stuff) Thanks Inparo.

However, people can still see data IN the cookie which might reveal more than you want about how your site works. (just as a minor closing note)

Well, that covers everything - Topic Closed
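The split-and-rehash check inparo describes, reconstructed here as an added Python example (not CodeIgniter's own code); the key and session data are constructed sample values, and the MD5 of data plus key stands in for the 32-character fingerprint the post refers to:

```python
import hashlib
import hmac

# Constructed example key; in CI this would be the configured encryption_key (assumption).
ENCRYPTION_KEY = "constructed-example-key-not-a-real-secret"
FINGERPRINT_LEN = 32  # 32 hex chars = one MD5 digest, as the post describes


def fingerprint(data: str, key: str) -> str:
    """Hash of data followed by the server-side key; the key is what a tamperer lacks."""
    return hashlib.md5((data + key).encode()).hexdigest()


def seal_session(data: str, key: str = ENCRYPTION_KEY) -> str:
    """Build the cookie value: serialized data with its fingerprint appended."""
    return data + fingerprint(data, key)


def open_session(cookie: str, key: str = ENCRYPTION_KEY):
    """Split off the last 32 chars, recompute the fingerprint and compare.

    Returns the data on success, or None (CI would kill the session here).
    """
    if len(cookie) <= FINGERPRINT_LEN:
        return None
    data, fp = cookie[:-FINGERPRINT_LEN], cookie[-FINGERPRINT_LEN:]
    # Constant-time comparison so timing does not reveal how many chars matched.
    if not hmac.compare_digest(fingerprint(data, key), fp):
        return None
    return data


if __name__ == "__main__":
    cookie = seal_session('{"user_id":42,"role":"user"}')
    print(open_session(cookie))            # original data comes back
    edited = cookie.replace('"user"', '"admin"')
    print(open_session(edited))            # None: fingerprint no longer matches
```

A keyed MAC such as HMAC-SHA256 is the modern choice for this fingerprint; MD5 is kept here only to match the 32-character split the thread describes.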
#22

[eluser]Crimp[/eluser]
Quote:However, people can still see data IN the cookie which might reveal more than you want about how your site works. (just as a minor closing note)

Don't forget that you can encrypt your session cookie with a simple setting in CI. It is perhaps more accurate to say that people can see the cookie and observe that it contains data, but the revelation in question arguably requires access to your encryption key, which is stored server side. If someone can get the key, decryption of the cookie is probably the least of your worries. And correctly guessing a 32 char or less string made up of mumbo jumbo is like winning the lottery 28 weeks in a row, or something.
#23

[eluser]beemr[/eluser]
Go get the latest from the svn trunk, CI 1.6.4 now stores userdata in the ci_session table instead of the cookie.
#24

[eluser]Xeoncross[/eluser]
[quote author="beemr" date="1219315178"]Go get the latest from the svn trunk, CI 1.6.4 now stores userdata in the ci_session table instead of the cookie.[/quote]

Great! I was hoping for that some time soon.