CodeIgniter Sessions are not real Sessions
#1

[eluser]n0-0ne[/eluser]
I've been programming PHP applications for a long time now but am new to CodeIgniter (just reading the manual for the first time now to see its capabilities).

And I was quite puzzled to see that the Session library saves all the session data in a cookie.
This is bad practice, since session data should never leave the server and only the session identifier should be saved in a cookie.

I saw there is an option to secure the data using the database, but many users probably won't be aware of the dangers of using this feature without database validation.

This library should be split into a Cookie library (since without a DB all it does is offer advanced cookie capabilities) and a Session library forcing users to enable DB support for it.
A better solution (though more time-costly) would be to integrate the session library to work with PHP's built-in session handler functions, improving them for better flexibility and security, thus eliminating the need for database use and leaving it as an option to harden security on shared servers.
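The arrangement this post argues for (session data on the server, only the id in the cookie) wired through PHP's built-in `session_set_save_handler()`, as an added example that is neither part of the original thread nor CodeIgniter's code. It assumes PHP 5.5 or later and a `sessions` directory next to the script that the web server can write to but not serve; the class name and directory are the example's own choices.

```php
<?php
// Added example, not CodeIgniter's own code: session data stays on the server
// in a file store (assumed to exist and not be web-readable); the cookie carries only the id.
class FileSessionHandler implements SessionHandlerInterface
{
    private $dir;

    public function __construct($dir) { $this->dir = rtrim($dir, '/'); }
    // Accept only ids shaped like PHP's own, so a crafted id cannot name another path.
    private function path($id)
    {
        return preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id)
            ? $this->dir . '/sess_' . $id : false;
    }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    public function read($id)
    {
        $p = $this->path($id);
        return ($p !== false && is_file($p)) ? (string) file_get_contents($p) : '';
    }
    public function write($id, $data)
    {
        $p = $this->path($id);
        return $p !== false && file_put_contents($p, $data, LOCK_EX) !== false;
    }
    public function destroy($id)
    {
        $p = $this->path($id);
        if ($p !== false && is_file($p)) { unlink($p); }
        return true;
    }
    public function gc($maxlifetime)
    {
        foreach (glob($this->dir . '/sess_*') as $f) {
            if (filemtime($f) + $maxlifetime < time()) { unlink($f); }
        }
        return true;
    }
}

ini_set('session.use_only_cookies', '1');          // never read the id from the URL
ini_set('session.use_strict_mode', '1');           // reject ids the server did not issue
session_set_cookie_params(0, '/', '', true, true); // Secure + HttpOnly cookie
session_set_save_handler(new FileSessionHandler(__DIR__ . '/sessions'), true);
session_start();
session_regenerate_id(true);                       // rotate the id (do this at login); old file removed
$_SESSION['user_id'] = 42;                         // kept server-side, never in the cookie
```

On PHP 8.1 and later the untyped method signatures emit deprecation notices; adding the interface's return types silences them.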
#2

[eluser]esra[/eluser]
Check the wiki for the db_session library. There is also a db2_session library, but I have never used it. You can also use the native session library that saves session data to a file.
#3

[eluser]Colin Williams[/eluser]
http://derekallard.com/blog/post/codeign...-database/
#4

[eluser]n0-0ne[/eluser]
Yeah, I saw it in the code, but sessions should still be secure even if you're not using a database.
This should be fairly trivial to set up, using PHP's built-in session handlers.
I'll see if I can find the time to implement this.
#5

[eluser]Colin Williams[/eluser]
Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).
#6

[eluser]sudirman123[/eluser]
[quote author="Colin Williams" date="1259633191"]Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).[/quote]

Do you mean the page http://codeigniter.com/wiki/Category:Lib...::Session/ ?

I am also curious about Session handling in CI.
#7

[eluser]BrianDHall[/eluser]
I highly recommend OB Session. http://codeigniter.com/wiki/OB_Session/

Extremely simple: one file to override the CI session, makes sessions work like they should - store only the session ID in the cookie if you use a database.

If you don't like storing in the database then I think Native Sessions is more your style.
#8

[eluser]sudirman123[/eluser]
[quote author="BrianDHall" date="1259707736"]I highly recommend OB Session.[/quote]

Thanks for your response.

I used EckoSession (and posted reply in http://ellislab.com/forums/viewthread/122237/).
