flash_data safety

[eluser]newtonianb[/eluser]
Can flash_data be tempered with by a user is it local or server storage?
I would like to store user submitted information in flash_data and use it in a different controller that gets redirected and I don't want to have to repeat the data validation again in this second controller as long as the data remained safe across the redirect.

[eluser]WanWizard[/eluser]
You can tamper with everything, but in this case it's not going to be easy.

If you use the session library without the database, session data is stored in a cookie, client side. If you use the database, no session data is send to the client.
In either case, don't forget to encrypt the cookie, and use an encryption key with enough entropy.

[eluser]newtonianb[/eluser]
Thanks WanWizard!
When you talked about database, do you mean I can specify an option for flash data to use database instead of cookie? Or did you mean I can implement my own system and manually insert data into database?

[eluser]WanWizard[/eluser]
I meant the session library using a database table for session storage. This is described in the manual. No need to waste time developing something yourself.

[eluser]newtonianb[/eluser]
ah thats awesome thanks alot

[eluser]Burak Guzel[/eluser]
Storing session data on client side is not such a good idea, mainly for security reasons. Not sure why the CI team went with that as the default option.

I have used native sessions for years, and they are always server-side by default.

[eluser]newtonianb[/eluser]
Burak, how are the performance difference, is the load on the server very much more if we use database?
Also does it make any sense to use session encryption if we are storing in database?

[eluser]Burak Guzel[/eluser]
On high traffic websites, it is not a good idea to use mysql for session storage. We prefer to use memcached, which is very fast and scalable.

But on small websites, it's not a big deal.

And no, you generally don't really need to encrypt session data, if stored server-side, as it's not something that surfers can access directly.

[eluser]WanWizard[/eluser]
[quote author="Burak Guzel" date="1276743430"]Not sure why the CI team went with that as the default option.[/quote]
CI, out of the box, is not database driven. Making it a default is not very handy. Besides that, it's well documented.

CI only encrypts the part that goes to the client, not the data in the database.

[eluser]cahva[/eluser]
The thing is, that CI should have option to use native session or database for sessions in the first place. Error is the cookie based session as default which is kind of dum.