Session ID auto regeneration question
#1

[eluser]Eric Cope[/eluser]
I am trying to use the CI session class. However, when I echo the session ID to the browser, it comes back the same every time. I expected the session ID to be different every refresh (based on Derek Allard's blog entry).

Does the CI session class support auto regeneration sessions?
If so, how can I verify that?

Thanks.
#2

[eluser]Michael Wales[/eluser]
Derek's new Session Class supports regeneration. This is not implemented in the current public release, but Derek provides instructions within that post of how to merge it into your current installation.

I've been using it for all of my projects since it was released - it's a great library that adds a lot of functionality to the Session class. Definitely a welcome addition.
#3

[eluser]Derek Allard[/eluser]
Yup! Just grab a copy of the session.php from the repository. It's the only file you'll need.
#4

[eluser]Eric Cope[/eluser]
I uploaded Derek's session.php file. The session ID still does not change at the rate I expected. When I dealt with PHP sessions, I could recreate the session ID on every reload. That is what I expected. Is that possible?
#5

[eluser]Michael Wales[/eluser]
I believe the session is regenerated based on the cookie timeout variable found within config.php.
#6

[eluser]deviant[/eluser]
The session IDs are regenerated in the sess_update function, which is only called every 5 minutes by default. $config['sess_time_to_update'] can be used to change the time between updates, or you could hack the code to update every page load by changing

Code:
/*
 *  Fetch the current session
 *
 * If a session doesn't exist we'll create
 * a new one.  If it does, we'll update it.
 *
 */
if ( ! $this->sess_read())
{
    $this->sess_create();
}
else
{
    // We only update the session every five minutes
    if (($this->userdata['last_activity'] + $this->time_to_update) < $this->now)
    {
        $this->sess_update();
    }
}

to this

Code:
/*
 *  Fetch the current session
 *
 * If a session doesn't exist we'll create
 * a new one.  If it does, we'll update it.
 *
 */
if ( ! $this->sess_read())
{
    $this->sess_create();
}
else
{
    $this->sess_update();
}
#7

[eluser]Derek Allard[/eluser]
Yes, but no need to hack the code. The easiest thing to do (as you allude to) is just drop in a $config['sess_time_to_update'] into your config, right below all the rest of the database config options, and set it low.

That said, I don't think there is much additional security to be gained by changing it on every page load.
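
Added example (not part of any post in this thread and not CodeIgniter's own code): a small PHP 8 model of the interval-based regeneration discussed in posts #6 and #7, showing why the ID looks unchanged on a quick refresh and when it rotates. The class and method names (RotatingSession, create, touch) and the in-memory store are assumptions made for illustration; only the interval test mirrors the condition quoted in post #6.

```php
<?php
// Illustration only: RotatingSession is a hypothetical stand-in, not CI's Session class.
final class RotatingSession
{
    /** @var array<string, array> server-side rows keyed by session ID */
    private array $store = [];

    public function __construct(private int $timeToUpdate = 300) {}

    public function create(int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->store[$id] = ['last_activity' => $now, 'data' => []];
        return $id;
    }

    /** Returns the ID the client must present next, or null if the ID is unknown. */
    public function touch(string $id, int $now): ?string
    {
        if (!isset($this->store[$id])) {
            return null; // never issued, or already rotated out
        }
        $row = $this->store[$id];
        // Same test as the thread's snippet: rotate only after the interval has elapsed.
        if ($row['last_activity'] + $this->timeToUpdate >= $now) {
            return $id;
        }
        $newId = bin2hex(random_bytes(16));
        $row['last_activity'] = $now;
        $this->store[$newId] = $row; // user data moves to the new ID
        unset($this->store[$id]);    // the old ID is no longer accepted
        return $newId;
    }
}

// Constructed timeline with the 5-minute default: requests at +60s and +301s.
$s   = new RotatingSession(300);
$t0  = 1000;
$id0 = $s->create($t0);
$id1 = $s->touch($id0, $t0 + 60);     // inside the window: ID unchanged
$id2 = $s->touch($id1, $t0 + 301);    // window elapsed: ID rotated
var_dump($id1 === $id0);
var_dump($id2 !== $id0);
var_dump($s->touch($id0, $t0 + 302)); // replaying the old ID after rotation
```

Constructing the object with a smaller interval corresponds to lowering `$config['sess_time_to_update']`, which is how rotation becomes visible sooner without editing the library.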
#8

[eluser]Eric Cope[/eluser]
Thanks for the input. I appreciate all of your input.



