What's last situation with the CI Session Class?
#1

[eluser]BufferOverflow[/eluser]
Still got bugs in IE? Also, is it secure enough? Or should I use Hybrid Session?
#2

[eluser]WanWizard[/eluser]
The session class never had any bugs with IE. Your configuration could though (IE doesn't like an underscore in the cookie name for example).
It is also very important to configure all settings properly, and according to the RFC specs. Browsers are getting more and more strict when it comes to cookie configuration.

It is a lot more secure than PHP's own session management (which is not secure at all), so switching to something that uses that is a very bad idea. Don't forget to use database sessions (no user data stored client side), and to encrypt the session cookie with a random salt.
#3

[eluser]BufferOverflow[/eluser]
Thanks for the fast reply. No IE bug or security issue? If so, why is there something like that? Straight from the CI Wiki:

Quote: Code Igniter's standard session library has many critics, enough to produce three or more competitors. Whatever the critics say, most have agreed that the library does provide a neat interface to session handling, is simple and intuitive to use and well documented.

Major weaknesses of the library:
Security : The User Data is stored in a cookie, client-side.
Security : The session is vulnerable to session fixation.
Usability : Enabling the session database does not actually store User-Data in the database!
Usability : Things like non-persistent sessions, flash variables and session id regeneration are not enabled.

The original reason Rick wrote the custom library was to avoid unpredictable results with PHP’s configuration and setup variances across hosts. A custom library (should) provide the developer with finer control and dependability.

Alternative Session Libraries For Version 1.7.2

Session Hybrid

Session Hybrid uses native PHP sessions, can store session data in the default Codeigniter database, works with codeigniter version 1.7.2 (Also: 1.7.0), and is a drop-in replacement for CodeIgniter’s session class.
It solves the major bug with Internet Explorer (all versions) that stops sessions working correctly.

At the time of testing, this is the only session library that works correctly, and only requires one file to be rewritten.
#4

[eluser]InsiteFX[/eluser]
Gee, I am running Firefox, IE 7, IE 8, and IE 9 and have no problems with the CodeIgniter Session Library.

And since CI 1.7.2 and now CI 2.0.1

So where is the Problem?

As WanWizard stated, you have to change the cookie name; I use cisessions.

InsiteFX
#5

[eluser]BufferOverflow[/eluser]
Then this wiki entry must change, since it doesn't resemble the current situation. But it seems there were problems in the past that led the way to writing other Session Libraries.

Anyway, if there is no problem this is great! If I use Database Sessions in CI, should I run a query to the database and check the session id in the database against the id in the cookie?
#6

[eluser]WanWizard[/eluser]
The wiki (content) is a major problem in itself. Nobody moderates and maintains it.
This specific page might have been true a long time ago (like CI 1.6 or earlier).

As for the named weaknesses:
- user data doesn't have to be stored client-side (it is by default so no database is required by default)
- the session cookie is encrypted, contains additional checks on IP and user agent (if enabled), and provides session id rotation (default every 5 minutes)
- see my first bullet

For PHP's own session management:
- it adds HTTP headers that might conflict
- it only uses a session_id
- the session id is not encrypted
- you have to manually deal with session fixation and session hijacking
- session data is stored in files, by default in a shared location on the server

As for everything you use, proper configuration, and knowing the restrictions of your environment, is important.

For example, there are still lots of people using 'localhost' to define the cookie_domain. According to the RFC, this is an illegal hostname; more and more browsers will reject the cookie if you use this.
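As an added example, not code from the thread or from CodeIgniter itself: the session-related entries of a CI 2.x application/config/config.php, with the weak settings the thread warns about shown next to a hardened set, plus a small checker that flags the configuration mistakes WanWizard and InsiteFX mention (underscore in the cookie name, 'localhost' as cookie_domain, encryption enabled without a key). The config keys are the real CI 2.x keys; the values and the check_session_config() helper are constructed for illustration.

```php
<?php
// Added example, not part of the original thread or of CodeIgniter.
// Keys are CI 2.x config.php keys; values are constructed.

// --- Weak configuration: the situation the old wiki page describes ---
$weak = array(
    'sess_cookie_name'     => 'ci_session',  // underscore in the name; IE mishandles it
    'sess_use_database'    => FALSE,         // all user data lives in the cookie, client side
    'sess_encrypt_cookie'  => FALSE,         // cookie payload readable and forgeable by the client
    'sess_match_ip'        => FALSE,
    'sess_match_useragent' => FALSE,
    'sess_time_to_update'  => 0,             // session id is never rotated
    'cookie_domain'        => 'localhost',   // not a valid cookie domain; browsers reject it
    'cookie_secure'        => FALSE,
    'encryption_key'       => '',            // no key, so encryption cannot work anyway
);

// --- Hardened configuration: what the replies in this thread recommend ---
$config['sess_cookie_name']     = 'cisession';   // no underscore
$config['sess_expiration']      = 7200;          // seconds; 0 would mean "never expire"
$config['sess_expire_on_close'] = TRUE;          // non-persistent session
$config['sess_encrypt_cookie']  = TRUE;          // needs encryption_key below
$config['sess_use_database']    = TRUE;          // user data kept server side in ci_sessions
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;          // set FALSE if your users sit behind changing NAT
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;           // rotate the session id every 5 minutes
$config['cookie_prefix']        = '';
$config['cookie_domain']        = '';            // empty = current host; never 'localhost'
$config['cookie_path']          = '/';
$config['cookie_secure']        = TRUE;          // cookie only sent over HTTPS
$config['encryption_key']       = 'REPLACE-WITH-A-RANDOM-32-CHAR-KEY'; // placeholder

/**
 * Hypothetical helper (not a CI API): returns a list of warnings for the
 * session-related mistakes discussed in this thread. An empty array means
 * none of the known problems were found.
 */
function check_session_config(array $c)
{
    $warnings = array();

    if (strpos($c['sess_cookie_name'], '_') !== FALSE) {
        $warnings[] = 'sess_cookie_name contains an underscore; IE may drop the cookie';
    }
    if (isset($c['cookie_domain']) && strtolower($c['cookie_domain']) === 'localhost') {
        $warnings[] = "cookie_domain 'localhost' is not a valid domain; browsers reject it";
    }
    if (empty($c['sess_use_database'])) {
        $warnings[] = 'sess_use_database is FALSE; user data is stored client side in the cookie';
    }
    if (empty($c['sess_encrypt_cookie'])) {
        $warnings[] = 'sess_encrypt_cookie is FALSE; the cookie can be read and forged';
    } elseif (empty($c['encryption_key']) || strlen($c['encryption_key']) < 32) {
        $warnings[] = 'sess_encrypt_cookie is TRUE but encryption_key is empty or shorter than 32 chars';
    }
    if (empty($c['sess_time_to_update'])) {
        $warnings[] = 'sess_time_to_update is 0; the session id is never rotated';
    }
    if (empty($c['cookie_secure'])) {
        $warnings[] = 'cookie_secure is FALSE; the cookie is also sent over plain HTTP';
    }
    return $warnings;
}

// Running the checker over both configurations.
foreach (check_session_config($weak) as $w) {
    echo "WEAK:     $w\n";
}
foreach (check_session_config($config) as $w) {
    echo "HARDENED: $w\n";   // prints only the placeholder-key warning until a real key is set
}
```

On the question in post #5: with sess_use_database set to TRUE, the CI 2.x session library performs that lookup itself on every request, reading the session id (and the IP address and user agent, when matching is enabled) out of the decrypted cookie and looking the row up in the sess_table_name table, and it destroys the session when no matching row exists. Writing your own query against the cookie's session id is therefore not needed, and doing it by hand risks skipping the encryption and match checks the library already applies.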
#7

[eluser]BufferOverflow[/eluser]
[quote author="WanWizard" date="1300462830"]The wiki (content) is a major problem in itself. Nobody moderates and maintains it.
This specific page might have been true a long time ago (like CI 1.6 or earlier).

As for the named weaknesses:
- user data doesn't have to be stored client-side (it is by default so no database is required by default)
- the session cookie is encrypted, contains additional checks on IP and user agent (if enabled), and provides session id rotation (default every 5 minutes)
- see my first bullet

For PHP's own session management:
- it adds HTTP headers that might conflict
- it only uses a session_id
- the session id is not encrypted
- you have to manually deal with session fixation and session hijacking
- session data is stored in files, by default in a shared location on the server

As for everything you use, proper configuration, and knowing the restrictions of your environment, is important.

For example, there are still lots of people using 'localhost' to define the cookie_domain. According to the RFC, this is an illegal hostname; more and more browsers will reject the cookie if you use this.[/quote]

Thanks for the clarifications and advice. But it says 1.7.2, which means it was not long ago. We need to delete these entries. Otherwise someone like me could be caught out and waste their time.
#8

[eluser]WanWizard[/eluser]
It's already reported to Ellislab and the reactor team.

I'm very sure this wasn't an issue anymore with 1.7, because I used that version extensively. If you look at the web page referred to (http://bleakview.orgfree.com/obsession/), it was last updated over three years ago... My guess is the author just never bothered to check the progress...