Database Information in clear text in $this->session.
#1

Icehawg
Doing some debugging, I wanted to check what was stored in my session. So I dumped out the contents of $this->session and saw all my settings from config - database, including my database userid and password. I scoured the user guide, again, and did some Google searching, to see if I missed a step in my setup that would block out db info, but didn't see anything.

Have I made a mistake somewhere or is the db password config option supposed to be available in clear text in the session variable?

(I have already changed my files to use mcrypt in my config file and db driver class so my password is no longer visible in the session variable, but, I would like to know if I have humped something up somewhere so I can roll back the changes I have made to a core file.)

Thanks.

Note: I am using database sessions with encryption.
#2

WanWizard
Quite logical.

You're not dumping the session store, you're dumping the session object, which is the session library. Which contains all runtime variables, including a link to the database object. Which in turn contains its internal variables, like database name and password.
#3

Icehawg
Ah. Of course.

Alrighty then. Just making sure I didn't inadvertently add the data to the session with some errant code.

(still don't like having it there so I am leaving it encrypted)
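
The difference between dumping the session store and dumping the session object, shown as an added example that is not part of the original thread and is not CodeIgniter code. The classes DemoDb, DemoController and DemoSession and the helper safe_dump() are hypothetical stand-ins constructed for illustration, as are all values.

```php
<?php
// Constructed stand-ins for the objects described in the thread (not framework code).
class DemoDb {
    public $hostname = 'localhost';
    public $username = 'app_user';          // constructed value
    public $password = 'example-password';  // constructed value
}
class DemoController { public $db; public $session; }
class DemoSession {
    public $CI;                   // back-reference to the controller, which holds the db object
    public $userdata = array();   // the actual session store
}

// Turn a value into a printable array: mask sensitive keys and stop at any
// object already visited, so back-references cannot loop or repeat secrets.
// Only public properties are visible to get_object_vars() from this scope.
function safe_dump($value, array $secretKeys = array('username', 'password'), array &$seen = array())
{
    if (is_object($value)) {
        $id = spl_object_hash($value);
        if (isset($seen[$id])) {
            return '*ALREADY SHOWN: ' . get_class($value) . '*';
        }
        $seen[$id] = true;
        $value = array('__class' => get_class($value)) + get_object_vars($value);
    }
    if (!is_array($value)) {
        return $value;
    }
    $out = array();
    foreach ($value as $key => $item) {
        $out[$key] = in_array(strtolower((string) $key), $secretKeys, true)
            ? '*REDACTED*'
            : safe_dump($item, $secretKeys, $seen);
    }
    return $out;
}

// Wire the objects together the way the thread describes: session -> controller -> db.
$ci = new DemoController();
$ci->db = new DemoDb();
$ci->session = new DemoSession();
$ci->session->CI = $ci;
$ci->session->userdata = array('session_id' => 'constructed-id', 'user_id' => 42);

print_r($ci->session->userdata);   // session store only: no database settings appear
print_r(safe_dump($ci->session));  // whole object graph, credentials masked, cycle cut
```

Calling print_r($ci->session) directly instead would walk the back-reference and print the DemoDb password in clear text, which is the output the first post describes.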



