[eluser]Silviu[/eluser]
Well, I plan to have quite some AJAX in my app...
LE:
What the risk about storing the user ID in a native PHP session? Won't this solve all my issues?
[eluser]WanWizard[/eluser]
NO.
Native PHP sessions are NOT secure!
If you would opt to use the third party CI implementation of (what's imho wrongly called) native sessions, it uses the same cookie mechanism as the CI library, so all above applies. And since the ajax issue is related to how the session id is rotated, this implementation suffers from the same issues as well.
In the backend however, PHP stores its session in shared file space on disk, in a plain serialized array, with read/write access by your web server. So any application can access the session data without any difficulty. Securing this is not for the faint hearted.
[eluser]Silviu[/eluser]
Then how can I handle the session rotation "issue" in regard to AJAX?
This seems to be the last "nail in the coffin" :-)
[eluser]WanWizard[/eluser]
Do a search for "is_ajax" and "sess_write", it has been discussed a lot in the past.
[eluser]WanWizard[/eluser]
Yes. Basically you need something that detects the ajax call, and you need to bypass the update call if it's an ajax call to prevent rotation.
Extending should be transparent for the application calling the class, providing the API doesn't change (which is the case here).
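As an added illustration of the approach WanWizard describes (not code posted in this thread), here is a library extension that skips the session-ID rotation step for AJAX requests. It assumes CodeIgniter 2.x defaults: the `MY_` subclass prefix, the file living at `application/libraries/MY_Session.php`, and `CI_Session` exposing `sess_update()` and a `$this->CI` reference to the controller instance.

```php
<?php
// application/libraries/MY_Session.php
// Added example, not the thread's own code. Assumes CodeIgniter 2.x:
// MY_ subclass prefix, CI_Session::sess_update() and $this->CI available.
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session
{
    /**
     * sess_update() is the method that regenerates the session ID once
     * sess_time_to_update seconds have elapsed. A burst of concurrent AJAX
     * calls can hit it while the browser still sends the old cookie, so the
     * requests arriving after the first one fail to validate and lose the
     * session. Only the rotation step is bypassed here; reading and writing
     * userdata through sess_write() behaves exactly as before.
     */
    public function sess_update()
    {
        // is_ajax_request() checks the X-Requested-With header, which is
        // supplied by the client. Skipping rotation on it is a usability
        // fix, not a security control: the next normal (non-AJAX) page
        // request still rotates the ID as configured.
        if ($this->CI->input->is_ajax_request())
        {
            return;
        }

        parent::sess_update();
    }
}
```

Because the class name and method signature are unchanged, the rest of the application keeps calling `$this->session->userdata()` and `set_userdata()` as usual; only the rotation decision changes. If you rely on rotation to bound the lifetime of a session ID, keep `sess_time_to_update` reasonably short so a page load (rather than an AJAX poll) still triggers the refresh.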
[eluser]Silviu[/eluser]
Ok, got it.
Thanks everyone for your helpful answers.
Regards, S.
[eluser]pickupman[/eluser]
In addition to Wanwizard's session library, which I am using, another method is also posted on [url="https://bitbucket.org/ellislab/codeigniter-reactor/issue/262/rapid-requests-during-session-updates"]Reactor Ticket#262[/url]. I linked the same thread, but another simple fix can be done to prevent session rotation during AJAX requests.