Question in regards to storing sessions in the database
#1

[eluser]bastones[/eluser]
Hi all,

I'm trying to figure out why you would be required to store session data in the database for "added security"? As far as I understand a PHPSESSID is stored on the visitor's computer and when you verify the existence of $_SESSION['username'], PHP checks for the value of "username" that would be stored on the server corresponding to the PHPSESSID the browser sent to the server.

First of all, what is the difference between this and CodeIgniter's session system? Cause right now I don't understand why sessions are needed to be stored in the database or why otherwise "an old session could be restored by a user modifying their cookies" as stated in the documentation?

Could someone elaborate please.

Thanks,
Ben.
#2

[eluser]tomcode[/eluser]
CodeIgniter's session works with cookies. I cannot tell You why, but it works for me and I never encountered any problems.
This means that by default the data is stored on the client's machine.
To keep the data on the server (security, speed, size limitation) You need to store it in the database.
Once activated and when doing a lot of manipulations, You might consider grouping them, since for every call a db query is triggered; activate the profiler to see the details.
There always used to be alternative solutions based on PHP sessions, often called native session.
#3

[eluser]WanWizard[/eluser]
EVERY session solution works with cookies. It's the only way to link a specific browser session to server-side data.

PHP's own solution stores the session id unencrypted and unsecured in a cookie, which makes it very easy to hijack the cookie and steal someone else's session. CI's cookie is encrypted, and contains extra hijacking countermeasures like the user's IP and browser identification, making it difficult to use a stolen cookie.

There are third-party libraries available that replace CI's session library. Some of them use CI's cookie mechanism (which is a good thing), other PHP's solution (which is a bad thing). The 'native session' library does the good thing, but also uses PHP's standard session storage on the server. Which might be a very bad idea if you're on a not properly secured shared server, as every PHP script is able to read all session files, also from other websites running on that same host, unless special precautions have been taken.
