PHP Sessions vs. CI Sessions
#1

[eluser]Dan Allen (Houston, TX)[/eluser]
Hi,

Is there a reason not to use php sessions instead of CI Sessions? I always thought the session array in PHP was a handy place to store data related to a session. It looks like CI sessions default to a few fields, where you can add other fields via a user data array. How is this better than just using $_SESSION['user data item 1'], $_SESSION['user data item 2'], $_SESSION['user data item 3'], etc?

Any comments or assistance will be extremely much appreciated.

Thank you,
Dan
#2

[eluser]Davcon[/eluser]
In short, native PHP sessions work and CI sessions don't.

I think your best bet is to install Native Session.
#3

[eluser]CroNiX[/eluser]
@Davcon If that were true none of my sites would work.
#4

[eluser]Davcon[/eluser]
Well, I'm sure the person who wrote Native Session didn't do it for fun.
#5

[eluser]Dan Allen (Houston, TX)[/eluser]
Thanks for responding, I really appreciate this.

I have dug into CI sessions enough to believe they work just fine. I think the problems people have stem from complications in configuration, but that is just a guess.

The thing I do not get is, "what is the intended benefit of CI Sessions?" To me, it seems like they create levels of activity that are not providing any benefit beyond basic php sessions. So, people use them, have problems, say "they don't work."

My question is, even if they work, so what? What do they offer?

PHP sessions save values relating to a session. What else do you need in a session?

I am assuming I am missing the point.

Any additional comments/suggestions etc. will be extremely much appreciated.

Thanks.
#6

[eluser]Davcon[/eluser]
I think the code for CI sessions is a bit easier to work with.


I haven't used CI sessions for a couple of years, but the problem that I and many others experienced was that you could log into a private area, log out, then hit the back button and still see the private page.
#7

[eluser]CroNiX[/eluser]
On shared hosting it offers much higher security as you aren't sharing a common session directory with all other hosts on the server (hijacking). CI Sessions also automatically regenerate their session ID and native sessions don't unless you manually tell it to, which can allow for session fixation attacks.
#8

[eluser]CroNiX[/eluser]
[quote author="Davcon" date="1334437801"]I haven't used CI sessions for a couple of years, but the problem that I and many others experienced was that you could log into a private area, log out, then hit the back button and still see the private page. [/quote]That's a browser cache issue, not a session issue. And it only shows the data from the last accessed page. It doesn't relog you back in or anything. As soon as you try to do anything and send a new request it discovers you aren't logged in and denies you, depending on how well your app is coded.
#9

[eluser]Dan Allen (Houston, TX)[/eluser]
Well, here is what I am thinking of, looking for comments:

1. Add to /index.php as first line of php: session_start()
2. Create library in /application/libraries with functions for
.. Create user (encrypts password)
.. login($username, $password) (handles encryption)
.. logout()
.. delete($user_id)

Note: using SimpleLoginSecure as the starting point for library, with changes.
Link to SimpleLoginSecure:
http://codeigniter.com/wiki/SimpleLoginSecure

Change to SimpleLoginSecure:
1. In Login function, where CI_Session data gets set, add: $_SESSION['Login'] = **array of data for this session**;
2. In Logout function, where CI_Session destroy is called, add: $_SESSION['Login'] = false;


CI_Session is operating, but controllers and views are pulling session data from php, including status, username, role, etc., instead of CI_Session.

Good idea? Bad idea?

I would rather people here tear down this idea than have it break down under production pressure.

#10

[eluser]skunkbad[/eluser]
I have a lot of experience with PHP sessions and CI sessions, and I think PHP sessions are easier to work with, but CI sessions are now my preferred session. I've coded at least 25 thousand lines (probably more like 50K) of code in the last year, and can say that CI sessions do work. If they are not working for you, then I don't know what to tell you. Don't quit your day job.

I think the best part of CI sessions is that you don't store any data on the server. All of the data is on the client machine (unless you are using the db option), and it can be encrypted via the config options in config/config. CI session flashdata is easily used as form tokens, although CI now has a CSRF token that effectively does the same thing. I just prefer my own tokens because the CSRF error is like hitting a brick wall. With CI sessions I don't have to worry about the scalability of the website. Another thing is that you may find it impossible to pass PCI compliance if you are using PHP sessions. I just say that because the last PCI compliance scan I had the pleasure of seeing mentioned something about PHP sessions.

If you use PHP sessions on a shared server, you need to make sure you save the session data to something that is within your directory, and not the default location, which is basically accessible to everyone on the server.
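Putting the points from #7 (shared session directory, session fixation), #8 (back-button cache) and #10 (private save_path) into code, as an added example that is not from any post in this thread: native PHP sessions hardened the way the thread suggests, with the login/logout shape following the plan in #9. The session directory path and the user row fields are assumptions for illustration.

```php
<?php
// Added example, not code from this thread. Paths and field names are assumed.

// 1. Shared hosting (#7, #10): keep session files out of the server-wide
//    default directory, in a directory only this account can read.
$sessionDir = __DIR__ . '/private/sessions';   // assumed path, outside web root
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);            // owner-only permissions
}
ini_set('session.save_path', $sessionDir);

// 2. Never accept a session ID from the URL, reject IDs the server did not
//    issue (PHP >= 5.5.2), and mark the cookie HTTPS-only and non-script-readable.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(0, '/', '', true, true);   // lifetime, path, domain, secure, httponly

session_start();

// 3. Fixation defence (#7): issue a fresh ID when privilege changes, so an ID
//    a client held before authenticating is never promoted to a logged-in one.
function login_user(array $userRow)
{
    session_regenerate_id(true);               // true = discard the old session file
    $_SESSION['Login'] = array(
        'user_id'  => $userRow['id'],          // assumed column names
        'username' => $userRow['username'],
        'role'     => $userRow['role'],
        'since'    => time(),
    );
}

// 4. Logout: clear data, expire the cookie, remove the server-side file.
function logout_user()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// 5. Back-button issue (#8): tell the browser not to cache private pages,
//    so logging out does not leave the last page viewable from cache.
function private_page_headers()
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}
```

Call login_user() only after the password check succeeds, and private_page_headers() at the top of every controller that renders authenticated content.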