CI Sessions
#1

[eluser]Eclipse000[/eluser]
Hi everyone, CI is my first ever framework and I'm trying to get a grip on the sessions library. The documentation says that the session class should be initialized in the constructor of a controller, but let's say I have a function to check login credentials in that controller (and to which a form in some view points). Based on the URL/controller/method/arguments format of CI URLs, if my index() method displays a form for logging in, then when a user enters a URL for the controller, a session gets created in my database even before they ever logged in by way of the session loader being in the constructor. What's worse is if someone visits the form page and then never logs in at all but just closes the browser window, in which case an unnecessary record is added to the database. Am I understanding this correctly? And how can I go about initializing the session only after someone has truly logged in?

Thanks!
#2

[eluser]CroNiX[/eluser]
That's normal. Native PHP sessions do that too. Everyone will have a session assigned to them, but when someone logs in you set a session variable and when they log out you destroy it, or destroy the session, which wipes out the session DATA (not the actual session). Only logged in users will have your session variable set so that's how you know they are logged in, not whether a session exists for them.

Behind the scenes, a session is basically an array. Everybody gets assigned an empty array when they visit the site, and that array follows them around from page to page. Then when they get authenticated (or whatever else you want to assign), you set a variable in the array that only they will have. So you can tell if they are logged in while others aren't.
#3

[eluser]Eclipse000[/eluser]
Is there a way to prevent a record from automatically going into the database if they haven't filled out the form yet though?
#4

[eluser]CroNiX[/eluser]
No, it's just an empty placeholder. Only the logged in ones will have whatever session variable you set when they successfully log in.

Code:
// placeholder: $credentials_match is TRUE when $name and $password match the db data for the user
if ($credentials_match)
{
  $this->session->set_userdata('logged_in', TRUE);
}

Then everywhere else...
Code:
if ($this->session->userdata('logged_in'))
{
  //this person is logged in
}
else
{
  //unauthenticated user
}

Then to log them out
Code:
$this->session->unset_userdata('logged_in');
And they will no longer have 'logged_in' set
#5

[eluser]CroNiX[/eluser]
If you're worried about them taking up space in your db...it's negligible, and expired sessions get destroyed after some time.
#6

[eluser]Eclipse000[/eluser]
I see. Thanks! I was just thinking about the scenario where cookies are cleared on a browser or if people just close their browsers on pages that use sessions that are stored in a database in which case it seems the DB would fill up pretty quick with useless session records that are no longer useful. In that scenario, is there some recommended practice or technique to get rid of them? Or is that just a matter of regular DB maintenance and clearing?

UPDATE: the previous post answered this question.
#7

[eluser]CroNiX[/eluser]
Expired sessions periodically get cleared by garbage collection automatically. You don't have to worry about it. This is the same as regular native PHP sessions, which create a file for each session on the server's filesystem instead of in the db. They get cleared by garbage collection too.
#8

[eluser]Eclipse000[/eluser]
Ok, cool. One possibility I thought of was to just validate the form and once it passes then redirect to another URL which kicks off another controller that initiates the session, but was curious if there were a way to do it within a single controller, if that makes sense.
#9

[eluser]CroNiX[/eluser]
1. have a login controller (processes login (validate), logout (clear), profile? (edit), etc)
2. login controller validates login form
3. if form successful, set session data (logged in variable, something like I showed above, maybe other things like user name, etc)
4. redirect elsewhere, if you want
5. from then on, if they are logged in, any session data you set will be available on any page that you check it that has sessions loaded. If you want to check site wide, I would autoload the session library.
6. on pages you want protected, check if logged in, if not redirect to login page

I'd suggest you check out some authentication packages that are already out there for CI before making your own, depending on your needs. Like user roles, permissions, etc.
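
The flow listed in post #9, sketched as an added example that is not code from the thread or from CodeIgniter itself. It assumes CodeIgniter 2.x/3.x, PHP 5.5+ for password_verify(), and a hypothetical `user_model` with a `get_by_name()` method returning a row with `name` and `password_hash`; the `login_form` view and `dashboard` route are also hypothetical.

```php
<?php
// application/controllers/Login.php (added example, steps 1-4 of the list above)
class Login extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // Loading the session here creates the empty session for every visitor.
        $this->load->library(array('session', 'form_validation'));
        $this->load->helper('url');
        $this->load->model('user_model'); // hypothetical model
    }
    public function index()
    {
        $this->form_validation->set_rules('name', 'Name', 'required');
        $this->form_validation->set_rules('password', 'Password', 'required');
        if ($this->form_validation->run() === FALSE) {
            $this->load->view('login_form'); // first visit or incomplete form
            return;
        }
        // Hypothetical lookup: row object with name/password_hash, or NULL.
        $user = $this->user_model->get_by_name($this->input->post('name'));
        if ($user && password_verify($this->input->post('password'), $user->password_hash)) {
            // Only authenticated visitors ever get this flag in their session.
            $this->session->set_userdata(array('logged_in' => TRUE, 'user_name' => $user->name));
            redirect('dashboard'); // redirect() exits after sending the header
        }
        // Same message for unknown user and wrong password.
        $this->load->view('login_form', array('error' => 'Invalid name or password'));
    }
    public function logout()
    {
        $this->session->unset_userdata('logged_in');
        redirect('login');
    }
}

// application/controllers/Dashboard.php (step 6: a protected page)
class Dashboard extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        if ( ! $this->session->userdata('logged_in')) {
            redirect('login'); // no flag: send the visitor to the login form
        }
    }
}
```

Each class goes in its own file under application/controllers/; the guard in the Dashboard constructor runs before any of that controller's page methods.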



