Session encrypt and about overwrite config expiration

#1
Hi,

I have 2 questions about sessions.

Config:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'on_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = APPPATH . 'sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

The application folder is above the public root (../cgi-bin/application/), so sessions should not be available by navigation.

1. Does it make sense to encrypt session values (such as user_id, remember_me_token, or any other)?

2. If I want to use a 7200 timeout for general sessions, are there ways to set sessions with a higher expiration time by overwriting the config value using $this->session->set_userdata?

Thank you!

#2
1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.

2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.

#3
(01-01-2016, 06:54 PM)skunkbad Wrote: 1) I always encrypt my sessions with the encryption library. Whether you use files or database, the session data is on the server, and it makes me more comfortable knowing that the contents are encrypted.
Seems ok, I'll encrypt too. Thank you!

(01-01-2016, 06:54 PM)skunkbad Wrote: 2) Normally you would just set the sess_expiration in config/config. Do you mean that you would like some sessions to have a different sess_expiration value? You might be able to set the sess_expiration using $this->session->sess_expiration = n;, but I have never tried that.
My mistake, wrong logic yesterday. I should use cookie+db to store remember-me sessions, so I don't really need this one. Thanks anyway.



Another question: I've tried with $config['sess_expiration'] = 7200;. It works fine in the user's browser, but it doesn't delete the old session files in application/sessions/. Should I provide a check to delete older files with something like:

PHP Code:
 // List everything inside the session directory (separator added before the *)
 $files = glob(rtrim($config['sess_save_path'], '/') . '/*') ?: array();
 $now   = time();

 foreach ($files as $file) {
   if (is_file($file)) {
     // Delete files not modified within the expiration window
     if ($now - filemtime($file) >= $config['sess_expiration']) {
       unlink($file);
     }
   }
 }

?

#4
Old sessions are cleaned up with garbage collection, which CI does automatically at random intervals.
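Added example, not part of the thread and not CodeIgniter's own code: a sweep limited to files that look like this application's sessions, using the cookie name and 7200-second lifetime from the config in #1. PHP only starts a garbage-collection pass with probability session.gc_probability / session.gc_divisor when a session starts, so the script prints both values. The function name sweep_session_files, the file-name pattern and the temporary demo directory are assumptions.

```php
<?php
// Added example, not code from the thread.
// Assumed naming: session files are the cookie name followed by an optional
// IP hash and the session id, i.e. only characters PHP uses in session ids.

function sweep_session_files(string $savePath, string $cookieName, int $maxLifetime, ?int $now = null): array
{
    $now = $now ?? time();
    $dir = realpath($savePath);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException("Session path is not a directory: $savePath");
    }
    $pattern = '#\A' . preg_quote($cookieName, '#') . '[0-9a-zA-Z,-]{22,}\z#';
    $removed = [];
    foreach (scandir($dir) ?: [] as $name) {
        $file = $dir . DIRECTORY_SEPARATOR . $name;
        // Skip anything that is not one of our session files; never follow symlinks.
        if (!preg_match($pattern, $name) || is_link($file) || !is_file($file)) {
            continue;
        }
        $mtime = filemtime($file);
        if ($mtime !== false && $now - $mtime >= $maxLifetime && unlink($file)) {
            $removed[] = $name;
        }
    }
    return $removed;
}

// If gc_probability is 0, PHP never starts a GC pass on its own.
printf("session.gc_probability=%s session.gc_divisor=%s\n",
    ini_get('session.gc_probability'), ini_get('session.gc_divisor'));

// Constructed demo data: one stale file, one fresh file, one unrelated file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
touch($tmp . '/on_session' . str_repeat('a', 40), time() - 7201); // older than sess_expiration
touch($tmp . '/on_session' . str_repeat('b', 40));                // just written
touch($tmp . '/index.html');                                      // not a session file

print_r(sweep_session_files($tmp, 'on_session', 7200));

// Remove the demo directory again.
array_map('unlink', glob($tmp . '/*'));
rmdir($tmp);
```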

