This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

CodeIgniter Sessions are not real Sessions

November 30, 2009 5:15am

  • #1 / Nov 30, 2009 5:15am

    n0-0ne

    3 posts

    I’ve been programming PHP applications for a long time now but am new to CodeIgniter (just reading the manual for the first time now to see its capabilities).

    I was quite puzzled to see that the Session library saves all the session data in a cookie.
    This is bad practice, since session data should never leave the server and only the session identifier should be saved in a cookie.

    I saw there is an option to secure the data using the database, but many users probably won’t be aware of the dangers of using this feature without database validation.

    This library should be split into a Cookie library (since without the DB all it does is offer advanced cookie capabilities) and a Session library forcing users to enable DB support for it.
    A better solution (though more time-costly) would be to integrate the session library with PHP’s built-in session handler functions, improving them for better flexibility and security, thus eliminating the need for database use and leaving it as an option to harden security on shared servers.
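    Post #1’s proposal in working code, as an added example that is not part of this thread or of CodeIgniter: a minimal save handler registered through PHP’s built-in session functions, so the browser only ever receives the opaque session id while the serialized data stays on the server (PHP 8.1+; the storage directory and class name are assumptions).

```php
<?php
// Added example (not from the thread or CodeIgniter): a server-side session store
// on PHP's own SessionHandlerInterface (PHP 8.1+), as post #1 proposes. Only the
// opaque id travels in the cookie; the payload stays in $dir (path/class assumed).
final class FileSessionStore implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    public function close(): bool { return true; }

    // Defensive check: accept only ids shaped like session_create_id() output,
    // so a tampered cookie value can never become an arbitrary file path.
    private function pathFor(string $id): ?string
    {
        return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1
            ? $this->dir . '/sess_' . $id : null;
    }
    public function read(string $id): string|false
    {
        $p = $this->pathFor($id);
        return ($p !== null && is_file($p)) ? (string) file_get_contents($p) : '';
    }
    public function write(string $id, string $data): bool
    {
        $p = $this->pathFor($id);
        return $p !== null && file_put_contents($p, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $p = $this->pathFor($id);
        return $p === null || !is_file($p) || unlink($p);
    }
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) < time() - $max_lifetime && unlink($f)) { $n++; }
        }
        return $n;
    }
}

session_set_save_handler(new FileSessionStore('/var/lib/app-sessions'), true);
// The cookie carries only the id: mark it HttpOnly and Secure before starting.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
$_SESSION['user_id'] = 42; // stored server-side, never serialized into the cookie
```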

  • #2 / Nov 30, 2009 5:57am

    esra

    485 posts

    Check the wiki for the db_session library. There is also a db2_session library, but I have never used it. You can also use the native session library that saves session data to a file.

  • #3 / Nov 30, 2009 7:45am

    Colin Williams

    2601 posts

  • #4 / Nov 30, 2009 3:59pm

    n0-0ne

    3 posts

    Yea, I saw it in the code, but sessions should still be secure even if you’re not using a database.
    This should be fairly trivial to set up using PHP’s built-in session handlers.
    I’ll see if I can find the time to implement this.

  • #5 / Nov 30, 2009 4:06pm

    Colin Williams

    2601 posts

    Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).

  • #6 / Dec 01, 2009 9:20am

    sudirman123

    2 posts

    Before you flex your coding muscles, peruse the Wiki. There are several libraries that provide native session handling (well, claim to).

    Do you mean the page http://codeigniter.com/wiki/Category:Libraries::Session/ ?

    I am also curious about Session handling in CI.

  • #7 / Dec 01, 2009 12:48pm

    BrianDHall

    760 posts

    I highly recommend OB Session. http://codeigniter.com/wiki/OB_Session/

    Extremely simple, 1 file to override the CI session; makes sessions work like they should: store only the session ID in the cookie if you use a database.

    If you don’t like storing in the database then I think Native Sessions is more your style.

  • #8 / Dec 01, 2009 11:03pm

    sudirman123

    2 posts

    I highly recommend OB Session.

    Thanks for your response.

    I used EckoSession (and posted reply in http://ellislab.com/forums/viewthread/122237/).
