
How does CodeIgniter know a cookie holds valid session data?

In CodeIgniter, session data are saved in a cookie by default. But there must also be a file on my server (named after the session ID) to verify that the data in the cookie is valid, or am I wrong?

I'm searching for the location where the sessions are saved. I've already looked in the "session.save_path" directory (/var/lib/php5), but in this directory there are only other sessions, but not the CodeIgniter sessions.

I'm not saving the sessions in the database either, so how does CodeIgniter know that the data (in the cookie) is valid?


The native CodeIgniter installation overrides the regular PHP session handling and uses its own system for handling the data, which is the reason why you are unable to find it in the normal places. (Also, I would mention that I personally find the way it is implemented a little insecure, since ALL of your session data is stored directly in the user's browser session cookie.)

You can do as Residuum has suggested and backtrack through the CodeIgniter session library to find where it is being stored, or you can override the session handling with something like OB_Session. (http://bleakview.orgfree.com/obsession/)

I would highly suggest that you install either OB_Session or something like it since it will then use the native PHP session handling and it will keep your cookies from either A) getting too large and crashing against the browser byte limit, or B) allowing sensitive user data to be stored client-side.

Finally, depending on what you are trying to do, I would follow the CI user guide instructions and store the session data in the database. (http://codeigniter.com/user_guide/libraries/sessions.html) This would make it MUCH easier for you to work with the data and even update and extend what is stored by CodeIgniter. Please keep in mind, though, that even if you store it in the database you STILL have to change to something like OB_Session, since your cookie still holds all data even when changed to database.


The cookie contains an md5 hash of the session data and the encryption key of the cookie, which is verified when the data is loaded; see system/libraries/Session.php, function sess_read(), lines 140ff:

// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
    $session = $this->CI->encrypt->decode($session);
}
else
{
    // encryption was not used, so we need to check the md5 hash
    $hash = substr($session, strlen($session)-32); // get last 32 chars
    $session = substr($session, 0, strlen($session)-32);
    // Does the md5 hash match? This is to prevent manipulation of session data in userspace
    if ($hash !== md5($session.$this->encryption_key))
    {
        log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
        $this->sess_destroy();
        return FALSE;
    }
}
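The check quoted above, modelled in Python as an added example (this is not code from the answer or from CodeIgniter): the cookie value is the serialized data with md5(data + key) appended as the last 32 hex characters, and the reader recomputes that hash and refuses the cookie on a mismatch, which is what stops a client from editing its own session data without the server key. The function names, the constructed `ENCRYPTION_KEY`, and the use of JSON in place of PHP's serialize() are assumptions of this example. A second pair of functions shows the same cookie protected with HMAC-SHA256, the standard keyed-hash construction for this purpose, in place of the md5(data + key) concatenation.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; CodeIgniter reads it from $config['encryption_key'].
ENCRYPTION_KEY = "constructed-example-key-not-for-real-use"


def pack_session(data: dict, key: str = ENCRYPTION_KEY) -> str:
    """Build a cookie value in the shape the unencrypted branch of sess_read() expects:
    the serialized data followed by md5(data + key) as the trailing 32 hex characters.
    json.dumps stands in for PHP's serialize() here."""
    payload = json.dumps(data, sort_keys=True)
    digest = hashlib.md5((payload + key).encode()).hexdigest()
    return payload + digest


def read_session(cookie: str, key: str = ENCRYPTION_KEY):
    """Mirror the check in sess_read(): split off the last 32 characters, recompute the
    hash over payload + key, and reject the cookie on any mismatch.
    Returns the decoded data, or None where CI would call sess_destroy()."""
    if len(cookie) <= 32:
        return None
    payload, presented = cookie[:-32], cookie[-32:]
    expected = hashlib.md5((payload + key).encode()).hexdigest()
    # compare_digest is constant-time; CI's !== is an ordinary string comparison
    if not hmac.compare_digest(presented, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def pack_session_hmac(data: dict, key: str = ENCRYPTION_KEY) -> str:
    """Hardened variant (an assumption of this example, not CI's code): HMAC-SHA256 over
    the payload instead of md5(payload + key), joined to the payload with a dot."""
    payload = json.dumps(data, sort_keys=True)
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def read_session_hmac(cookie: str, key: str = ENCRYPTION_KEY):
    """Verify the HMAC variant; same contract as read_session(). The tag is hex, so the
    last dot in the cookie is always the separator even if the payload contains dots."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


if __name__ == "__main__":
    cookie = pack_session({"user_id": 42, "role": "editor"})
    print("intact cookie   ->", read_session(cookie))
    # A cookie whose payload no longer matches its trailing hash is rejected, as in sess_read()
    edited = cookie[:-32].replace("42", "43") + cookie[-32:]
    print("edited payload  ->", read_session(edited))
    print("other key       ->", read_session(cookie, key="some-other-key"))
```

Two things the model makes visible: the server never needs a file or table row to decide whether the cookie is genuine, because the key alone is the secret; and the whole session payload is still readable by whoever holds the cookie, since the hash provides integrity only, not confidentiality.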


This does not directly answer your question, but I thought it might be useful to know.

Use the following to see the PHP session:

print_r($_SESSION);

Use the following to see the CI session:

print_r($this->session->userdata);


Just tested this today with Firebug.

To follow up on Shanee's answer, in CodeIgniter's "application/config/config.php" file, if one sets:

$config['sess_use_database'] = TRUE;

then only the default CI session data (session_id, ip_address, etc.) is stored in the browser cookie.

Any additional custom data provided through the set_userdata() function, such as usernames and passwords, is no longer part of the cookie but is instead stored in your database.


When I speak of "sessions" below, I mean CI Sessions, not PHP sessions.

If you use the default option (which the manual says should not be used for sensitive data) then the answer to your question is that it doesn't know. It trusts the cookie.

To use it in the designed secure manner, you should use the database session option, as well as the encryption option. Using both of these options, this is the answer to your question:

Only one value is stored in the cookie. That value is a serialized and encrypted array. That array contains four pieces of information.

  • 'session_id' => 'random hash'
  • 'ip_address' => 'string - user IP address'
  • 'user_agent' => 'string - user agent data'
  • 'last_activity' => timestamp

The session ID is a random string. This is the string that is used to correlate with the data in the session table. The string is regenerated (and re-encrypted) every request and updated in the cookie and the table. If this doesn't match the session table value, the table data is inaccessible and will be caught in the built-in garbage collection.

Optionally, you can also enforce IP checking in the CI session class. This means that in addition to a random, regenerating session ID, the user's IP must also remain consistent or the session will be destroyed.

Optionally, you can also enforce UA checking, and a timeout value.

Therefore, a traditional session file is never written in a cache folder. CI Cookie sessions are worthless for all but non-personal data, such as remembering UI states of a web interface. CI Database sessions are very flexible. If your PHP install includes Mcrypt, the security is robust as well. If you do not have Mcrypt, they are still reasonably secure, but wouldn't pass muster on, for example, PCI compliance.

You can read more in the CI manual, but this was a summary of the info I thought most relevant to your question.
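The database-backed design described in this answer and in the sess_use_database follow-up above, as an added Python model (not code from the answers or from CodeIgniter): the cookie carries only the four fields listed (session_id, ip_address, user_agent, last_activity), custom userdata lives only in the server-side table, the ID is regenerated on every successful read as the answer describes, and IP, user-agent and timeout checks each destroy the row on failure. `SessionStore`, `SessionRow`, the constructor options and the in-memory dict standing in for the ci_sessions table are all assumptions of this example; the cookie is modelled as a plain dict, with CI's serialization and encryption layer left out.

```python
import os
import time
from dataclasses import dataclass, field


@dataclass
class SessionRow:
    """One row of the server-side session table (hypothetical stand-in for ci_sessions)."""
    session_id: str
    ip_address: str
    user_agent: str
    last_activity: float
    user_data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory model of database-backed CI sessions (an assumption of this example).
    `now` is injectable so timeouts can be exercised without waiting."""

    def __init__(self, match_ip=True, match_useragent=True, expiration=7200, now=time.time):
        self.rows = {}
        self.match_ip = match_ip
        self.match_useragent = match_useragent
        self.expiration = expiration
        self.now = now

    @staticmethod
    def _new_id() -> str:
        return os.urandom(16).hex()  # random, unguessable session ID

    def _cookie(self, row):
        # Only these four fields leave the server; user_data never enters the cookie.
        return {"session_id": row.session_id, "ip_address": row.ip_address,
                "user_agent": row.user_agent, "last_activity": row.last_activity}

    def create(self, ip, ua, user_data=None):
        row = SessionRow(self._new_id(), ip, ua, self.now(), dict(user_data or {}))
        self.rows[row.session_id] = row
        return self._cookie(row)

    def read(self, cookie, ip, ua):
        """Validate a presented cookie against the table. Returns (fresh_cookie, user_data)
        on success; on any failure the row is dropped (as sess_destroy() would) and None
        is returned, so the old ID can never be reused."""
        sid = cookie.get("session_id")
        row = self.rows.get(sid)
        if row is None:
            return None  # no matching row: the cookie is worthless on its own
        if self.now() - row.last_activity > self.expiration:
            self.rows.pop(sid)
            return None
        if self.match_ip and row.ip_address != ip:
            self.rows.pop(sid)
            return None
        if self.match_useragent and row.user_agent != ua:
            self.rows.pop(sid)
            return None
        # Regenerate the ID: the previous value stops matching the table immediately.
        self.rows.pop(sid)
        row.session_id = self._new_id()
        row.last_activity = self.now()
        self.rows[row.session_id] = row
        return self._cookie(row), row.user_data

    def set_userdata(self, cookie, key, value):
        """Custom data is written to the table row, never to the cookie."""
        row = self.rows.get(cookie.get("session_id"))
        if row is None:
            return False
        row.user_data[key] = value
        return True

    def gc(self):
        """Garbage collection: drop rows past the expiration; returns how many were removed."""
        cutoff = self.now() - self.expiration
        expired = [sid for sid, row in self.rows.items() if row.last_activity < cutoff]
        for sid in expired:
            del self.rows[sid]
        return len(expired)


if __name__ == "__main__":
    store = SessionStore(expiration=60)
    cookie = store.create("10.0.0.1", "constructed-ua", {"user": "alice"})
    print("cookie fields:", sorted(cookie))
    fresh, data = store.read(cookie, "10.0.0.1", "constructed-ua")
    print("userdata from table:", data, "| id rotated:", fresh["session_id"] != cookie["session_id"])
    print("old id after rotation:", store.read(cookie, "10.0.0.1", "constructed-ua"))
```

The model shows why no session file appears under session.save_path: the server's only state is the table row, keyed by the random ID, and the cookie is just the pointer to it plus the attributes the optional checks compare against.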
