Reputation: 9433
I have CodeIgniter set to store sessions in the database but still it insists on the following being in a cookie:
a:4:{
s:10:"session_id";s:32:"191668b039f27f1a4fa25586aaaf708e";
s:10:"ip_address";s:14:"123.12.123.123";
s:10:"user_agent";s:50:"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko";
s:13:"last_activity";i:1336549698;
}9fed5a2005d9df3ccedff9589aa7d36f
All of this is also in the default_ci_sessions so I don't know why it's also going in the cookie! I'm asking because of the new EU cookie legislation about the local storage of user identifiable data. I'm not entirely sure this falls under the legislation but the concern has been raised.
Upvotes: 1
Views: 1114
Reputation: 3408
I'm pretty sure this is to do with the CI Session class and the preferences you can set.
When the script checks the validity of the cookie, it (may) check the IP address and UA string against the current user agent data from the Input class, regardless of whether you are using the DB sessions or not (in sess_read()) to validate the cookie. If you are using the DB it also checks the DB data against the cookie data.
The script does this to protect against hacking attempts - someone could theoretically guess or sniff the correct session_id, IP address or UA string, but all three would be much harder.
More here http://codeigniter.com/user_guide/libraries/sessions.html
Upvotes: 1
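The validation described in the answer above, as an added example that is not part of the original posts and is not CodeIgniter's own code. It assumes the cookie is the serialized array followed by a 32-character MD5 of the serialized data plus the encryption key; the function name, key and request values are constructed for the demo.

```php
<?php
// Added example; not CodeIgniter's own code. Assumed cookie layout:
// serialize($array) followed by md5(serialized . $encryptionKey), 32 hex chars.
const UA_LEN = 50; // the sample cookie on this page stores 50 UA characters

function check_session_cookie(string $cookie, string $key, string $ip, string $ua, ?array $dbRow = null): string
{
    if (strlen($cookie) <= 32) {
        return 'malformed';
    }
    $data = substr($cookie, 0, -32);
    $hash = substr($cookie, -32);
    // Check integrity before unserializing anything the client sent.
    if (!hash_equals(md5($data . $key), $hash)) {
        return 'bad hash';
    }
    $s = unserialize($data, ['allowed_classes' => false]);
    if (!is_array($s) || !isset($s['session_id'], $s['ip_address'], $s['user_agent'])) {
        return 'malformed';
    }
    // The cookie is only integrity-protected, so these fields are readable by the client.
    if ($s['ip_address'] !== $ip) {
        return 'ip mismatch';
    }
    if ($s['user_agent'] !== substr($ua, 0, UA_LEN)) {
        return 'ua mismatch';
    }
    // With database sessions, the stored row must agree with the cookie as well.
    foreach (['session_id', 'ip_address', 'user_agent'] as $f) {
        if ($dbRow !== null && ($dbRow[$f] ?? null) !== $s[$f]) {
            return 'db mismatch';
        }
    }
    return 'ok';
}

// Constructed sample values (the key and the request data are made up for the demo).
$key = 'constructed-demo-key';
$ua  = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0';
$row = ['session_id' => '191668b039f27f1a4fa25586aaaf708e', 'ip_address' => '123.12.123.123',
        'user_agent' => substr($ua, 0, UA_LEN), 'last_activity' => 1336549698];
$data   = serialize($row);
$cookie = $data . md5($data . $key);

echo check_session_cookie($cookie, $key, '123.12.123.123', $ua, $row), "\n"; // matching request
echo check_session_cookie($cookie, $key, '203.0.113.9', $ua, $row), "\n";    // same cookie, other IP
$edited = str_replace('123.12.123.123', '123.12.123.124', $cookie);          // client edits the IP field
echo check_session_cookie($edited, $key, '123.12.123.124', $ua, $row), "\n";
```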
Reputation: 14752
This comes from CodeIgniter Session library's logic (as PyroCMS is built with CI). I currently can't tell you why it's made that way, but I also don't see a need to store such data separately in the cookie itself. I'll open a discussion on that and I'll post the link here to keep track.
Edit: https://github.com/EllisLab/CodeIgniter/issues/1344
Upvotes: 1