Reputation: 537
CodeIgniter sessions
Why is it recommended to store CodeIgniter sessions in a database table? I know it's about security but how?
why is it required to set an encryption key in the config when using the Session class? Are you supposed to decrypt the session?
Does $this->session->sess_destroy(); delete the entire cookie or just the data you put in the cookie? And does it end the session completely, by which I mean undoing
$this->load->library('session')?
Upvotes: 1
Views: 810
Answers (2)
Reputation: 25445
CI's sessions are, actually, cookies. Encrypted, but cookies nonethelesss. That's why is preferrable to store session in a database, because you're (supposedly) dealing with a less unreachable target from attacks, especially if you use Active Records wich automatically escapes your queries (so that SQL injections are avoided). Also, contrary to cookies, DB doens't have such limited amount of memory available, so you can store any amount of data you want there, cache the operations, and have them hidden from the frontend.
I'm not sure about why it is required, apart from the fact that some sessions datas are automatically encrypted by CI. So, even if you don't make use of the Encryption library, some encrypting is still caried one (while saving session ID, for example.). As Kai Qing correctly noted, you don't have to do any decryption on datas already handled by CI.
$this->session->sess_destroy() just deletes the data stored as sessions. While being also cookies, in order to delete the whole content you need to use the dedicated functions (look into the cookie helper, for example). Keep in mind, though, that when you call this function you delete also flash messages (as they are sessions), so if you just want to unset some elements, use unset_userdata($item).
It doesnt end the library loading, also. As for any other library, or class, or controller, or whatever, everything is re-loaded from zero after each request. Each time you make a request the scripts runs, reinitializes everything, and when the script ends all is lost like tears in the rain. That's the regular lifespan of a php script. If your script is not bound to end after you call the session->sess_destroy(), the session library will be still loaded, though the data will be erased.
Upvotes: 3
Reputation: 18843
To answer your first question - It is recommended to store via DB to minimize the data found in the session and reduce the risk of foolishness - like a helper. Since DB stored sessions will only store the id in a cookie, the information available is reduced to an unusable bit of information.
You don't need to decrypt anything. The engine handles that for you.
as for destroy - I don't know exactly. But I imagine a simple var_dump would answer that.
Upvotes: 2