How does CodeIgniter know a cookie holds valid session data?

In CodeIgniter, session data are saved in a cookie by default. But there must also be a file on my server (named after the session ID) to verify that the data in the cookie is valid, or am I wrong?

I'm searching for the location where the sessions are saved. I've already looked in the "session.save_path" directory (/var/lib/php5), but that directory only contains other sessions, not the CodeIgniter sessions.

I'm not saving the sessions in the database either, so how does CodeIgniter know that the data in the cookie is valid?

Jennifer Weinberg asked Feb 01 '10 15:02




2 Answers

The native CodeIgniter installation overrides the regular PHP session handling and uses its own system for handling the data, which is why you are unable to find it in the normal places. (Also, I would mention that I personally find the way it is implemented a little insecure, since ALL of your session data is stored directly in the user's browser session cookie.)

You can do as Residuum has suggested and backtrack through the CodeIgniter session library to find where it is being stored, or you can override the session handling with something like OB_Session (http://bleakview.orgfree.com/obsession/).

I would highly suggest that you install either OB_Session or something like it, since it will then use the native PHP session handling and will keep your cookies from either A) getting too large and crashing against the browser byte limit, or B) allowing sensitive user data to be stored client-side.

Finally, depending on what you are trying to do, I would follow the CI user guide instructions and store the session data in the database (http://codeigniter.com/user_guide/libraries/sessions.html). This would make it MUCH easier for you to work with the data and even update and extend what is stored by CodeIgniter. Please keep in mind, though, that even if you store it in the database you STILL have to change to something like OB_Session, since your cookie still holds all the data even when switched to the database.

Shane answered Oct 15 '22 23:10



The cookie contains an md5 hash of the session data and the encryption key of the cookie, which is verified when loading the data; see system/libraries/Session.php, function sess_read(), lines 140ff:

// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
    $session = $this->CI->encrypt->decode($session);
}
else
{
    // encryption was not used, so we need to check the md5 hash
    $hash  = substr($session, strlen($session)-32); // get last 32 chars
    $session = substr($session, 0, strlen($session)-32);
    // Does the md5 hash match?  This is to prevent manipulation of session data in userspace
    if ($hash !==  md5($session.$this->encryption_key))
    {
        log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
        $this->sess_destroy();
        return FALSE;
    }
}
Residuum answered Oct 16 '22 00:10

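To make the answer to the original question concrete: there is no server-side file at all in the default setup. The cookie is self-validating, because the last 32 characters are md5(serialized data . encryption_key), and only a holder of the key can produce a matching hash. The following is an added, stand-alone model of that check, written for this page and not code from CodeIgniter itself; the function names, the sample key and the sample session array are all constructed here. It goes a step beyond the excerpt by placing a variant that uses an HMAC and a constant-time comparison next to the md5 scheme, which is what a reviewer would normally want to see instead of `md5($data . $key)`.

```php
<?php
// Added example modelling the non-encrypted branch of sess_read().
// Not CodeIgniter code; all names below are this example's own.

// Write side: serialized session array followed by md5(data . key),
// matching the layout the excerpt above splits apart on read.
function ci_style_cookie_write(array $session, string $encryptionKey): string
{
    $data = serialize($session);
    return $data . md5($data . $encryptionKey);
}

// Read side: take the last 32 chars as the hash, recompute it over the
// rest and compare. Returns null where CodeIgniter would log the error
// and call sess_destroy().
function ci_style_cookie_read(string $cookie, string $encryptionKey): ?array
{
    if (strlen($cookie) <= 32) {
        return null;
    }
    $hash = substr($cookie, -32);
    $data = substr($cookie, 0, -32);
    if ($hash !== md5($data . $encryptionKey)) {
        return null;
    }
    // allowed_classes => false keeps unserialize() from instantiating
    // objects embedded in the cookie payload.
    $session = @unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

// Hardened variant with the same layout: an HMAC (keyed hash) instead of
// md5(data . key), 64 hex chars for SHA-256, and hash_equals() so the
// comparison does not leak timing information.
function hmac_cookie_write(array $session, string $key): string
{
    $data = serialize($session);
    return $data . hash_hmac('sha256', $data, $key);
}

function hmac_cookie_read(string $cookie, string $key): ?array
{
    if (strlen($cookie) <= 64) {
        return null;
    }
    $mac  = substr($cookie, -64);
    $data = substr($cookie, 0, -64);
    if (!hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return null;
    }
    $session = @unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

// Constructed sample values (not from any real deployment).
$key     = 'example-encryption-key-from-config';
$session = ['session_id' => 'abc123', 'user_id' => 42, 'is_admin' => false];

// Round trip through the md5 scheme: the cookie validates without any
// server-side file, which is the point of the original question.
$cookie = ci_style_cookie_write($session, $key);
var_dump(ci_style_cookie_read($cookie, $key) === $session);

// Change the serialized payload without knowing the key: the recomputed
// hash no longer matches the trailing 32 chars, so the read is rejected.
$tampered = str_replace('i:42;', 'i:1;', $cookie);
var_dump(ci_style_cookie_read($tampered, $key));

// Same round trip and same rejection with the HMAC variant.
$hmacCookie = hmac_cookie_write($session, $key);
var_dump(hmac_cookie_read($hmacCookie, $key) === $session);
var_dump(hmac_cookie_read(str_replace('i:42;', 'i:1;', $hmacCookie), $key));
```

Run it with `php example.php` (PHP 7.1 or later for the nullable return types). Note what the check does and does not give you: it is an integrity check only. Anyone holding the cookie can read the serialized array as-is, which is Shane's point above about sensitive data living client-side; only the encrypted branch (`sess_encrypt_cookie == TRUE`) or database-backed sessions address that.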