Why is the sess_update called at all in CodeIgniter?

Why does the session id need to be updated at all in CodeIgniter? I know you can control how often the session id is updated in the config. But why do they change the id of the session every 5 min (by default)?

Why can't a session be created once and use the same id until the session expires?

The function that updates the session is here:

/**
 * Update an existing session
 *
 * @access  public
 * @return  void
 */
function sess_update()
{
    // We only update the session every five minutes by default
    if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
    {
        return;
    }

    // Save the old session id so we know which record to
    // update in the database if we need it
    $old_sessid = $this->userdata['session_id'];
    $new_sessid = '';
    while (strlen($new_sessid) < 32)
    {
        $new_sessid .= mt_rand(0, mt_getrandmax());
    }

    // To make the session ID even more secure we'll combine it with the user's IP
    $new_sessid .= $this->CI->input->ip_address();

    // Turn it into a hash
    $new_sessid = md5(uniqid($new_sessid, TRUE));

    // Update the session data in the session data array
    $this->userdata['session_id'] = $new_sessid;
    $this->userdata['last_activity'] = $this->now;

    // _set_cookie() will handle this for us if we aren't using database sessions
    // by pushing all userdata to the cookie.
    $cookie_data = NULL;

    // Update the session ID and last_activity field in the DB if needed
    if ($this->sess_use_database === TRUE)
    {
        // set cookie explicitly to only have our session data
        $cookie_data = array();
        foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
        {
            $cookie_data[$val] = $this->userdata[$val];
        }

        $this->CI->db->query($this->CI->db->update_string(
            $this->sess_table_name,
            array('last_activity' => $this->now, 'session_id' => $new_sessid),
            array('session_id' => $old_sessid)
        ));
    }

    // Write the cookie
    $this->_set_cookie($cookie_data);
}
asked by RonSper, Oct 08 '12 20:10


2 Answers

This is for security reasons, to prevent spoofing. The session is encrypted and stored in your Cookies. Anyone can copy your Cookie, go to another PC and be logged in.

Let's say that the session doesn't expire. This means that if I am at your PC and steal your cookie, I can log in from anywhere, as I have your session id encrypted in the Cookies. If the framework renews the session every 5 minutes, this becomes almost impossible.

If you don't like the way this works, you can always create your own library for Sessions by extending the one from the core system of CodeIgniter, although this is not suggested.

answered by John Skoumbourdis, Sep 22 '22 16:09


This is a security feature.

Google for

Session Hijacking, session fixation

For example, you should at least change the session id when a user logs into your system.

A user who creates a new session by logging in should be assigned a fresh session ID using the session_regenerate_id function. A hijacking user will try to set his session ID prior to login; this can be prevented if you regenerate the ID at login.

You can read more about session security here:

php security best practices
how-to-create-bulletproof-sessions

answered by Velja Matic, Sep 24 '22 16:09
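To make the two answers concrete, here is an added Python model (not CodeIgniter's code) of a server-side session store that rotates the ID the way sess_update() does and also regenerates it at login, as the second answer recommends. It assumes an in-memory dict as the store and a 300-second rotation window mirroring CodeIgniter's default; the point it shows is that once the ID rotates, a copied or pre-planted cookie value no longer resolves to the session.

```python
import secrets
import time

# Mirrors CodeIgniter's default sess_time_to_update of five minutes (assumed constant name).
SESS_TIME_TO_UPDATE = 300


class SessionStore:
    """Minimal session store modelling CodeIgniter's rotation policy.

    Assumption: sessions live in a dict keyed by session ID; a real store
    would be the ci_sessions table or a signed cookie."""

    def __init__(self, now=None):
        self._sessions = {}
        self._clock = now or time.time  # injectable clock so tests can advance time

    def create(self):
        # 32 hex chars from a CSPRNG instead of mt_rand() + md5()
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"last_activity": self._clock(), "user": None}
        return sid

    def regenerate(self, sid):
        """Rotate the ID: the old value stops resolving, so a copied cookie dies."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        data["last_activity"] = self._clock()
        self._sessions[new_sid] = data
        return new_sid

    def touch(self, sid):
        """Equivalent of sess_update(): rotate only once the ID is older than the window."""
        data = self._sessions[sid]
        if data["last_activity"] + SESS_TIME_TO_UPDATE >= self._clock():
            return sid
        return self.regenerate(sid)

    def login(self, sid, user):
        """Always rotate at login, so an ID fixed before authentication is worthless."""
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        """Resolve a cookie value to its user, or None if the ID is unknown."""
        data = self._sessions.get(sid)
        return data["user"] if data else None
```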