CodeIgniter: is the Session class safe?


1

Codeigniter has its own Session class, that is, it does not use PHP native Sessions.

Note: The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.

You can set a Session as follows:

    // Values stored in the session after login
    $data_session = array(
        'id_login'       => $id_user,
        'nome'           => $nome,
        'userPermission' => 1
    );
    $this->session->set_userdata($data_session);

My question is:

Is it really safe to use this class to store IDs that should be secret?

Is there any reason why we should not use this class?

  • What do you mean, it doesn’t use native sessions? CodeIgniter calls it the Session Library; as you can see for yourself, it is a set of pre-written functions. We can see at this link (http://www.codeigniter.com/userguide3/libraries/sessions.html#retrieving-Session-data) that $_SESSION['item'] and $this->session->item are the same thing...

  • 2

    @Rafaelwithoeft If I am not mistaken, as of version 3 CodeIgniter has integrated with the PHP superglobal $_SESSION, whereas in the previous versions the CI sessions were independent. Regarding the security of sessions, in this new version of CI they were rewritten, but with the previous versions you can also set some security settings, such as session expiration, encryption key and other settings in the file config.php. I’ve heard several criticisms regarding the CI sessions, but it’s always nice to configure it beforehand.

  • 1

    @Jhonatanoliveira, I didn’t know that in the previous versions they were independent (I don’t use CodeIgniter). I went to research and found this information in the documentation, so I asked why he says "do not use native sessions"... but thanks for the information, it is always good to know these differences. It would be good if he added this information to the question, I think it is very relevant...

2 answers

1

Without the proper care!

You can set some security options for your Session, such as an encryption key (hash) and modify the duration of the session (by default 1 hour).

An (obviously) not recommended situation is to leave the session active after closing the browser, which was enabled by default in the file config.php or data recovery.

0

I believe that if you use an encryption (hash) and also, in the file config.php, set to false the option to leave the session active after browser shutdown
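
As an added example (not part of either answer and not CodeIgniter's own code), the check below audits the session settings the answers mention, assuming CodeIgniter 2.x, where these keys live in application/config/config.php. The function name, the thresholds and both sample arrays are constructed for illustration.

```php
<?php
// Added example, not CodeIgniter code: audits the session-related keys of a
// CodeIgniter 2.x application/config/config.php array.
function audit_ci2_session(array $config)
{
    $get = function ($key, $default) use ($config) {
        return isset($config[$key]) ? $config[$key] : $default;
    };
    $findings = array();

    // An empty key is the shipped default; 32 characters is this example's minimum.
    if (strlen((string) $get('encryption_key', '')) < 32) {
        $findings[] = 'encryption_key: empty or shorter than 32 characters';
    }
    // Unless sess_use_database is on, every set_userdata() value (id_login,
    // userPermission, ...) is sent to the browser inside the session cookie.
    if (!$get('sess_use_database', false) && !$get('sess_encrypt_cookie', false)) {
        $findings[] = 'sess_encrypt_cookie: userdata is readable in the cookie';
    }
    if (!$get('sess_expire_on_close', false)) {
        $findings[] = 'sess_expire_on_close: session outlives the browser window';
    }
    // In CodeIgniter 2.x a value of 0 is treated as two years.
    $ttl = (int) $get('sess_expiration', 7200);
    if ($ttl === 0 || $ttl > 7200) {
        $findings[] = 'sess_expiration: longer than 2 hours (example threshold)';
    }
    return $findings;
}

// Constructed sample: the values a fresh config.php ships with.
$shipped = array(
    'encryption_key'       => '',
    'sess_expiration'      => 7200,
    'sess_expire_on_close' => false,
    'sess_encrypt_cookie'  => false,
    'sess_use_database'    => false,
);
// Constructed sample: the answers' advice applied, plus server-side storage.
$hardened = array(
    'encryption_key'       => 'REPLACE_WITH_32_RANDOM_CHARACTERS_', // placeholder
    'sess_expiration'      => 3600,
    'sess_expire_on_close' => true,
    'sess_encrypt_cookie'  => true,
    'sess_use_database'    => true,
);
foreach (array('shipped' => $shipped, 'hardened' => $hardened) as $name => $cfg) {
    $found = audit_ci2_session($cfg);
    echo $name, ': ', $found ? implode('; ', $found) : 'no findings', PHP_EOL;
}
```

CodeIgniter 3 rewrote the library on top of $_SESSION and dropped sess_encrypt_cookie, sess_use_database and sess_expire_on_close, so this check does not apply there.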
