[Note] codeigniter session

Because the HTTP protocol itself is stateless, when retaining the access status information of a user, the client must have a unique identifier to pass to the server. The unique identifier is the session ID, the cookie is stored in the client. Then, the server reads the user status information based on this identifier to save the session status. To start a session in PHP, run the following statement:

session_start();

 

1 -- when the client requests a request, some information is stored in the HTTP header and sent to the server. The first user access is used as an example:

Request headers
Accept: text/html, application/XHTML + XML, application/XML; q = 0.9, image/webp, */*; q = 0.8
Accept-encoding: gzip, deflate, SDCh
Accept-language: ZH-CN, ZH; q = 0.8
Cache-control: Max-age = 0
Connection: keep-alive
HOST: S. Local
User-Agent: Mozilla/5.0 (Windows NT 6.1) applewebkit/537.36 (khtml, like gecko) Chrome/31.0.1650.63 Safari/537.36

 

2 -- after receiving the request, the server returns it to the client and adds the cookie request to the HTTP response, telling the browser to set a cookie named PHPSESSID with the value r887k5n4scg32d4ba34huuhmq7, for example:

Response Headers
Cache-control: No-store, no-cache, must-revalidate, post-check = 0, pre-check = 0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html
Date: Sun, 08 Dec 2013 12:56:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-alive: timeout = 5, max = 100
Pragma: No-Cache
Server: Apache/2.2.11 (win32) PHP/5.4.7
Set-COOKIE: PHPSESSID = r887k5n4scg32d4ba34huuhmq7; Path =/
X-powered-by: PHP/5.4.7

3 -- when the client accesses the page of the website again, the browser will send the cookie to the server, and the server will read the file storing the session on the server based on the cookie value to get the session information, for example:

Request headers
Accept: text/html, application/XHTML + XML, application/XML; q = 0.9, image/webp, */*; q = 0.8
Accept-encoding: gzip, deflate, SDCh
Accept-language: ZH-CN, ZH; q = 0.8
Cache-control: Max-age = 0
Connection: keep-alive
COOKIE: PHPSESSID = r887k5n4scg32d4ba34huuhmq7
HOST: S. Local
User-Agent: Mozilla/5.0 (Windows NT 6.1) applewebkit/537.36 (khtml, like gecko) Chrome/31.0.1650.63

To save the session status. However, you also need to note what happens if the session ID of user a is obtained? According to the above logic, if the obtained session ID is sent to the server during the request process, the server reads the file based on the session ID and finds that the file content exists, thus determining that the user is user, that is, the user status of user A can be obtained, and some sensitive operations may be performed. Therefore, during the session validity period, the user's authorization is obtained by obtaining the session ID, which is dangerous. Taking a local management system as an example, after logging on to chrome, the client cookie is displayed as follows:

 

If the session ID is obtained through some means, you can simulate sending the same cookie to achieve login. You can add cookies in Firefox. After you open firebug, create cookies in cookies. After you confirm, refresh the page and log on to the management system. For example:

Generally, the cookie can be obtained through JS, so you need to note the escape to prevent the data from being executed during presentation. Next let's take a look at the session in CI. There are several parameters related to session configuration in the configuration file, which affect session usage. They are:

// Name of the session stored in the cookie

$config[‘sess_cookie_name‘] = ‘ci_session‘;

// The validity period of the session

$config[‘sess_expiration‘]  = 7200;

// Whether the browser session is disabled or not

$config[‘sess_expire_on_close‘] = FALSE;

// Whether the session is encrypted and stored in the cookie

$config[‘sess_encrypt_cookie‘]  = FALSE;

// Whether it is saved in the database

$config[‘sess_use_database‘]    = FALSE;

// If the database exists, the database table name

$config[‘sess_table_name‘]  = ‘ci_sessions‘;

// Match the IP address

$config[‘sess_match_ip‘]    = FALSE;

// Match useragent

$config[‘sess_match_useragent‘] = TRUE;

// Update Time

$config[‘sess_time_to_update‘]  = 300;

The session that comes with CI does not have server-side file storage, and all information is stored in the client cookie. When you call $ this-> load-> Library ('session '); A session is started, that is, a cookie is set. The content of the cookie is as follows:

Array
(
[Session_id] => f05138a9513e3168cb0a57672cfe3b53
[Ip_address] => 127.0.0.1
[User_agent] => Mozilla/5.0 (Windows NT 6.1; wow64) applewebkit/537.36 (khtml, like gecko) Chrome/31.0.1650.63 Safari/537.36
[Last_activity] = & gt; 1386569398
[User_data] =>
)

 

When a request is sent from the client, the information is transmitted to the server in the HTTP header, and the server reads the session information from the HTTP header. Sessions can be implemented in the same way, but there are many uncertainties in this method. Let's talk about the following based on the source code:

1. If the session cookie data did not match what was expected appears in the log file. this cocould be a possible hacking attempt. two problems are described:. sess_encrypt_cookie is false, and session is not encrypted in cookie. B. verification fails after the cookie is read. When encryption/decryption and parameter processing are involved, the matching fails. If the matching fails, the session is cleared.

2. If sess_match_ip is true, when the client IP address changes, the session fails to be verified and the session is cleared.

3. The default value of sess_match_useragent is true. When the client's useragent changes, the verification fails and the sesion is cleared. In a simple example, If you access through the IE browser and switch to different ie modes, the agent is different, so the verification fails and the session is cleared.

As you can see, when any of the above situations occurs, the session will be cleared, and the logon fails or the logon page will jump. What if I do not want to encrypt, check IP addresses, or check useragent? Because cookies are stored on the client and must be sent to the server along with HTTP requests, too many cookies will affect the speed and completely waste bandwidth for some images and other resources; second, cookies can only store 4 K of data, which can be smaller after encryption.

[Note] codeigniter session