Example analysis of session usage in the CodeIgniter configuration (PHP example)

Source: Internet
Author: User
Tags session id sessions webp codeigniter

This article describes how sessions are used and configured in CodeIgniter. It is shared for your reference; the details follow.

When I first used CodeIgniter, its session handling was one of the things that confused me, and afterwards I stopped using CI's session altogether; still, the topic deserves a tidy write-up. To understand sessions in CI, first look at how a session works in PHP. Because the HTTP protocol itself is stateless, for a user's access state to be retained the client must pass a unique identifier to the server: the session ID, which is stored in a cookie on the client. The server then looks up the stored user state by that identifier, and that is how session state is preserved. To start a session in PHP, execute the following statement:

session_start();

1. Every request from the client carries some information in the HTTP headers sent to the server. Taking the user's first visit as an example:

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: s.local
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

2. The server receives the request, processes it and returns a response to the client. In the HTTP response it adds a Set-Cookie header telling the browser to set a cookie named PHPSESSID with the value r887k5n4scg32d4ba34huuhmq7, for example:

Response Headers
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html
Date: Sun, Dec 2013 12:56:56 GMT
Expires: Thu, Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.2.11 (Win32) PHP/5.4.7
Set-Cookie: PHPSESSID=r887k5n4scg32d4ba34huuhmq7; path=/
X-Powered-By: PHP/5.4.7

3. When the client visits a page of the site again, the browser sends the cookie to the server. The server can then read the session file stored on the server according to the cookie's value and retrieve the user's information, for example:

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=r887k5n4scg32d4ba34huuhmq7
Host: s.local
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63

That is how session state is preserved. But note: what happens if someone obtains the session ID of user A after A has logged in? By the logic above, if the obtained session ID is sent to the server, the server reads the session file for that ID, finds its contents and treats the requester as user A, so the requester gets user A's state and may be able to perform sensitive operations. Therefore, within the session lifetime, obtaining the session ID amounts to obtaining the user's authorization, which is quite dangerous. Taking a local management system as an example, after logging in through Chrome the client's cookies look like the figure below:

If the session ID is obtained by some means, an identical cookie can be sent to obtain a logged-in state. Firefox can add cookies: open Firebug, create the new cookie in the Cookies panel, then refresh the page and you are logged in to the management system, as shown below:

Cookies can usually be read through JS, so you need to escape data when it is displayed to prevent it from being executed. Next, look at sessions in CI. Several parameters in the configuration file relate to sessions and affect how they are used. They are:
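As an added example (not code from the original article), here is how the native PHP session flow described above can be hardened against the cookie theft just discussed: the session cookie is flagged HttpOnly so document.cookie cannot read it, the ID is regenerated on login, and displayed data is escaped. The login handler and the user ID are hypothetical, and the example assumes the site is served over HTTPS.

```php
<?php
// Added example (not from the original article): hardening the native PHP
// session flow shown above. Cookie flags keep PHPSESSID away from JavaScript
// and plain HTTP; regenerating the ID on login discards whatever ID the
// browser held before authentication.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Assumes the site is served over HTTPS so the Secure flag can be set.
    session_set_cookie_params([
        'lifetime' => 0,      // gone when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable via document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

// Hypothetical login step: $userId comes from your own credential check.
function loginUser(int $userId): void
{
    // Replace the pre-login session ID so a previously captured ID is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Escape user-controlled data before it is rendered, as the article advises,
// so stored values cannot run as script in the page.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

startHardenedSession();
if (!isset($_SESSION['user_id'])) {
    loginUser(42); // credential check omitted for brevity
}
echo 'Logged in as user ' . e((string) $_SESSION['user_id']);
```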

// The name of the session cookie
$config['sess_cookie_name'] = 'ci_session';
// The session lifetime (seconds)
$config['sess_expiration'] = 7200;
// Whether the session expires when the browser is closed
$config['sess_expire_on_close'] = FALSE;
// Whether the session data stored in the cookie is encrypted
$config['sess_encrypt_cookie'] = FALSE;
// Whether to store session data in the database
$config['sess_use_database'] = FALSE;
// The table name when stored in the database
$config['sess_table_name'] = 'ci_sessions';
// Whether to match the client IP
$config['sess_match_ip'] = FALSE;
// Whether to match the user agent
$config['sess_match_useragent'] = TRUE;
// Update interval (seconds)
$config['sess_time_to_update'] = 300;

CI's built-in session has no server-side file store; all information is kept in the client cookie. After calling $this->load->library('session'); the contents of the cookie are as follows:

Array
(
    [session_id] => f05138a9513e4928cb0a57672cfe3b53
    [ip_address] => 127.0.0.1
    [user_agent] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    [last_activity] => 1386569398
    [user_data] =>
)

This information is sent to the server in the HTTP headers with every client request, and the server reads the session information back out of those headers. This also implements a session, but the approach has many uncertainties. A few points, based on the source code:

1. If the log file shows "The session cookie data did not match what is expected. This could be a possible hacking attempt.", it points to one of two problems: A. sess_encrypt_cookie is FALSE and the session is stored in the cookie unencrypted; B. the checksum fails after the cookie is read. Because encryption, decryption and parameter handling are all involved, a mismatch is easy to hit, and when the check fails the session is emptied.

2. If sess_match_ip is TRUE, then when the client IP changes the session check fails and the session is emptied.

3. sess_match_useragent defaults to TRUE, so when the client user agent changes the check fails and the session is emptied. A simple example: when accessing through IE, switching to a different IE mode changes the user agent, so the check fails and the session is emptied.

As you can see, whenever any of the above situations occurs the session is emptied, login fails or you are redirected to the login page. What if you do not encrypt and do not check the IP or user agent? Because cookies are stored on the client, they must accompany every HTTP request to the server; too many cookies slow things down and waste bandwidth entirely for images and other resources, and a cookie can only hold 4K of data, less once encryption is applied.
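To make the three failure cases above concrete, here is an added example (not CodeIgniter's own code) of a minimal cookie-stored session shaped like the array shown earlier, with an integrity check and the sess_match_ip / sess_match_useragent behaviour the article describes; it uses an HMAC rather than CI's own checksum, and the secret and config values are assumptions for the demo.

```php
<?php
// Added example (not CodeIgniter's own code): a minimal cookie-stored session
// shaped like the array above, with an integrity check and the sess_match_ip /
// sess_match_useragent behaviour the article describes. The secret and the
// config values are assumptions for this demo.
declare(strict_types=1);

const SESS_SECRET = 'demo-secret-change-me';
$config = ['sess_match_ip' => true, 'sess_match_useragent' => true,
           'sess_expiration' => 7200];

// Serialize the array and append a keyed MAC so edits on the client are detected.
function writeSessionCookie(array $data): string
{
    $payload = serialize($data);
    return $payload . hash_hmac('sha256', $payload, SESS_SECRET);
}

// Any failed check returns []: the "session emptied" outcome the article lists.
function readSessionCookie(string $c, array $cfg, string $ip, string $ua): array
{
    if (strlen($c) <= 64) {
        return [];
    }
    $payload = substr($c, 0, -64);
    if (!hash_equals(hash_hmac('sha256', $payload, SESS_SECRET), substr($c, -64))) {
        return []; // "cookie data did not match what is expected"
    }
    $d = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($d) || !isset($d['session_id'], $d['last_activity'])) {
        return [];
    }
    if ($d['last_activity'] + $cfg['sess_expiration'] < time()) {
        return []; // past sess_expiration
    }
    if ($cfg['sess_match_ip'] && ($d['ip_address'] ?? '') !== $ip) {
        return []; // client IP changed
    }
    if ($cfg['sess_match_useragent'] && ($d['user_agent'] ?? '') !== $ua) {
        return []; // user agent changed (e.g. a different IE mode)
    }
    return $d;
}

$ua = 'Mozilla/5.0 (demo)';
$cookie = writeSessionCookie(['session_id' => bin2hex(random_bytes(16)),
    'ip_address' => '127.0.0.1', 'user_agent' => $ua,
    'last_activity' => time(), 'user_data' => '']);
echo 'same client: ', readSessionCookie($cookie, $config, '127.0.0.1', $ua) ? 'kept' : 'emptied', PHP_EOL;
echo 'new IP:      ', readSessionCookie($cookie, $config, '10.0.0.5', $ua) ? 'kept' : 'emptied', PHP_EOL;
```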

All these uncertainties create strange problems; rather than get too tangled up in them, I decisively switched to other approaches.

Readers interested in more about the CodeIgniter framework can see the site topic "CodeIgniter Introductory Course".

I hope this article helps you with PHP program design based on the CodeIgniter framework.
