CodeIgniter Configuration Session Usage example analysis, Session usage Example _php tutorial

CodeIgniter Configuration Session Usage example analysis, Session usage example

This example describes the session usage of CodeIgniter configuration. Share to everyone for your reference, as follows:

Just use CodeIgniter when the session was also confused, and then no longer use CI since the session, presumably still need to tidy up the session. To understand the session in CI, let's start with how the session in PHP works. Because the HTTP protocol itself is stateless, when retaining the access state information of a user, the client needs to have a unique identity to the server, the unique identifier is the session ID, stored in the client's cookie, and then the server to read the Stored User status information according to the identity, The purpose of saving session state is reached. Starting a session in PHP requires executing the following statement:
Copy the Code code as follows: Session_Start ();

1, the client each request will have some information in the HTTP header sent to the server, with the first user access as an example:
Copy the Code code as follows: Request Headers
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-encoding:gzip,deflate,sdch
accept-language:zh-cn,zh;q=0.8
Cache-control:max-age=0
Connection:keep-alive
Host:s.local
user-agent:mozilla/5.0 (Windows NT 6.1) applewebkit/537.36 (khtml, like Gecko) chrome/31.0.1650.63 safari/537.36

2, the service is received after the request processing and returned to the client, and in the HTTP response Add a cookie request, tell the browser to set a cookie,cookie named Phpsessid, A value of r887k5n4scg32d4ba34huuhmq7, such as:
Copy Code code is as follows: Response Headers
Cache-control:no-store, No-cache, Must-revalidate, post-check=0, pre-check=0
connection:keep-alive
content-length:0
Content-Type : text/html
Date:sun, Dec 12:56:56 GMT
Expires:thu, Nov 1981 08:52:00 GMT
Keep-alive:timeout=5, max=10 0
Pragma:no-cache
server:apache/2.2.11 (Win32) php/5.4.7
set-cookie:phpsessid= R887k5n4scg32d4ba34huuhmq7; path=/
x-powered-by:php/5.4.7

3. When the client accesses the page of the website again, the browser will send the cookie to the server, and the service will read the file that holds the session on the servers according to the value of the cookie, and get the session information, such as:
Copy the Code code as follows: Request Headers
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-encoding:gzip,deflate,sdch
accept-language:zh-cn,zh;q=0.8
Cache-control:max-age=0
Connection:keep-alive
Cookie:phpsessid=r887k5n4scg32d4ba34huuhmq7
Host:s.local
user-agent:mozilla/5.0 (Windows NT 6.1) applewebkit/537.36 (khtml, like Gecko) chrome/31.0.1650.63

To achieve the purpose of saving session state. But also note, what happens if I get the session ID of User a login? According to the above logic, if the acquired session ID is sent to the server during the request, the server reads the file according to the session ID and discovers the contents of the file, thus determining the user as a user, that is, obtaining the user status of a user, which may enable some sensitive operation. Therefore, within the session validity period, get the session ID to obtain the user's authorization, this is more dangerous, with a local management system for example, through Chrome login to view the client cookie such as:

If you get the session ID by some means, you can simulate sending an identical cookie in the past to enable login. In Firefox, you can add a cookie, open a new cookie in Firebug, and then log in to the management system by refreshing the page, such as:

It is usually possible to get a cookie through JS, so you need to be aware of escaping to prevent the data from being executed when it is displayed. Next look at the session in CI. In the configuration file, there are several parameters related to the session configuration, which affect the use of the session, which are:

Session saved in Cookie name $config[' sess_cookie_name ' = ' ci_session ';//session effective time $config[' sess_expiration '] = 7200;/ /whether to close the browser session fails $config[' sess_expire_on_close '] = false;//session Whether the encryption is stored in the cookie $config[' sess_encrypt_cookie ') = Whether false;//is saved in the database $config[' sess_use_database '  = false;//exists in the database, the database table name $config[' sess_table_name '] = ' ci_ Sessions ';//whether match ip$config[' sess_match_ip ')  = false;//matches useragent$config[' sess_match_useragent '] = true;// Update Time $config[' sess_time_to_update '] = 300;

CI comes with a session without server file storage, all the information is stored in the client cookie, when the call $this->load->library (' session '), when a conversation is started, a cookie is set, The contents of the cookie are as follows:

Array ([session_id] = f05138a9513e4928cb0a57672cfe3b53[ip_address] = 127.0.0.1[user_agent] = mozilla/5.0 ( Windows NT 6.1; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/31.0.1650.63 safari/537.36[last_activity] = 1386569398[user_ Data] =)

This information is transmitted to the server in the HTTP header when the client requests it, and the server reads the session information from the HTTP header. The same can be achieved session, but there are a lot of uncertainties in this way, according to the source code to say a few things:

1. If the log file appears: The session cookie data did not match what is expected. This could is a possible hacking attempt. Description two issues: A.sess_encrypt_cookie for false,session unencrypted in Cookie B. After reading to the cookie, the checksum fails. Involved in the decryption, parameter processing, prone to match does not pass the case, if not passed, empty session.

2, if the SESS_MATCH_IP is true, when the client IP changes, the session officer does not pass, thereby emptying the session.

3, sess_match_useragent default is True, when the client useragent changes, the checksum does not pass, empty sesion. Simple example, through IE browser access, if switching to different IE mode, agent is different, so the check does not pass, empty session.

As you can see, when any of the above conditions occur, the session is emptied, the login is unsuccessful or the login page is redirected. If you say no encryption, do not verify IP, useragent it? Because cookies are stored on the client side, it is necessary to accompany the HTTP request to the server, one too many cookies can affect the speed, and for some pictures and other resources to waste bandwidth completely, and the cookie can only store 4K of data, encryption processing can be stored smaller.

All sorts of uncertainties will produce strange problems, avoid too much entanglement, and decisively switch to other ways.

For more information on CodeIgniter framework related content readers can view this site topic: "CodeIgniter Introductory Tutorial"

It is hoped that this article is helpful to the PHP program design based on CodeIgniter framework.

Articles you may be interested in:

• Example analysis of database.php usage of codeigniter configuration
• Example analysis of routes.php usage of codeigniter configuration
• Example analysis of config.php usage of codeigniter configuration
• Setting enhanced configuration class instance for CI (CodeIgniter)
• Using Smarty3 basic configuration in CodeIgniter
• CodeIgniter Framework method under Nginx configuration
• CI (codeigniter) Framework Configuration
• CodeIgniter Basic Configuration Detailed Introduction
• Parsing the CodeIgniter custom configuration file
• autoload.php Automatic load usage analysis of CodeIgniter configuration

http://www.bkjia.com/PHPjc/1093699.html www.bkjia.com true http://www.bkjia.com/PHPjc/1093699.html techarticle CodeIgniter Configuration Session Usage example analysis, Session Usage Example This paper describes the session usage of CodeIgniter configuration. Share to everyone for reference, as follows: just use ...

