CodeIgniter session configuration

Source: Internet
Author: User
Tags webp codeigniter

When I first used CodeIgniter its session handling confused me, and although I no longer use CI's session library, it is still worth tidying up how it works. To understand sessions in CI, start with how sessions work in PHP. HTTP itself is stateless, so to keep a user's access state across requests the client needs a unique identifier that the server recognises. That identifier is the session ID: it is stored in a cookie on the client, and on each request the server uses it to look up the user state it has stored, which is how session state is preserved. Starting a session in PHP requires the following statement:

session_start();

1. On every request the client sends some information to the server in HTTP headers. Take the user's first visit as an example:

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-cn,zh;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: s.local
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

2. The server receives and processes the request and returns a response to the client. In that response it adds a Set-Cookie header telling the browser to set a cookie named PHPSESSID whose value is r887k5n4scg32d4ba34huuhmq7:

Response Headers
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html
Date: Sun, Dec 12:56:56 GMT
Expires: Thu, 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.2.11 (Win32) PHP/5.4.7
Set-Cookie: PHPSESSID=r887k5n4scg32d4ba34huuhmq7; path=/
X-Powered-By: PHP/5.4.7

3. When the client visits another page of the site, the browser sends the cookie back to the server. The server uses the cookie value to locate the file that holds that session (PHP's default handler stores each session in a file on the server) and reads the session information from it:

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-cn,zh;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=r887k5n4scg32d4ba34huuhmq7
Host: s.local
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63

This is how session state is preserved. But note what happens if I obtain the session ID of user A's logged-in session. By the logic above, if the acquired session ID is sent with a request, the server reads the file for that ID, finds A's state in it and treats the request as coming from A. Whoever holds the ID therefore holds A's authorization and can perform whatever sensitive operations A can. So within the session's validity period, obtaining the session ID means obtaining the user's authorization, which is dangerous. Take a local management system as an example: log in through Chrome and view the cookie in the client's developer tools.

If you obtain the session ID by some means, you can replay an identical cookie and be logged in without credentials. In Firefox, open Firebug, add a new cookie with the same name and value, then refresh the page, and you are logged in to the management system.

Cookies can usually be read with JavaScript, so output must be escaped so that user-supplied data cannot execute as script when it is displayed (cross-site scripting); marking the session cookie HttpOnly additionally keeps document.cookie from reading it. Next, look at sessions in CI. The configuration file has several parameters related to the session that affect how it behaves:
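As an added example (not code from the original post), here is the hardening a practitioner applies to the native PHP session whose PHPSESSID exchange is shown above: cookie attributes that keep the ID off plain HTTP and out of document.cookie, a fresh ID at login, and a logout that removes the server-side copy so a cookie copied earlier can no longer be replayed. The function names are this example's own, and it assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the original post: hardening the native PHP
// session (PHPSESSID) described above. Function names are this example's
// own. Assumes PHP >= 7.3 for the array form of session_set_cookie_params().

// Start the session with cookie attributes that limit what a copied cookie
// is worth: Secure keeps it off plain HTTP, HttpOnly keeps document.cookie
// from reading it (the XSS theft mentioned above), SameSite keeps it off
// cross-site POSTs.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // expires when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the credentials have been verified. Issuing a fresh ID means
// whatever ID the client carried before login, and anyone who saw it, is
// not promoted to a logged-in session.
function login_user(int $userId): void
{
    session_regenerate_id(true);            // true: delete the old session file
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Logged in only if the server-side record says so; presenting a cookie
// whose file carries no user_id is not a login.
function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// Remove the server-side record and expire the cookie. A cookie copied
// earlier now points at nothing, so replaying it no longer works.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical page flow; the credential check itself is outside this example.
secure_session_start();
if (($_GET['action'] ?? '') === 'logout') {
    logout_user();
}
```

Note that none of this stops an attacker who already holds a live cookie from using it until logout or expiry; it shrinks the ways the cookie leaks and the time it stays valid, which is the best a bearer token allows.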

// name of the cookie the session is stored in
$config['sess_cookie_name'] = 'ci_session';
// session lifetime in seconds
$config['sess_expiration'] = 7200;
// whether the session expires when the browser is closed
$config['sess_expire_on_close'] = FALSE;
// whether the session data is encrypted in the cookie
$config['sess_encrypt_cookie'] = FALSE;
// whether to store the session in the database
$config['sess_use_database'] = FALSE;
// table name when stored in the database
$config['sess_table_name'] = 'ci_sessions';
// whether to match the client IP
$config['sess_match_ip'] = FALSE;
// whether to match the User-Agent
$config['sess_match_useragent'] = TRUE;
// how often, in seconds, the session is refreshed
$config['sess_time_to_update'] = 300;
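For comparison, here is the same set of CodeIgniter 2.x settings tightened as an added example (not from the original post): user data kept on the server, the cookie encrypted rather than merely checksummed, and the IP and User-Agent binding that breaks legitimate sessions turned off. It assumes CI 2.x, that the ci_sessions table from the CI 2.x user guide has been created, and that the placeholder encryption_key is replaced with a real random value.

```php
<?php
// Added example, not from the original post: tightened session settings for
// application/config/config.php in CodeIgniter 2.x. Assumes the ci_sessions
// table from the CI 2.x user guide exists. The key below is a placeholder.

// Used both for the md5 checksum in unencrypted mode and by the encrypt
// library; an empty key is the first thing to fix.
$config['encryption_key'] = 'replace-with-32-random-characters';   // placeholder

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = FALSE;
// Encrypt the cookie instead of relying on the md5 checksum alone, so a
// holder of the cookie cannot read ip_address, user_agent or last_activity.
$config['sess_encrypt_cookie']  = TRUE;
// Keep custom user data on the server: with this on, the cookie carries only
// session_id, ip_address, user_agent and last_activity, and the 4K cookie
// limit stops mattering.
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
// IP and User-Agent binding empties legitimate sessions (changing networks,
// IE document modes) more often than it stops an attacker who copied the
// cookie from the same browser; leave both off.
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update']  = 300;

// Cookie attributes: send the session cookie over HTTPS only.
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path']   = '/';
$config['cookie_secure'] = TRUE;
```

With sess_use_database on, the cookie still carries the session_id, so everything said above about a stolen session ID granting the user's authorization still applies; what changes is that the user data is no longer readable or forgeable from the cookie.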

CI's own session library (CodeIgniter 2.x, which the settings above belong to) stores nothing on the server by default: all session information is kept in the client cookie. When $this->load->library('session') is called, a session is started and a cookie is set whose contents are the serialized form of the following array:

Array
(
    [session_id] => f05138a9513e4928cb0a57672cfe3b53
    [ip_address] => 127.0.0.1
    [user_agent] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    [last_activity] => 1386569398
    [user_data] =>
)

This information travels to the server in the Cookie header of every client request, and the server reads the session out of that header. It achieves a session just the same, but the approach has many uncertainties. Going by the source code, a few points:

1. If the log file shows "The session cookie data did not match what is expected. This could be a possible hacking attempt.", two things are true: (a) sess_encrypt_cookie is FALSE, so the session is stored unencrypted in the cookie and protected only by a checksum appended to it; (b) the checksum of the data read back from the cookie did not match. With the decoding and parameter handling involved, this check is easy to fail, and when it fails the session is emptied.

2. If sess_match_ip is TRUE, the check fails whenever the client's IP changes, and the session is emptied.

3. sess_match_useragent defaults to TRUE, so whenever the client's User-Agent changes the check fails and the session is emptied. A simple example: access the site through IE and switch to a different IE mode; the User-Agent differs, so the check fails and the session is emptied.

As you can see, whenever any of the above happens the session is emptied, so the login fails or the user is redirected to the login page. What if you turn off encryption and do not verify IP or User-Agent? Because the cookie is stored on the client, it must accompany every HTTP request to the server; an oversized cookie slows requests and is pure wasted bandwidth on images and other static resources, a cookie can only hold about 4K of data, and encryption adds overhead so even less fits.
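To make the three points concrete, the following added example (not the CodeIgniter library's own code) models how the CI 2.x Session library packs the array above into the cookie with sess_use_database and sess_encrypt_cookie both FALSE, and the checks it runs on the next request. The cookie layout, the serialized array followed by md5(data . encryption_key), follows the CI 2.x source; the function names, the key and the sample values are this example's own constructions. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not the CodeIgniter library's own code: a stand-alone model
// of how the CI 2.x Session library packs the session array into the cookie
// when sess_use_database = FALSE and sess_encrypt_cookie = FALSE, and of the
// checks it runs on the next request. Function names, key and sample values
// are constructed for this example. Assumes PHP >= 7.1.

const ENCRYPTION_KEY = 'constructed-example-key';   // stands in for $config['encryption_key']

// Write side: serialized array plus a 32-character md5 keyed with the
// server-side encryption_key. The hash prevents tampering; it hides nothing.
function ci_cookie_encode(array $session, string $key): string
{
    $data = serialize($session);
    return $data . md5($data . $key);
}

// Read side. Returns null where CI logs "The session cookie data did not
// match what is expected. This could be a possible hacking attempt." and
// destroys the session.
function ci_cookie_decode(string $cookie, string $key): ?array
{
    if (strlen($cookie) <= 32) {
        return null;
    }
    $hash = substr($cookie, -32);
    $data = substr($cookie, 0, -32);
    // Check the hash before unserialize(): unauthenticated input is never
    // unserialized, and the comparison is constant-time.
    if (!hash_equals(md5($data . $key), $hash)) {
        return null;
    }
    $session = @unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

// Per-request checks that empty the session (points 2 and 3 above), each
// gated by the config flag it depends on. CI stores and compares only the
// first 50 characters of the User-Agent.
function ci_session_check(array $session, string $ip, string $ua, int $now,
                          int $expiration, bool $matchIp, bool $matchUa): bool
{
    foreach (['session_id', 'ip_address', 'user_agent', 'last_activity'] as $k) {
        if (!isset($session[$k])) {
            return false;
        }
    }
    if ($session['last_activity'] + $expiration < $now) {
        return false;                                   // expired
    }
    if ($matchIp && $session['ip_address'] !== $ip) {
        return false;                                   // client IP changed
    }
    if ($matchUa && trim($session['user_agent']) !== trim(substr($ua, 0, 50))) {
        return false;                                   // e.g. IE document mode switched
    }
    return true;
}

// ---- walk-through with constructed values --------------------------------
$ua = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/31.0';
$session = [
    'session_id'    => 'f05138a9513e4928cb0a57672cfe3b53',
    'ip_address'    => '127.0.0.1',
    'user_agent'    => substr($ua, 0, 50),
    'last_activity' => 1386569398,
    'user_data'     => '',
    'user_id'       => 7,     // what set_userdata('user_id', 7) adds to the array
];
$cookie = ci_cookie_encode($session, ENCRYPTION_KEY);

// (a) Whoever holds the cookie reads it without the key: the payload sits
//     in front of the hash in clear text.
$leaked = @unserialize(substr($cookie, 0, -32), ['allowed_classes' => false]);
printf("readable without key: ip=%s user_id=%d\n", $leaked['ip_address'], $leaked['user_id']);

// (b) Changing a value without the key fails the checksum (point 1).
$tampered = str_replace('s:7:"user_id";i:7;', 's:7:"user_id";i:1;', $cookie);
printf("tampered cookie accepted: %s\n", var_export(ci_cookie_decode($tampered, ENCRYPTION_KEY) !== null, true));

// (c) With the key, a cookie for any user can be minted; the checksum is
//     only as secret as encryption_key.
$forged = ci_cookie_encode(['user_id' => 1] + $session, ENCRYPTION_KEY);
printf("forged cookie accepted: %s\n", var_export(ci_cookie_decode($forged, ENCRYPTION_KEY) !== null, true));

// (d) Valid checksum, different User-Agent: emptied under the default
//     sess_match_useragent = TRUE, kept when it is FALSE (point 3).
$restored = ci_cookie_decode($cookie, ENCRYPTION_KEY);
$later    = 1386569398 + 60;
$ie       = 'Mozilla/4.0 (compatible; MSIE 8.0)';
printf("UA changed, match_ua=TRUE:  %s\n", var_export(ci_session_check($restored, '127.0.0.1', $ie, $later, 7200, false, true), true));
printf("UA changed, match_ua=FALSE: %s\n", var_export(ci_session_check($restored, '127.0.0.1', $ie, $later, 7200, false, false), true));
```

Steps (a) and (c) are the part the configuration comments do not spell out: with encryption off, the checksum only detects edits, so everything in the cookie is readable by its holder, and anyone who learns encryption_key can mint a cookie for any user. Step (d) shows why the User-Agent binding causes the IE-mode problem described in point 3 while doing nothing against an attacker who replays the cookie from the same browser.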

All these uncertainties produce strange problems. Rather than getting entangled in them, switch decisively to another approach.

--eof-- Unless otherwise noted, blog articles are original; if you reproduce them, please link to this article's address: http://pengbotao.cn/codeigniter-session.html
