CI — system/libraries/Session.php


system/libraries/Session.php

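CI's Session class is implemented on top of browser cookies: if the user disables cookies, the session cannot be used. There are also reports online of CI sessions being lost for no apparent reason, so I went straight to the code to see how it is handled, which is far more useful than guessing.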

    /**
     * Fetch the current session data if it exists
     *
     * @access    public
     * @return    bool
     */
    function sess_read()
    {
        // Fetch the cookie
        $session = $this->CI->input->cookie($this->sess_cookie_name); // read the data from the cookie

        // No cookie?  Goodbye cruel world!...
        if ($session === FALSE)
        {
            log_message('debug', 'A session cookie was not found.');
            return FALSE;
        }

        // Decrypt the cookie data
        if ($this->sess_encrypt_cookie == TRUE)
        {
            $session = $this->CI->encrypt->decode($session);
        }
        else
        {
            // Note: even if encryption is not enabled in the config, you must still set
            // an encryption key, because CI has to make sure the data read from the
            // client cookie is trustworthy.
            // encryption was not used, so we need to check the md5 hash
            $hash    = substr($session, strlen($session)-32); // get last 32 chars (the hash value)
            $session = substr($session, 0, strlen($session)-32); // the actual session content

            // Does the md5 hash match?  This is to prevent manipulation of session data in userspace
            // MD5 the session content together with the encryption key from the config file
            // and compare the result with the hash extracted above
            if ($hash !== md5($session.$this->encryption_key))
            {
                log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
                $this->sess_destroy();
                return FALSE;
            }
        }

        // Unserialize the session array
        $session = $this->_unserialize($session);

        // Is the session data we unserialized an array with the correct format?
        if ( ! is_array($session) OR ! isset($session['session_id']) OR ! isset($session['ip_address']) OR ! isset($session['user_agent']) OR ! isset($session['last_activity']))
        {
            $this->sess_destroy();
            return FALSE;
        }

        // Is the session current?
        if (($session['last_activity'] + $this->sess_expiration) < $this->now)
        {
            $this->sess_destroy();
            return FALSE;
        }

        // Does the IP Match? (IP address matching, nothing much to say here)
        if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())
        {
            $this->sess_destroy();
            return FALSE;
        }

        // Does the User Agent Match?
        // Browser user_agent matching. One detail to note: only the first 120 characters
        // of the value received from the client are compared.
        if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120)))
        {
            $this->sess_destroy();
            return FALSE;
        }

        // Is there a corresponding session in the DB?
        // If your CI session is configured to use the database, the record is looked up there.
        if ($this->sess_use_database === TRUE)
        {
            $this->CI->db->where('session_id', $session['session_id']);

            if ($this->sess_match_ip == TRUE)
            {
                $this->CI->db->where('ip_address', $session['ip_address']);
            }

            if ($this->sess_match_useragent == TRUE)
            {
                $this->CI->db->where('user_agent', $session['user_agent']);
            }

            $query = $this->CI->db->get($this->sess_table_name);

            // No result?  Kill it!
            if ($query->num_rows() == 0)
            {
                $this->sess_destroy();
                return FALSE;
            }

            // Is there custom data?  If so, add it to the main session array
            $row = $query->row();
            if (isset($row->user_data) AND $row->user_data != '')
            {
                $custom_data = $this->_unserialize($row->user_data);

                if (is_array($custom_data))
                {
                    foreach ($custom_data as $key => $val)
                    {
                        $session[$key] = $val;
                    }
                }
            }
        }

        // Session is valid!
        $this->userdata = $session;
        unset($session);

        return TRUE;
    }
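
The unencrypted branch of sess_read() authenticates the cookie with md5($session.$this->encryption_key) and compares the result with !==. As an added example (not CodeIgniter's code and not from the original post), the same trailing-hash cookie layout is shown next to a version that uses HMAC-SHA256 and a constant-time comparison; the function names, key and payload are constructed for illustration.

```php
<?php
// Added example, not CodeIgniter code. Function names, key and payload are constructed.

const MD5_HEX_LEN  = 32; // length of the hex MD5 suffix that sess_read() strips
const HMAC_HEX_LEN = 64; // length of a hex HMAC-SHA256 tag

// Legacy layout from sess_read(): serialized data followed by md5(data . key).
function legacy_seal($data, $key)
{
    return $data . md5($data . $key);
}

function legacy_open($cookie, $key)
{
    if (strlen($cookie) <= MD5_HEX_LEN) {
        return false; // too short to hold data plus hash
    }
    $hash = substr($cookie, -MD5_HEX_LEN);
    $data = substr($cookie, 0, -MD5_HEX_LEN);
    // Same check as sess_read(), including the non-constant-time !==
    return ($hash !== md5($data . $key)) ? false : $data;
}

// Hardened layout: data followed by an HMAC-SHA256 tag, compared in constant time.
function hmac_seal($data, $key)
{
    return $data . hash_hmac('sha256', $data, $key);
}

function hmac_open($cookie, $key)
{
    if (strlen($cookie) <= HMAC_HEX_LEN) {
        return false; // too short to hold data plus tag
    }
    $tag  = substr($cookie, -HMAC_HEX_LEN);
    $data = substr($cookie, 0, -HMAC_HEX_LEN);
    // hash_equals() takes the known value first and does not exit on the first differing byte
    return hash_equals(hash_hmac('sha256', $data, $key), $tag) ? $data : false;
}

// Constructed sample input.
$key  = 'example-key-not-a-real-secret';
$data = serialize(array('session_id' => 'abc123', 'last_activity' => 1700000000));

$cookie = hmac_seal($data, $key);
var_dump(hmac_open($cookie, $key) === $data);                        // untouched cookie
var_dump(hmac_open(str_replace('abc123', 'abc124', $cookie), $key)); // data edited client-side
var_dump(hmac_open($cookie, 'some-other-key'));                      // verified with a different key
var_dump(legacy_open(legacy_seal($data, $key), $key) === $data);     // legacy format round trip
```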
