
If I switch on "save session data in database", all the session data is saved in both the cookie and the DB. While this improves security (I also have all the data encrypted), I want to save very sensitive session data, such as "is_logged_in" (session->set_userdata("is_logged_in", "1");), in the DB only.

How can this be achieved? Thanks.

  • 1
  • AFAIK, session data is not saved in the cookie. Only a session ID is saved in the cookie. Commented Sep 3, 2013 at 16:20
  • +1 Codeigniter Session - Access Userdata value for all users from DB Commented Sep 3, 2013 at 16:22
  • No, in the cookie. @Prasanth. I have switched cookie encryption off. The cookie content: "a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22e00777979f9c821381910d4196361ea7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A74%3A%22Mozilla%2F5.0+%28X11%3B+Ubuntu%3B+Linux+i686%3B+rv%3A20.0%29+Gecko%2F20100101+Firefox%2F20.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1378225370%3B%7D8c29441764063fb6f8c4f789ce9909fa" That's the same as what is in the DB. Commented Sep 3, 2013 at 16:24
  • @Rameez: What do you want to tell me with that link? Commented Sep 3, 2013 at 16:31
  • @usario I read your un-edited question, so I understood that you need to get the session from the DB... but I didn't see your updated question until I got the notification of the question update... Commented Sep 3, 2013 at 17:30

1 Answer

Using CodeIgniter sessions with the database is going to be very secure.

What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.

There are other protections of the session data: a refresh timeout (by default every 300 seconds), and it checks whether the IP changed and whether the browser changed.

In other words, in the worst-case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.


4 Comments

  • Does that mean I simply misunderstood something and CI does in fact store data saved with session->set_userdata() in the database only?
  • If you configure the session to store only in the DB, the session is very secure.
  • How do I configure the expiry date for the session cookie?
  • If I understand correctly, you are talking about the expiry time. You can configure it in config/config.php, at $config['sess_expiration'] = 7200;. 7200 is the default; it is two hours in seconds.
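The read path the answer describes, as an added example that is not part of the original post or of CodeIgniter's own code: it models what CI 2.x sess_read() does with the cookie format quoted in the question's comments (a URL-encoded PHP-serialized array followed by a 32-character md5 trailer), checks the trailer, the sess_expiration window and the IP/user-agent match, and then merges the custom userdata from the session-table row, which is where set_userdata() values live when sess_use_database is on while the cookie itself carries only the four default fields. The encryption key, IP, user agent, session id and table row are constructed placeholders, not values from the question.

```python
import hashlib
from urllib.parse import quote_plus, unquote_plus
# Added example, not CodeIgniter's code: a model of what CI 2.x sess_read() does with
# sess_use_database on. Key, IP, user agent, session id and table row are constructed.
DEFAULT_KEYS = ("session_id", "ip_address", "user_agent", "last_activity")

def php_serialize_array(d):
    """Serialize a flat dict of str/int values the way PHP serialize() does (ASCII only)."""
    items = "".join(f's:{len(k)}:"{k}";' + (f"i:{v};" if isinstance(v, int) else f's:{len(v)}:"{v}";')
                    for k, v in d.items())
    return f"a:{len(d)}:{{{items}}}"

def php_unserialize_array(s):
    """Parse the flat serialized array CI writes (string and int values only)."""
    n_end = s.index(":", 2)
    n, pos, out = int(s[2:n_end]), n_end + 2, {}          # skip 'a:N:{'
    def read(pos):                                        # returns (value, next_pos)
        if s[pos] == "i":                                 # i:123;
            end = s.index(";", pos)
            return int(s[pos + 2:end]), end + 1
        ln_end = s.index(":", pos + 2)                    # s:LEN:"...";  LEN is in bytes
        start, ln = ln_end + 2, int(s[pos + 2:ln_end])
        return s[start:start + ln], start + ln + 2
    for _ in range(n):
        key, pos = read(pos)
        out[key], pos = read(pos)
    return out

def sess_read(raw_cookie, key, session_table, now, client_ip, client_ua, expiration=7200):
    """Return merged session data if the cookie passes every check, else None."""
    data = unquote_plus(raw_cookie)
    body, digest = data[:-32], data[-32:]                 # trailer is md5(serialized . encryption_key)
    if hashlib.md5((body + key).encode()).hexdigest() != digest:
        return None                                       # tampered, or wrong encryption key
    sess = php_unserialize_array(body)
    if now - sess["last_activity"] > expiration:
        return None                                       # older than sess_expiration
    if sess["ip_address"] != client_ip or sess["user_agent"] != client_ua:
        return None                                       # sess_match_ip / sess_match_useragent
    row = session_table.get(sess["session_id"])
    if row is None or any(row[k] != sess[k] for k in DEFAULT_KEYS[:3]):
        return None                                       # no matching row in the session table
    return {**sess, **row["user_data"]}                   # custom userdata comes from the DB only

# Constructed sample: the cookie carries only the four default fields; is_logged_in lives in the table.
KEY, IP, UA, NOW = "example-encryption-key", "127.0.0.1", "Mozilla/5.0 (example)", 1378225370 + 60
FIELDS = {"session_id": "0123456789abcdef" * 2, "ip_address": IP, "user_agent": UA, "last_activity": 1378225370}
BODY = php_serialize_array(FIELDS)
RAW_COOKIE = quote_plus(BODY + hashlib.md5((BODY + KEY).encode()).hexdigest())
SESSION_TABLE = {FIELDS["session_id"]: {**FIELDS, "user_data": {"is_logged_in": "1"}}}
```

Calling sess_read(RAW_COOKIE, KEY, SESSION_TABLE, NOW, IP, UA) yields the four cookie fields plus is_logged_in from the table; a wrong key, a stale last_activity or a different IP makes it return None.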
