3

I'm going to use CodeIgniter's session data for my login system, but first I wanted to understand it, so I read the user guide, and from what I understand, CodeIgniter's session data are just cookies.
Is this true? Does that mean that if the user disables cookies, he won't be able to log in to any website using CodeIgniter's session data?
quoted:

The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie
So does that mean I should create my own native PHP session data so that users who disable cookies are able to log in to my website? Or are CodeIgniter's session data not just cookies?

Abdulaziz

2 Answers

5

Yes, CodeIgniter's inbuilt session class does use cookies; however, even the standard Sessions in PHP need cookies.

Thus, no matter which route you go, CodeIgniter Session or the standard Session, either way, if the user does not have cookies enabled, Sessions won't work.

The advantage of CodeIgniter's Session class is it automatically encrypts the data as well to prevent cookie tampering, plus allows you to authenticate the cookie against a database.

Ayush
  • Doesn't PHP fall back to appending the session ID to URLs if a user has cookies disabled? Maybe that has been retired. – jedwards Jun 08 '12 at 04:49
  • It is possible to use GET or POST, but it is a **huge** security hole. http://stackoverflow.com/questions/827910/passing-session-id-via-url – ksiimson Jun 08 '12 at 04:57
2

Sessions in CodeIgniter or any other application using the HTTP protocol are best kept track of using cookies. Normally, the session data itself is not stored using cookies, but a key to access this data is, whether the actual session data is stored in the server's filesystem or in a database.

PHP allows setting the session ID through cookies, POST or GET, but it is preferable to always use cookies, or you will be opening doors to session fixation, using ini_set('session.use_only_cookies', true). Practically everybody does have cookies enabled.

ksiimson
  • Unless I'm mistaken, in CodeIgniter, the entire session data is stored in the cookie, and there is no filesystem component to it. This is unlike standard Sessions where only the key is stored in the cookie, and the value resides on the filesystem. – Ayush Jun 08 '12 at 04:46
  • 1
    I checked the CodeIgniter session library and yes, CodeIgniter does have an option to store session data using encrypted cookies. Personally I don't think it is a good approach and I would recommend storing sessions in a database unless you are really tight on storage. However, it does not make any difference as far as cookie-disabled browsers are concerned. – ksiimson Jun 08 '12 at 04:53
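
The cookie-only setting from the answer above, placed in a native PHP session bootstrap together with ID regeneration at login. This is an added example, not code from the original posts or from CodeIgniter; the function names are hypothetical, and it assumes PHP 7.3+ on a site served over HTTPS.

```php
<?php
// Added example (not CodeIgniter's API); function names are hypothetical.

function start_hardened_session(): void
{
    // Accept the session ID from a cookie only, never from GET or POST.
    ini_set('session.use_only_cookies', '1');
    // Do not rewrite URLs to carry the session ID when cookies are disabled.
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not generate itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is HTTPS-only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
}

function login_user(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session,
    // so an ID that was fixed before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function session_id_in_request(): bool
{
    // With the settings above such an ID is ignored; detecting it is still
    // useful for logging, since normal clients never send it this way.
    $name = session_name();
    return isset($_GET[$name]) || isset($_POST[$name]);
}

start_hardened_session();
if (session_id_in_request()) {
    error_log('Ignored session ID supplied via GET/POST from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
```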