I have some questions about the mechanism of session in code igniter framework:
1. isn't it exactly like working with a cookie? because what I have seen is that all the session data is send back as a cookie to the browser. so when another request is made then all the data is sent back with the cookie session.
2. the session data is sent back to the browser. even though it is encrypted, I can still identify all the session items, so isn't it easy to change the encrypted value of that item to an encrypt value, like changing an item called loged_in from false to true
3. when saving session data in a database, is the session data automatically deleted?
4. why is it written in code igniter documentation that "Session IDs can never be updated, they can only be generated when a new session is created". so when regenerating the session id in the cookie session how will we be able to compare it to the session id that is stored in the database?
The Session class does not utilize native PHP sessions. CI session library generates cookie when you initialize session in CodeIgniter. So actually sessions in CodeIgniter is a Cookie.
Setup Encryption Key on your config.php file and I'm sure that will resolve an issue you are having. Even CI session document says - "Even if you are not using encrypted sessions, you must set an encryption key in your config file which is used to aid in preventing session data manipulation."
I personally never tried DB Session but YES CI deletes expired sessions stored in DB. CI Documentation says - "The Session class has built-in garbage collection which clears out expired sessions", which explains pretty much about this question.
CI has taken care of this situation. When regenerating session id, CI replaces old session id stored in DB with new session id. If you can take a look in to Session library; check for sess_update() method for more details and you can see how CI is updating new session id in DB.
Related
I ned to set a session per every user, so when the user log ou from his account and login again in another account the old session will not be shown but the new that related to his new account will be shown
I am using the normal method in laravel to do it
Session::put('key', 'value');
But the problem as explained is that the session will br shown in all user using this computer
Session ids are supposed to be non-guessable. You're going to have to resolve (attempted) duplicates serverside. If you search through every existing session for a match then your not going to be able to scale this / its going to be very slow. That means you need an access path to the session data based on the username AS WELL AS the session id.
There are lots of solutions to this. I don't think any of them are exposed directly in Laravel.
You need to deal with maintaining the mapping directly in the session management - so you will need a custom session handler. The session handler deals with serialized data - so you need to think about how the username is resolved within the session handler. You could put it in the session and deserialize the data again the handler, or read the value from a global variable. Or you could write a prototytype of the session into a database with the sessionid as the primary key and the username as an indexed lookup before the session close handler is called.
Another approach would be to store the session as the username rather than using the session id. You still need to protect the username though and avoid session fixation, hence you would need to explicity generate the session id using a mechansim where only you can recover the username from it, e.g.
$data=array($username, openssl_random_pseudo_bytes(16));
$sessionid = encrypt(serialize($data), $your_secret_key);
(You still need to write your own session handler for this).
I'm using session in Laravel app which has login function.
Session is stored in DB.
My app session generates session Name "laravel_session".
Maybe, it is default Name.(I checked it in chrome debugger.)
I thought it can cause session fixation.
So, I use session->regenerate() after Login process.
However, it generate "laravel_session" again. Is it working?
I checked sessions table after session->regenerate() and I found column "id" is changed.
There's a huge difference between session_name() (which names the cookie) and session_id() (which should be a random, unpredictable value).
Your session name is public knowledge. It's the session ID that needs to be secret.
(Think of it as a key => value pair.)
Anyway, the point of session_regenerate_id(true); and the use_strict_mode configuration directive is to mitigate session fixation issues. You should always regenerate session IDs when the user changes their level of privilege (logging in, logging out, etc.).
Laravel already contains built-in protections against sesssion fixation, and a built-in function for you to do it yourself:
https://laravel.com/docs/5.6/session
Laravel automatically regenerates the session ID during authentication if you are using the built-in LoginController; however, if you need to manually regenerate the session ID, you may use the regenerate method.
$request->session()->regenerate();
Does it start a current session based on cookies? Got that from the PHP website. How does PHP control the session? If I start a session when a user opens up my login page, what do I even use that session for? Can I use the current session to get info about the logged in user?
The PHP session system lets you store securely data in the $_SESSION global array. A typical example is to store the user's identifier in the session when they type in their password:
if ($user = try_login($login, $password))
$_SESSION['user'] = $user;
Then, you can access that information on all other pages:
if (isset($_SESSION['user']))
// logged in !
echo user_name($_SESSION['user']);
The data is stored on the server, so there is no risk of tampering (on the other hand, mind your disk usage).
Starting the session lets the current request use $_SESSION. If this is the user's first visit, the array will be empty and a new session cookie will be sent for you.
Closing the session merely prevents the current request from using $_SESSION, but the data stays around for the next requests.
Destroying the session throws away all the data, forever. The sessions are destroyed a certain duration after the last visit (usually around 30 minutes).
I assume you want to know what a PHP session means for you, the programmer.
When you do session_start() you are telling PHP that you want to use the session. This is made available to you as an array called $_SESSION. You can use that like any other array with the difference that the stuff you put in there stays there from one page to another (provided you use session_start() at the beginning of each page).
The actual mechanism may vary depending on configuration (php.ini), but a typical installation can use cookies for the session. Let's assume that your webserver is on linux and you're using cookies. You do the following
session_start();
$_SESSION['name']='Bob';
When PHP sees this it creates a text file with a semi-random name (for example sess_a3tfkd5558kf5rlm44i538fj07), sticks the $_SESSION contents in there as plain text and then sends a cookie to the user with the session id, which can be used to find the session file (for example a3tfkd5558kf5rlm44i538fj07).
The next time the user comes back he hands in the session id in his cookie, PHP goes to the relevant file and loads its contents in $_SESSION.
You'll note that the actual information is kept on the server while the user is only given an id. Kinda like handing in your coat in a club and getting a ticket with a number on it.
PHP's session_start starts OR resumes an HTTP session, which is explained fairly well in this article:
http://en.wikipedia.org/wiki/Session_(computer_science)
The concept of an HTTP "session" isn't specific to PHP, it's used in many (all?) server side HTTP frameworks as one way to allow for some state to be stored/associated across different request/responses (since HTTP is stateless). A unique token (which is often, but not always, stored in a cookie) identifies a particular client, and the server can associate the "session."
Here's some more info about sessions and PHP in particular that may help: http://www.php.net/manual/en/book.session.php
Like it says in the Manual
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
If you start a new session at your login page, the session is initially empty. You can store in it whatever you want, for instance, store the user id once the user has logged in. The session data is destroyed when you close the session.
You might want to read all chapters in the Session Extension Manual Pages and also see
what is session and cookies in php and where it stored
You can compare PHP session with the cookie, but session is the much more secure way of storing information. Cookie store data on user's computer, but session store on the server in a temporary file securely.
I have discussed session and how to use it on one of my blog post - How to start a PHP session, store and accessing Session data?
Below is an example code of storing data in PHP session:
<?php
session_start();
$_SESSION["name"] = "John";
?>
Below is the example of retriving the session data:
<?php
session_start();
echo $_SESSION["name"];
?>
The above code will display the name "John".
Source: How to start a PHP session, store and accessing Session data?
So I was thinking about using CodeIgniter to build an application as to where my clients can register etc. However, I've been looking at the documentation about the sessions, and I was a little confused as to how the cookie data/session data is validated. Could somebody please clear this up for me? I will give my interpretation of how I think it works.
The user logs in -> Session is created and stored session id and email in cookie -> On each page load the cookie data is checked in the database to confirm users session id matches their user agent, ip and perhaps other things?
I'm sorry as to if that is horribly wrong, but I'm having a hard time understanding the logic with securing a session. Thank you for your help!
This is straight from Codeigniter manual:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
How do Sessions work?
When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If sessions data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.
It's important for you to understand that once initialized, the Session class runs automatically. There is nothing you need to do to cause the above behavior to happen. You can, as you'll see below, work with session data or even add your own data to a user's session, but the process of reading, writing, and updating a session is automatic.
I am using a existing php application which has different interfaces like admin, agent and customer.
I have created a new agent interface using codeignitor. FOr login into agent portal, I am using the existing agent login page from old application but after login is successful my new agent interface is supposed to be loaded.
In the old application, there are sessions used and the agent_id is stored in the session variable.
when I am trying to use this session variable in my new code, I get an error message ...variable can't be found. How can I use the session variable from my first application into my new interface?
when I print the session name in my first application and in one of new codeignitor code page,, I can see both the sessions are different. I think this is the problem because codeignitor manages its session.
I searched on the google and came to know about the sessions settings save path and all, I am not sure what exactly I need to do here to resolve this.
Remember both projects/applications should exist on the same server
By default codeignitor follows the COOKIE's as a session so you have to ovwerwrite that library with any of the PHP native session libraries.
Then pass the session_id to that project through CRUL or POST or URL in a two way encrypted format. Don't forget to encrypt the session id
From Project 1 :
//to get the session id
$id = session_id();
//do some custom encryption
$id = 'ajhkdhfasjdhfajsdfhkjadf';
**Ref:**
http://www.php.net/manual/en/function.mcrypt-encrypt.php
From Project 2:
Ref:
http://www.php.net/manual/en/function.mcrypt-decrypt.php
The initialize the session id before start the session like below
//do some custom encryption
$id = $this->input->get('id');
//decrypt the value
session_id($id);
session_start();
Now you can access the session values.
when I print the session name in my first application and in one of
new codeignitor code page,, I can see both the sessions are different.
I think this is the problem because codeignitor manages its session.
You are correct about CI handling its own sessions, the way around this issue is to use the native session library.
https://github.com/EllisLab/CodeIgniter/wiki/Native-session
The other way is to make CI use database sessions and just pass the session ID to your new application so you can select the correct data from the database.