diff options
author | Derek Jones <derek.jones@ellislab.com> | 2010-08-31 04:31:08 +0200 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2010-08-31 04:31:08 +0200 |
commit | 5485db50775d4e2f76a593ef8b3425f6a1b90666 (patch) | |
tree | 1b934405afbdcd4501237b11959117006806784b | |
parent | 60f8c395f24ba6db80d510892bcc53ce5bf9f4eb (diff) |
Added fatal error to Session class when no encryption key is set in the config file, for additional assurance that session manipulation can be prevented
-rw-r--r-- | application/config/config.php | 4 | ||||
-rw-r--r-- | system/libraries/Session.php | 5 | ||||
-rw-r--r-- | user_guide/libraries/sessions.html | 3 |
3 files changed, 10 insertions, 2 deletions
diff --git a/application/config/config.php b/application/config/config.php index 6e52bcc17..c5eae8f5b 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -213,8 +213,8 @@ $config['cache_path'] = ''; | Encryption Key |-------------------------------------------------------------------------- | -| If you use the Encryption class or the Sessions class with encryption -| enabled you MUST set an encryption key. See the user guide for info. +| If you use the Encryption class or the Session class you +| MUST set an encryption key. See the user guide for info. | */ $config['encryption_key'] = ""; diff --git a/system/libraries/Session.php b/system/libraries/Session.php index cf6dc96e3..f413c0d1b 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -65,6 +65,11 @@ class CI_Session { $this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key); } + if ($this->encryption_key == '') + { + show_error('In order to use the Session class you are required to set an encryption key in your config file.'); + } + // Load the string helper so we can use the strip_slashes() function $this->CI->load->helper('string'); diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html index 9a2ca939c..7dc386fd4 100644 --- a/user_guide/libraries/sessions.html +++ b/user_guide/libraries/sessions.html @@ -68,6 +68,9 @@ use the database option you'll need to create the session table as indicated bel <p class="important"><strong>Note:</strong> The Session class does <strong>not</strong> utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.</p> +<p class="important"><strong>Note:</strong> Even if you are not using encrypted sessions, you must set +an encryption key in your config file which is used to aid in preventing session data manipulation.</p> + <h2>Initializing a Session</h2> <p>Sessions will typically run globally with each page load, so the session class must either be |