authorDerek Jones <derek.jones@ellislab.com>2010-08-31 04:31:08 +0200
committerDerek Jones <derek.jones@ellislab.com>2010-08-31 04:31:08 +0200
commit5485db50775d4e2f76a593ef8b3425f6a1b90666 (patch)
tree1b934405afbdcd4501237b11959117006806784b
parent60f8c395f24ba6db80d510892bcc53ce5bf9f4eb (diff)
Added fatal error to Session class when no encryption key is set in the config file, for additional assurance that session manipulation can be prevented
-rw-r--r--application/config/config.php4
-rw-r--r--system/libraries/Session.php5
-rw-r--r--user_guide/libraries/sessions.html3
3 files changed, 10 insertions, 2 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 6e52bcc17..c5eae8f5b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -213,8 +213,8 @@ $config['cache_path'] = '';
| Encryption Key
|--------------------------------------------------------------------------
|
-| If you use the Encryption class or the Sessions class with encryption
-| enabled you MUST set an encryption key. See the user guide for info.
+| If you use the Encryption class or the Session class you
+| MUST set an encryption key. See the user guide for info.
|
*/
$config['encryption_key'] = "";
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index cf6dc96e3..f413c0d1b 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -65,6 +65,11 @@ class CI_Session {
$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
}
+ if ($this->encryption_key == '')
+ {
+ show_error('In order to use the Session class you are required to set an encryption key in your config file.');
+ }
+
// Load the string helper so we can use the strip_slashes() function
$this->CI->load->helper('string');
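Review bot: The new guard `if ($this->encryption_key == '')` rejects only an empty value, so a whitespace-only or one-character key still passes, even though the commit message relies on the key to prevent session manipulation. Consider `if (trim((string) $this->encryption_key) === '')`, and say in the user guide note that the key should be long and random. A one-line comment above the check would record the intent, e.g. `// The key protects session data against tampering, so refuse to start without one`. The enclosing constructor starts and ends outside the hunk, so it is not visible whether `encryption_key` can also arrive through `$params`; if it can, the message's "in your config file" is too narrow.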
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html
index 9a2ca939c..7dc386fd4 100644
--- a/user_guide/libraries/sessions.html
+++ b/user_guide/libraries/sessions.html
@@ -68,6 +68,9 @@ use the database option you'll need to create the session table as indicated bel
<p class="important"><strong>Note:</strong> The Session class does <strong>not</strong> utilize native PHP sessions. It
generates its own session data, offering more flexibility for developers.</p>
+<p class="important"><strong>Note:</strong> Even if you are not using encrypted sessions, you must set
+an encryption key in your config file which is used to aid in preventing session data manipulation.</p>
+
<h2>Initializing a Session</h2>
<p>Sessions will typically run globally with each page load, so the session class must either be