diff options
author | Derek Jones <derek.jones@ellislab.com> | 2010-09-02 17:20:54 +0200 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2010-09-02 17:20:54 +0200 |
commit | 95e05a0d51c034523fab629357e5fc9c065ecd58 (patch) | |
tree | fd1d21db7bd238c7560100c89d5f15ab39b76372 | |
parent | d1606358ba51261150bc2f99bb9cb2b9117718e7 (diff) |
added a teeny bit stronger wording to encourage use of database for sessions where validation is necessary or undesirable actions could occur by a user manipulating their cookies
-rw-r--r-- | user_guide/libraries/sessions.html | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html index a8e3b3496..3bd170d60 100644 --- a/user_guide/libraries/sessions.html +++ b/user_guide/libraries/sessions.html @@ -190,12 +190,14 @@ $this->session->unset_userdata(<samp>$array_items</samp>);</code></p> <h2>Saving Session Data to a Database</h2> <p>While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no -security, session ID validation may not be needed, but if your application requires security, validation is mandatory.</p> +security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, an old session +could be restored by a user modifying their cookies.</p> <p>When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.</p> + <p>In order to store sessions, you must first create a database table for this purpose. Here is the basic prototype (for MySQL) required by the session class:</p> |