From 8a5cd93927691074af1428bcb8958fc3e6a17e00 Mon Sep 17 00:00:00 2001
From: Rick Ellis The Session class permits you maintain a user's "state" and track their activity while they browse your site.
The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie.
-It can also store the session data in a database table for added security, as this permits the session ID in the
+It can additionally store the session data in a database table for added security, as this permits the session ID in the
user's cookie to be matched against the stored session ID. By default only the cookie is saved. If you choose to
-use the database option you'll need to create the session table as indicated below.
+use the database option you'll need to create the session table as indicated below.
Note: The Session class does not utilize native PHP sessions. It
-generates its own session data, offering more flexibility for developers.
Sessions will typically run globally with each page load, so the session class must either be +
The Session routines must happen with each page load (and before anything is outputted to the browser), so the session class must either be initialized in your controller constructors, or it can be auto-loaded by the system. -For the most part the session class will run unattended in the background, so simply initializing the class -will cause it to read, create, and update sessions.
+Once initialized, the Session class will run unattended in the background, reading, writing, and updating the session as needed.To initialize the Session class manually in your controller constructor, use the $this->load->library function:
$this->load->library('session');
-Once loaded, the Sessions library object will be available using: $this->session
+ +You can access the Session library object using: $this->session
When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. +
When a page is loaded, the Session class will check to see if valid session data exists in the user's session cookie. If sessions data does not exist (or if it has expired) a new session will be created and saved in the cookie. -If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.
+If a session does exist, its information and cookie will be updated automatically. With each update, the session_id will be regenerated for security.It's important for you to understand that once initialized, the Session class runs automatically. There is nothing you need to do to cause the above behavior to happen. You can, as you'll see below, work with session data or @@ -141,7 +141,7 @@ will do this:
A useful aspect of the session array is that you can add your own data to it and it will be stored in the user's cookie. +
A useful aspect of the session array is that you can add your own data to it and it will be stored in the session array. Why would you want to do this? Here's one example:
Let's say a particular user logs into your site. Once authenticated, @@ -162,10 +162,14 @@ having to run a database query when you need it.
);If you want to add userdata one value at a time, set_userdata() also supports this syntax.
$this->session->set_userdata('some_name', 'some_value');
Note: Cookies can only hold 4KB of data, so be careful not to exceed the capacity. The -encryption process in particular produces a longer data string than the original so keep careful track of how much data you are storing.
+ + +Note: By default, the session class stores your custom data in the session cookie. Cookies, however, can only hold +4KB of data, so it is easily possible to exceed the capacity, particularly if you use encryption, since it produces a longer data string than the original. +If you need to store a larger amount of data it is recommended that you store your session data in a database table. You'll find instructions for this below.
Just as set_userdata() can be used to add information into a session, unset_userdata() can be used to remove it, by passing the session key. For example, if you wanted to remove 'some_name' from your session information:
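Review bot: The added note after the set_userdata() example presents the cookie only as a 4KB size limit, although the same note says custom data is stored in the session cookie by default and the introduction describes that cookie as only optionally encrypted. I would add a sentence saying that userdata kept in the cookie is readable by the user unless encryption is enabled, so the database table is the right place for values the user should not see, not only for large ones.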
@@ -190,8 +194,12 @@ unless you store session data in a database there is no way to validate it. For security, session ID validation may not be needed, but if your application requires security, validation is mandatory.When session data is available in a database, every time a valid session is found in the user's cookie, a database -query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never -be updated, they can only be generated when a new session is created.
+query is performed to match it. If the session ID does not match, the session is destroyed. + +An additional benefit of using a database is that it permits you to store custom data along with the session. Earlier in this page we described how to add +custom data to your session. When you use the database feature, your custom data will be stored automatically in the database instead of in +the user's cookie.
+In order to store sessions, you must first create a database table for this purpose. Here is the basic prototype (for MySQL) required by the session class:
@@ -202,12 +210,15 @@ session_id varchar(40) DEFAULT '0' NOT NULL, ip_address varchar(16) DEFAULT '0' NOT NULL, user_agent varchar(50) NOT NULL, last_activity int(10) unsigned DEFAULT 0 NOT NULL, +user_data text NOT NULL, PRIMARY KEY (session_id) ); -Note: By default the table is called ci_sessions, but you can name it anything you want -as long as you update the application/config/config.php file so that it contains the name you have chosen. -Once you have created your database table you can enable the database option in your config.php file as follows:
+Note: By default the table is named ci_sessions, but you can name it anything you want +as long as you update the application/config/config.php file so that it contains the name you have chosen. The Session class, however, +expects the column names to be identical to the ones indicated above.
+ +Once you have created your database table you can enable the database option in your config.php file as follows:
$config['sess_use_database'] = TRUE;
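Review bot: The added `user_data text NOT NULL` column in the table prototype has no upgrade guidance, even though the new note beside it says the Session class expects the column names to be identical to the ones shown. Readers who created their table from the previous prototype will not have this column. Suggest one sentence next to the note saying that existing session tables need the user_data column added before the database option is used with this version.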
@@ -217,7 +228,7 @@ Once you have created your database table you can enable the database option in
$config['sess_table_name'] = 'ci_sessions";
-Note: The Session class has built-in garbage collection which clears out expired sessions so you +
Note: The Session class has a built-in garbage collection routine which clears out expired sessions periodically so you do not need to write your own routine to do it.
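Review bot: The context line `$config['sess_table_name'] = 'ci_sessions";` in this hunk opens the string with a single quote and closes it with a double quote, so the string is never terminated and config.php will not parse if the line is pasted as shown. Since the hunk already edits the adjacent garbage-collection note, fix the line to `$config['sess_table_name'] = 'ci_sessions';` in the same change.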
@@ -229,7 +240,21 @@ do not need to write your own routine to do it.You'll find the following Session related preferences in your application/config/config.php file:
+Normally you will set the Session preferences in your application/config/config.php file.
+ +If you prefer to set any of the preferences manually you can do so when you load the session class, by passing an array of values you +wish to set in the second parameter as follows:
+ +
+$session_vals = array(
+ 'sess_expiration' = 10800,
+ 'sess_match_ip' = TRUE
+ );
+
+$this->load->library('session', $session_vals);
+
+
+The following table lists the available preferences:
TRUE/FALSE (boolean) | Whether to match the User Agent when reading the session data. | +||
sess_cookie_name | +ci_session | +None | +The name of the session cookie | +
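Review bot: The new $session_vals example uses `=` instead of `=>` inside array(): `'sess_expiration' = 10800,` and `'sess_match_ip' = TRUE` are not valid PHP, so the snippet fails to parse when copied into a controller. Change both to `=>`. The surrounding text should also state whether values passed in the second parameter of $this->load->library() take precedence over the ones in application/config/config.php, since it offers them as an alternative without saying which wins.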