Why use CI Sessions
Posted: 21 November 2008 11:17 PM
Summer Student
Total Posts:  10
Joined  11-02-2008

I had posted a sessions question a while back and thank you for your answers, but I do have a few more.

What are the benefits of using CI sessions? It appears to me that one benefit is more control over the life of each session. Also, I do like not having to call session_start() on every page.

But the CI session info is stored in cookies / client side.

Isn’t that more prone to errors and security issues? 

Plus, if cookies are disabled in the user’s browser, then what? I don’t believe browsers can disable PHP sessions, true?

I am sure there are benefits to CI’s version and perhaps I’m not experienced enough to see them.  Isn’t that why you’re here? LOL

John

Posted: 22 November 2008 11:10 PM  [ #1 ]
Research Assistant
Total Posts:  727
Joined  11-28-2007

CI sessions store a limited amount of data in the cookie, which is only used in conjunction with information stored in the session database.  If you want to store sensitive data and have it associated with a logged-in user, store the sensitive information in the database.  That’s plenty secure, seeing as how a hacker would have to guess a large string that changes often.

PHP sessions cannot be disabled via the browser since they are a server-side resource; however, PHP sessions have been known to have issues with older browsers (IE6 anyone?).

I won’t say more than that because honestly I don’t have enough experience with user authentication to try and say what’s good and what’s bad.  I do know, though, that the Ellis guys are pretty smart, and I’m sure they’d create something secure for you to use.

Posted: 23 November 2008 12:45 AM  [ #2 ]
Lab Assistant
Total Posts:  250
Joined  11-08-2006

Search the forums/wiki and you’ll find plenty of code to make CI’s sessions more useful. As for the question of what happens when the user has cookies turned off, PHP native sessions store the session ID client-side in a cookie as well (falling back to passing it in the URL), so basically you’ve got the same problem and security issues with either method.

Have you read the User Guide section on the session library? You’ll see that you can configure the cookie data to be encrypted as well as a couple other options to increase the security.

- K

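To make the two points above concrete (reply #1: keep sensitive data in the database and let the cookie hold only the session reference; reply #2: turn on the user guide's encryption and other hardening options), here is an added example that is not code from this thread or from the CodeIgniter project itself. The `$config['sess_*']` and `encryption_key` keys are the ones in CI 1.7's application/config/config.php, and the table layout follows the session library's user guide; the `Account` controller, the `users` table and the `user_id` key are illustrative assumptions.

```php
<?php
// Added example (not from the thread or the CodeIgniter project): CI 1.7 session
// settings, weak default beside hardened choice, plus a controller that keeps
// sensitive data server-side. Controller/table/key names are assumptions.

// ---- application/config/config.php ----

// Weak (the 1.7 defaults): everything passed to set_userdata() is serialized
// into the cookie in the clear, so the client can read it and tamper with it.
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = FALSE;
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

// Hardened: the cookie carries only session_id, ip_address, user_agent and
// last_activity, encrypted with the site key; custom userdata lives in the table.
$config['encryption_key']       = 'replace-with-a-random-32-char-key'; // needed by the Encrypt class
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;   // relax if your users sit behind rotating proxies
$config['sess_match_useragent'] = TRUE;

/* Session table as documented in the user guide (MySQL):
CREATE TABLE IF NOT EXISTS `ci_sessions` (
  session_id    varchar(40)  DEFAULT '0' NOT NULL,
  ip_address    varchar(16)  DEFAULT '0' NOT NULL,
  user_agent    varchar(50)  NOT NULL,
  last_activity int(10) unsigned DEFAULT 0 NOT NULL,
  user_data     text NOT NULL,
  PRIMARY KEY (session_id)
);
*/

// ---- application/controllers/account.php (hypothetical) ----
class Account extends Controller {

    function Account() {
        parent::Controller();
        $this->load->library('session');  // no session_start() anywhere; autoload it in practice
        $this->load->helper('url');
        $this->load->database();
    }

    // After a successful credential check, store only an opaque reference.
    // With sess_use_database on, this value is written to ci_sessions.user_data,
    // never to the cookie.
    function login_ok($user_id) {
        $this->session->set_userdata('user_id', (int) $user_id);
        $this->session->set_flashdata('notice', 'Welcome back');
        redirect('account/profile');
    }

    // Sensitive fields are fetched from the users table on every request and
    // never copied into the session, so they never reach the client side.
    function profile() {
        $user_id = $this->session->userdata('user_id');  // FALSE when not set
        if ($user_id === FALSE) {
            redirect('account/login');
        }
        $query = $this->db->get_where('users', array('id' => $user_id), 1);
        if ($query->num_rows() !== 1) {
            // Stale reference: kill the server-side row and the cookie together.
            $this->session->sess_destroy();
            redirect('account/login');
        }
        $data['user']   = $query->row();
        $data['notice'] = $this->session->flashdata('notice');
        $this->load->view('account/profile', $data);
    }
}
```

With `sess_use_database` set, CI reads the session id from the (encrypted) cookie, looks the row up in `ci_sessions`, and only then unserializes `user_data`, which is where the "large string that changes often" from reply #1 comes in: the id is regenerated every `sess_time_to_update` seconds, and a tampered or expired cookie simply fails the lookup. `sess_match_ip` and `sess_match_useragent` add a second check on the cookie, at the cost of logging out users whose address changes mid-session.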
Posted: 23 November 2008 07:13 PM  [ #3 ]
Summer Student
Total Posts:  12
Joined  10-14-2008

Personally I would struggle to live without $this->session->flashdata :)

Posted: 24 November 2008 12:36 AM  [ #4 ]
Lab Technician
Total Posts:  1264
Joined  04-19-2008

I stopped using the CI sessions except for the flashdata when I got a bug with sess_destroy() in 1.7.0. I built my own auth library using native sessions.

-- PinoyTech - Web Development Blog
