Native_session library was written for those who prefer to use native PHP session handling features over the original CI session implementation and require additional security.
Benefits over CI_Session
* hardened against session fixation by cookie id TTL (time to live) - regenerates cookie id automatically every given amount of time (right now configured inside the class) - see Note about making it setable.
* you can use all available PHP session storage drivers (database, memcache, etc.)
* “flash” session attributes (see: “Flash” attributes)
Benefits over PHPsession
* compatible with CI_Session
- the same way of use, just load the library, set_userdata(), userdata()
- easy to migrate existing apps to Native_session
- need docs - use the CI manual :)
* better security (automatic and manual session id regeneration)
PHPsession introduces concept of session namespace, which IMHO encourages you to use large number of the the session vars. I prefer to limit the use of sessions as much as possible (because of the potential scalability problems), so the Native_session won’t implement session namespaces.
Usage
* the same as the original CI session library - just load the library and access the session data via session->userdata() and session->set_userdata() methods
* allows to regenerate cookie id manually by calling session->regenerate_id()
Flash attributes
You can set the session attribute that will persist only for the next request. The usage is similar to the session->set_userdata($key, $value), userdata($key):
* set_flashdata($key, $value) - sets the flash attribute
* flashdata($key) - gets the value of the given flash attribute
* keep_flashdata($key) - make the given flash attribute valid for one more request
The implementation of flash attributes is based on the Native_session session implementation, which means it uses the PHP native session handling features.
The original concept:
* PHPsession
* Discussion thread
Variable Session Times
* Locate the _sess_run() function. Add this at the start of the function:
$session_id_ttl = $this->object->config->item('sess_expiration');
if (is_numeric($session_id_ttl))
{
if ($session_id_ttl > 0)
{
$this->session_id_ttl = $this->object->config->item('sess_expiration');
}
else
{
$this->session_id_ttl = (60*60*24*365*2);
}
}
* Remove the number set at the top of the class implementation:
var $session_id_ttl;
* Add
$this->object =& get_instance();
to the top of the Native_session() function
* It should now pick up the
$config['sess_expiration'] = 7200;
line in your config.php file.
- Added by HushPe
Files
Contents of system/application/libraries/native_session.php:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/**
* Code Igniter
*
* An open source application development framework for PHP 4.3.2 or newer
*
* @package CodeIgniter
* @author Dariusz Debowczyk
* @copyright Copyright (c) 2006, D.Debowczyk
* @license http://www.codeignitor.com/user_guide/license.html
* @link http://www.codeigniter.com
* @since Version 1.0
* @filesource
*/
// ------------------------------------------------------------------------
/**
* Session class using native PHP session features and hardened against session fixation.
*
* @package CodeIgniter
* @subpackage Libraries
* @category Sessions
* @author Dariusz Debowczyk
* @link http://www.codeigniter.com/user_guide/libraries/sessions.html
*/
class Native_session {
var $session_id_ttl = 360; // session id time to live (TTL) in seconds
var $flash_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)
function Native_session()
{
log_message('debug', "Native_session Class Initialized");
$this->_sess_run();
}
/**
* Regenerates session id
*/
function regenerate_id()
{
// copy old session data, including its id
$old_session_id = session_id();
$old_session_data = $_SESSION;
// regenerate session id and store it
session_regenerate_id();
$new_session_id = session_id();
// switch to the old session and destroy its storage
session_id($old_session_id);
session_destroy();
// switch back to the new session id and send the cookie
session_id($new_session_id);
session_start();
// restore the old session data into the new session
$_SESSION = $old_session_data;
// update the session creation time
$_SESSION['regenerated'] = time();
// session_write_close() patch based on this thread
// http://www.codeigniter.com/forums/viewthread/1624/
// there is a question mark ?? as to side affects
// end the current session and store session data.
session_write_close();
}
/**
* Destroys the session and erases session storage
*/
function destroy()
{
unset($_SESSION);
if ( isset( $_COOKIE[session_name()] ) )
{
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
}
/**
* Reads given session attribute value
*/
function userdata($item)
{
if($item == 'session_id'){ //added for backward-compatibility
return session_id();
}else{
return ( ! isset($_SESSION[$item])) ? false : $_SESSION[$item];
}
}
/**
* Sets session attributes to the given values
*/
function set_userdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$_SESSION[$key] = $val;
}
}
}
/**
* Erases given session attributes
*/
function unset_userdata($newdata = array())
{
if (is_string($newdata))
{
$newdata = array($newdata => '');
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
unset($_SESSION[$key]);
}
}
}
/**
* Starts up the session system for current request
*/
function _sess_run()
{
session_start();
// check if session id needs regeneration
if ( $this->_session_id_expired() )
{
// regenerate session id (session data stays the
// same, but old session storage is destroyed)
$this->regenerate_id();
}
// delete old flashdata (from last request)
$this->_flashdata_sweep();
// mark all new flashdata as old (data will be deleted before next request)
$this->_flashdata_mark();
}
/**
* Checks if session has expired
*/
function _session_id_expired()
{
if ( !isset( $_SESSION['regenerated'] ) )
{
$_SESSION['regenerated'] = time();
return false;
}
$expiry_time = time() - $this->session_id_ttl;
if ( $_SESSION['regenerated'] <= $expiry_time )
{
return true;
}
return false;
}
/**
* Sets "flash" data which will be available only in next request (then it will
* be deleted from session). You can use it to implement "Save succeeded" messages
* after redirect.
*/
function set_flashdata($key, $value)
{
$flash_key = $this->flash_key.':new:'.$key;
$this->set_userdata($flash_key, $value);
}
/**
* Keeps existing "flash" data available to next request.
*/
function keep_flashdata($key)
{
$old_flash_key = $this->flash_key.':old:'.$key;
$value = $this->userdata($old_flash_key);
$new_flash_key = $this->flash_key.':new:'.$key;
$this->set_userdata($new_flash_key, $value);
}
/**
* Returns "flash" data for the given key.
*/
function flashdata($key)
{
$flash_key = $this->flash_key.':old:'.$key;
return $this->userdata($flash_key);
}
/**
* PRIVATE: Internal method - marks "flash" session attributes as 'old'
*/
function _flashdata_mark()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':new:', $name);
if (is_array($parts) && count($parts) == 2)
{
$new_name = $this->flash_key.':old:'.$parts[1];
$this->set_userdata($new_name, $value);
$this->unset_userdata($name);
}
}
}
/**
* PRIVATE: Internal method - removes "flash" session marked as 'old'
*/
function _flashdata_sweep()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':old:', $name);
if (is_array($parts) && count($parts) == 2 && $parts[0] == $this->flash_key)
{
$this->unset_userdata($name);
}
}
}
}
?>
Contents of system/application/init/init_native_session.php:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/**
* Loads and instantiates native session class
*/
if ( ! class_exists('Native_session'))
{
require_once(APPPATH.'libraries/Native_session'.EXT);
}
// sessions engine should run on cookies to minimize opportunities
// of session fixation attack
ini_set('session.use_only_cookies', 1);
$obj =& get_instance();
$obj->session = new Native_session();
$obj->ci_is_loaded[] = 'session';
?>
Modifications for Version 1.5
CodeIgniter changes the way libraries are created and used in Version 1.5. To upgrade your Native_session library, do the following:
* Remove the init/init_native_session.php file. This file is no longer used by CodeIgniter.
* Rename the libraries/native_session.php file to libraries/Session.php
* Rename the Class in libraries/Session.php and Class Constructor to Session as follow:
// class Native_session { // USE THE LINE BELOW INSTEAD
class CI_Session {
var $session_id_ttl = 360; // session id time to live (TTL) in seconds
var $flash_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)
// function Native_session() // USE THE LINE BELOW INSTEAD
function CI_Session()
{
log_message('debug', "Native_session Class Initialized");
$this->_sess_run();
}
* In your application code, change your native session loading code as follows:
// $this->load->library('Native_session'); // USE THE LINE BELOW INSTEAD
$this->load->library('session');
Downloads
This it is a file already modified for version 1.5.1 of Code Igniter File:CI 1.5.1 with Session.zip