Native session

Category:Libraries::Session

Native_session library was written for those who prefer to use native PHP session handling features over the original CI session implementation and require additional security.

[h3] Benefits over CI_Session [/h3]

• hardened against session fixation by cookie id TTL (time to live) - regenerates cookie id automatically every given amount of time (right now configured inside the class) - see Note about making it setable.
• you can use all available PHP session storage drivers (database, memcache, etc.)
• "flash" session attributes (see: "Flash" attributes)

[h3] Benefits over PHPsession [/h3]

• compatible with CI_Session
  • the same way of use, just load the library, set_userdata(), userdata()
  • easy to migrate existing apps to Native_session
  • need docs - use the CI manual :)
• better security (automatic and manual session id regeneration)

PHPsession introduces concept of session namespace, which IMHO encourages you to use large number of the the session vars. I prefer to limit the use of sessions as much as possible (because of the potential scalability problems), so the Native_session won't implement session namespaces.

[h3] Usage [/h3]

• the same as the original CI session library - just load the library and access the session data via session->userdata() and session->set_userdata() methods
• allows to regenerate cookie id manually by calling session->regenerate_id()

[h3] Flash attributes [/h3]

You can set the session attribute that will persist only for the next request. The usage is similar to the session->set_userdata($key, $value), userdata($key):

• set_flashdata($key, $value) - sets the flash attribute
• flashdata($key) - gets the value of the given flash attribute
• keep_flashdata($key) - make the given flash attribute valid for one more request

The implementation of flash attributes is based on the Native_session session implementation, which means it uses the PHP native session handling features.

The original concept:

• PHPsession
• [url=http://www.codeigniter.com/forums/viewthread/529/]Discussion thread[/url]

[h3]Variable Session Times[/h3]

• Locate the _sess_run() function. Add this at the start of the function: [code] $session_id_ttl = $this->object->config->item('sess_expiration');

    if (is_numeric($session_id_ttl))
    {
        if ($session_id_ttl > 0)
        {
            $this->session_id_ttl = $this->object->config->item('sess_expiration');
        }
        else
        {
            $this->session_id_ttl = (60*60*24*365*2);
        }
    }
  

[/code]

• Remove the number set at the top of the class implementation: [code]var $session_id_ttl;[/code]

• Add [code]$this->object =& get_instance();[/code] to the top of the Native_session() function

• It should now pick up the [code]$config['sess_expiration'] = 7200;[/code] line in your config.php file.

• Added by HushPe

[h3] Files [/h3]

Contents of system/application/libraries/native_session.php:

[code] <?php if (!defined('BASEPATH')) exit('No direct script access allowed'); /**

• Code Igniter
• An open source application development framework for PHP 4.3.2 or newer
• @package CodeIgniter
• @author Dariusz Debowczyk
• @copyright Copyright (c) 2006, D.Debowczyk
• @license http://www.codeignitor.com/user_guide/license.html
• @link http://www.codeigniter.com
• @since Version 1.0
• @filesource */

// ------------------------------------------------------------------------

/**

• Session class using native PHP session features and hardened against session fixation.

• @package CodeIgniter

• @subpackage Libraries

• @category Sessions

• @author Dariusz Debowczyk

• @link http://www.codeigniter.com/user_guide/libraries/sessions.html */ class Native_session { var $session_id_ttl = 360; // session id time to live (TTL) in seconds var $flash_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)

  function Native_session() { log_message('debug', "Native_session Class Initialized"); $this->_sess_run(); }

  /**

  • Regenerates session id */ function regenerate_id() { // copy old session data, including its id $old_session_id = session_id(); $old_session_data = $_SESSION;

    // regenerate session id and store it session_regenerate_id(); $new_session_id = session_id();

    // switch to the old session and destroy its storage session_id($old_session_id); session_destroy();

    // switch back to the new session id and send the cookie session_id($new_session_id); session_start();

    // restore the old session data into the new session $_SESSION = $old_session_data;

    // update the session creation time $_SESSION['regenerated'] = time();

    // session_write_close() patch based on this thread // http://www.codeigniter.com/forums/viewthread/1624/ // there is a question mark ?? as to side affects

    // end the current session and store session data. session_write_close(); }

  /**

  • Destroys the session and erases session storage */ function destroy() { unset($_SESSION); if ( isset( $_COOKIE[session_name()] ) ) { setcookie(session_name(), '', time()-42000, '/'); } session_destroy(); }

  /**

  • Reads given session attribute value */
    function userdata($item) { if($item == 'session_id'){ //added for backward-compatibility return session_id(); }else{ return ( ! isset($_SESSION[$item])) ? false : $_SESSION[$item]; } }

  /**

  • Sets session attributes to the given values */ function set_userdata($newdata = array(), $newval = '') { if (is_string($newdata)) { $newdata = array($newdata => $newval); }

    if (count($newdata) > 0) { foreach ($newdata as $key => $val) { $_SESSION[$key] = $val; } } }

  /**

  • Erases given session attributes */ function unset_userdata($newdata = array()) { if (is_string($newdata)) { $newdata = array($newdata => ''); }

    if (count($newdata) > 0) { foreach ($newdata as $key => $val) { unset($_SESSION[$key]); } }
    }

  /**

  • Starts up the session system for current request */ function _sess_run() { session_start();

    // check if session id needs regeneration if ( $this->_session_id_expired() ) { // regenerate session id (session data stays the // same, but old session storage is destroyed) $this->regenerate_id(); }

    // delete old flashdata (from last request) $this->_flashdata_sweep();

    // mark all new flashdata as old (data will be deleted before next request) $this->_flashdata_mark(); }

  /**

  • Checks if session has expired */ function _session_id_expired() { if ( !isset( $_SESSION['regenerated'] ) ) { $_SESSION['regenerated'] = time(); return false; }

    $expiry_time = time() - $this->session_id_ttl;

    if ( $_SESSION['regenerated'] <= $expiry_time ) { return true; }

    return false; }

  /**

  • Sets "flash" data which will be available only in next request (then it will
  • be deleted from session). You can use it to implement "Save succeeded" messages
  • after redirect. */ function set_flashdata($key, $value) { $flash_key = $this->flash_key.':new:'.$key; $this->set_userdata($flash_key, $value); }

  /**

  • Keeps existing "flash" data available to next request. */ function keep_flashdata($key) { $old_flash_key = $this->flash_key.':old:'.$key; $value = $this->userdata($old_flash_key);

    $new_flash_key = $this->flash_key.':new:'.$key; $this->set_userdata($new_flash_key, $value); }

  /**

  • Returns "flash" data for the given key. */ function flashdata($key) { $flash_key = $this->flash_key.':old:'.$key; return $this->userdata($flash_key); }

  /**

  • PRIVATE: Internal method - marks "flash" session attributes as 'old' */ function _flashdata_mark() { foreach ($_SESSION as $name => $value) { $parts = explode(':new:', $name); if (is_array($parts) && count($parts) == 2) { $new_name = $this->flash_key.':old:'.$parts[1]; $this->set_userdata($new_name, $value); $this->unset_userdata($name); } } }

  /**

  • PRIVATE: Internal method - removes "flash" session marked as 'old' */ function _flashdata_sweep() { foreach ($_SESSION as $name => $value) { $parts = explode(':old:', $name); if (is_array($parts) && count($parts) == 2 && $parts[0] == $this->flash_key) { $this->unset_userdata($name); } } } } ?> [/code]

Contents of system/application/init/init_native_session.php:

[code] <?php if (!defined('BASEPATH')) exit('No direct script access allowed');

/**

• Loads and instantiates native session class */

if ( ! class_exists('Native_session')) { require_once(APPPATH.'libraries/Native_session'.EXT); }

// sessions engine should run on cookies to minimize opportunities // of session fixation attack ini_set('session.use_only_cookies', 1);

$obj =& get_instance(); $obj->session = new Native_session(); $obj->ci_is_loaded[] = 'session';

?> [/code]

[h3]Modifications for Version 1.5 [/h3] CodeIgniter changes the way libraries are created and used in Version 1.5. To upgrade your Native_session library, do the following:

• Remove the init/init_native_session.php file. This file is no longer used by CodeIgniter.
• Rename the libraries/native_session.php file to libraries/Session.php
• Rename the Class in libraries/Session.php and Class Constructor to Session as follow: [code] // class Native_session { // USE THE LINE BELOW INSTEAD class CI_Session { var $session_id_ttl = 360; // session id time to live (TTL) in seconds var $flash_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)

// function Native_session() // USE THE LINE BELOW INSTEAD function CI_Session() { log_message('debug', "Native_session Class Initialized"); $this->_sess_run(); } [/code]

• In your application code, change your native session loading code as follows: [code] // $this->load->library('Native_session'); // USE THE LINE BELOW INSTEAD $this->load->library('session'); [/code]

[h3]Downloads[/h3]

This it is a file already modified for version 1.5.1 of Code Igniter File:CI_1.5.1_with_Session.zip