World Wide Web Server edited this page Jul 4, 2012 · 35 revisions

The Native_session library was written for those who prefer native PHP session handling over the original CI session implementation and need additional security.

[h3] Benefits over CI_Session [/h3]

  • hardened against session fixation by a cookie id TTL (time to live): the session id is regenerated automatically after a given amount of time (currently configured inside the class via $session_id_ttl, 360 seconds by default)
  • you can use all available PHP session storage drivers (database, memcache, etc.)

[h3] Usage [/h3]

  • the same as the original CI session library: just load the library and access the session data via the session->userdata() and session->set_userdata() methods
  • the session id can be regenerated manually by calling session->regenerate_id()
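The following controller is an added usage example, not part of the library or of the original page. It shows the manual regenerate_id() call where it matters most from a defensive point of view: immediately after a successful login, so that the session id the browser presented before authentication is never the one that carries the authenticated identity. The `auth` model and its check_credentials() and user_id() methods are hypothetical; everything else is the library's documented API and CI 1.x conventions.

```php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

// Added example (not the library's own code): CI 1.x controller that treats a
// login as a privilege change and rotates the session id at that point, on top
// of the automatic TTL-based rotation done by Native_session.
// Hypothetical: the 'auth' model with check_credentials() and user_id().
class Account extends Controller {

    function Account()
    {
        parent::Controller();
        $this->load->helper('url');               // redirect()
        $this->load->library('native_session');   // init file registers $this->session
        $this->load->model('auth');               // hypothetical model
    }

    function login()
    {
        $username = $this->input->post('username');
        $password = $this->input->post('password');

        if ($this->auth->check_credentials($username, $password) === FALSE)
        {
            // no identity established yet; keep the anonymous session as it is
            $this->session->set_userdata('login_failed', TRUE);
            redirect('account/login_form');
            return;
        }

        // privilege boundary crossed: discard the pre-authentication id
        // (old storage is destroyed, data is carried over), then record identity
        $this->session->regenerate_id();
        $this->session->unset_userdata('login_failed');
        $this->session->set_userdata(array(
            'user_id'   => $this->auth->user_id(),
            'logged_in' => TRUE,
        ));
        redirect('account/dashboard');
    }

    function dashboard()
    {
        // userdata() returns FALSE for unset keys, so a strict check is safe
        if ($this->session->userdata('logged_in') !== TRUE)
        {
            redirect('account/login_form');
            return;
        }
        echo 'User #' . (int) $this->session->userdata('user_id');
    }

    function logout()
    {
        // clears $_SESSION, expires the cookie and destroys server-side storage
        $this->session->destroy();
        redirect('account/login_form');
    }
}
```

Because regenerate_id() copies the existing $_SESSION into the new id, any data set before login (for example a CSRF token or a return URL) survives the rotation; only the id the client knew before authenticating is invalidated.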

[h3] Files [/h3]

Contents of system/application/libraries/Native_session.php:

[code]
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Session class using native PHP session features and hardened against session fixation.
 *
 * @package    CodeIgniter
 * @subpackage Libraries
 * @category   Sessions
 * @author     Dariusz Debowczyk
 * @link       http://www.codeigniter.com/user_guide/libraries/sessions.html
 */
// class name matches the file name and the `new Native_session()` in the init file
class Native_session {

    var $session_id_ttl = 360; // session id time to live (TTL) in seconds

    function Native_session()
    {
        log_message('debug', "Native_session Class Initialized");
        $this->_sess_run();
    }

    /**
     * Regenerates session id
     * (on PHP 5.1+ session_regenerate_id(TRUE) performs the same
     * regenerate-and-destroy-old-storage step in one call)
     */
    function regenerate_id()
    {
        // copy old session data, including its id
        $old_session_id   = session_id();
        $old_session_data = $_SESSION;

        // regenerate session id and store it
        session_regenerate_id();
        $new_session_id = session_id();

        // switch to the old session and destroy its storage
        session_id($old_session_id);
        session_destroy();

        // switch back to the new session id and send the cookie
        session_id($new_session_id);
        session_start();

        // restore the old session data into the new session
        $_SESSION = $old_session_data;

        // update the session creation time
        $_SESSION['regenerated'] = time();
    }

    /**
     * Destroys the session and erases session storage
     */
    function destroy()
    {
        // empty the array instead of unset($_SESSION): unsetting the
        // superglobal disables session variable registration for the request
        $_SESSION = array();

        if (isset($_COOKIE[session_name()]))
        {
            setcookie(session_name(), '', time() - 42000, '/');
        }

        session_destroy();
    }

    /**
     * Reads given session attribute value
     */
    function userdata($item)
    {
        return ( ! isset($_SESSION[$item])) ? FALSE : $_SESSION[$item];
    }

    /**
     * Sets session attributes to the given values
     */
    function set_userdata($newdata = array(), $newval = '')
    {
        if (is_string($newdata))
        {
            $newdata = array($newdata => $newval);
        }

        if (count($newdata) > 0)
        {
            foreach ($newdata as $key => $val)
            {
                $_SESSION[$key] = $val;
            }
        }
    }

    /**
     * Erases given session attributes
     */
    function unset_userdata($newdata = array())
    {
        if (is_string($newdata))
        {
            $newdata = array($newdata => '');
        }

        if (count($newdata) > 0)
        {
            foreach ($newdata as $key => $val)
            {
                unset($_SESSION[$key]);
            }
        }
    }

    /**
     * Starts up the session system for current request
     */
    function _sess_run()
    {
        session_start();

        //log_message('error', $_SERVER['REQUEST_URI'].' - session run - SID = '.session_id());

        // check if session id needs regeneration
        if ($this->_session_id_expired())
        {
            //log_message('error', $_SERVER['REQUEST_URI'].' - session expired - SID = '.session_id());

            // regenerate session id (session data stays the
            // same, but old session storage is destroyed)
            $this->regenerate_id();
        }
    }

    /**
     * Checks if session id has expired
     */
    function _session_id_expired()
    {
        // first request with this id: stamp it and treat it as fresh
        if ( ! isset($_SESSION['regenerated']))
        {
            $_SESSION['regenerated'] = time();
            return false;
        }

        $expiry_time = time() - $this->session_id_ttl;

        if ($_SESSION['regenerated'] <= $expiry_time)
        {
            return true;
        }

        return false;
    }
}
[/code]

Contents of system/application/init/init_native_session.php:

[code]
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Loads and instantiates native session class
 */

if ( ! class_exists('Native_session'))
{
    require_once(APPPATH.'libraries/Native_session'.EXT);
}

// sessions engine should run on cookies to minimize opportunities
// of session fixation attack
ini_set('session.use_only_cookies', 1);

$obj =& get_instance();
$obj->session = new Native_session();
$obj->ci_is_loaded[] = 'session';

?>
[/code]
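The init file above sets only session.use_only_cookies. The variant below is an added example, not the project's own init file: it keeps the same bootstrap and tightens the remaining cookie-related PHP session settings that bear on the same fixation and hijacking risk, with the weak default noted next to each corrected value. It assumes PHP 5.2 or later (for session.cookie_httponly); the commented-out memcache lines illustrate the "any PHP storage driver" benefit and assume the pecl memcache extension, with a constructed host:port.

```php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

// Added example (not the project's init file): same bootstrap as
// init_native_session.php with the cookie-handling ini settings hardened.
// Every ini_set() must run before `new Native_session()`, because its
// constructor calls session_start() and the cookie is issued there.
// Assumed: PHP 5.2+ for session.cookie_httponly.

if ( ! class_exists('Native_session'))
{
    require_once(APPPATH.'libraries/Native_session'.EXT);
}

// weak default -> hardened value
//   session.use_only_cookies = 0  (id also accepted from the URL)        -> 1
//   session.use_trans_sid    = 1  (id appended to links, leaks via Referer) -> 0
//   session.cookie_httponly  = 0  (cookie readable from script)          -> 1
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.cookie_httponly', 1);

// session.cookie_secure = 0 -> 1, but only when the site is really served
// over TLS; a Secure cookie on a plain-HTTP site is never sent back, so every
// request would start a fresh session
$over_tls = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
ini_set('session.cookie_secure', $over_tls ? 1 : 0);

// optional: any PHP save handler works with Native_session, e.g. memcache
// (assumes the pecl memcache extension; host:port below is constructed)
// ini_set('session.save_handler', 'memcache');
// ini_set('session.save_path', 'tcp://127.0.0.1:11211');

$obj =& get_instance();
$obj->session = new Native_session();
$obj->ci_is_loaded[] = 'session';
```

A quick check after deploying: the Set-Cookie header for the PHPSESSID cookie should carry HttpOnly (and Secure on HTTPS), and appending ?PHPSESSID=... to a URL should have no effect on which session is used.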

Category:Libraries
