Why does CodeIgniter store its session data in a cookie?

無奈伤痛 2020-12-21 10:21

Why does CodeIgniter do this? I mean, isn't it very insecure if users can see which data is stored in their session? And what if they change a value in the cookie?

4 answers
  • 2020-12-21 10:46

    Well, CodeIgniter's out-of-the-box interpretation of sessions is different to that of PHP sessions. You can still use PHP sessions if you want via the $_SESSION superglobal, but CodeIgniter basically treats sessions as more convenient cookies. Although you can make your sessions store in a database, which is what I do, and that will prevent a user from changing session values.

    If you want semi-secure session variables, use the in-built PHP ones if you don't want the hassle of making CodeIgniter store session values in a database encrypted.

    Everything is explained in the detailed documentation: http://codeigniter.com/user_guide/libraries/sessions.html

  • 2020-12-21 10:47

    Storing a session in a cookie is a worst practice. Every browser has a size limit for cookies, and a cookie is a thing which gets sent every time with your request, even if it is a simple Ajax request, so this practice will only make your requests slow. I think that while developing the session library for CodeIgniter they might have thought that users will only store a small amount of data in the session, but it's simply a stupid idea to store a session in a cookie.

  • 2020-12-21 10:48

    Well, it's data about the user. If they want to change it... so what? I don't see how it's "insecure".

    You can encrypt session data, or use databases for session data integrity verification.

    The documentation is your friend; use it.


    For what it's worth, it does seem daft that native PHP sessions aren't used. The documentation claims that this offers "more flexibility" to developers, but given the caveats listed on that page, I can't imagine how.

  • 2020-12-21 10:49

    Check this out: https://bitbucket.org/xperez/core-session-storage-for-codeigniter

    It's a wrapper for the ci_session interface with native PHP sessions, and thus also works with memcached and not DB.

    Cheers

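
The integrity question raised in this thread, as an added example that is not part of the original posts and is not CodeIgniter's session library: the cookie payload stays readable by the client, but an HMAC tag lets the server reject a value that was edited. The function names, the key and the sample session are constructed for illustration.

```php
<?php
// Added example; plain PHP, hypothetical helper names.

// Assumption: a server-side secret that never leaves the server (constructed value).
const SESSION_KEY = 'constructed-demo-key-use-32-random-bytes';

// Serialize session data and append an HMAC-SHA256 tag over the payload.
function seal_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the session array, or null when the cookie is malformed or was modified.
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // hash_equals compares in constant time, so the tag cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample session.
$cookie = seal_session(['user_id' => 42, 'is_admin' => false], SESSION_KEY);

// Signing gives integrity, not confidentiality: the payload is only base64.
[$payload, $tag] = explode('.', $cookie);
echo 'Readable by the client: ', base64_decode($payload), PHP_EOL;

// A client-side edit changes the payload, but the old tag no longer matches it.
$edited = base64_encode(json_encode(['user_id' => 42, 'is_admin' => true])) . '.' . $tag;

echo 'Untouched cookie: ';
var_dump(open_session($cookie, SESSION_KEY));
echo 'Edited cookie: ';
var_dump(open_session($edited, SESSION_KEY));
```

Hiding the values from the user as well requires encrypting the payload or keeping the data server-side (native PHP sessions or a database), which are the options the answers above mention.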