Does anyone see any problems with the modifications for CI 2.1.4? This class was written for 1.7.2 (Github link)
Questions:
1.What is the purpose of regenerate_id? Is it session id rotation?
The use case is session fixation prevention. NativeSession regenerates the session ID every X seconds based on the NativeSession::$session_id_ttl attribute value. It reduces the impact of session hijacking, as the "stolen" session ID is expired and regenerated using regenerate_id() after the configured time.
2.What is the potential problem with session_write_close (as indicated in comment)?
In general, session_write_close() is used to get rid of the session write lock as soon as all changes to the session are done. That may cause multiframe apps to load faster (as session write access is permitted sooner).
You should not add a line with session_write_close(), as it will prevent the session flashdata mechanism from working correctly.
3.Does this class fully implement session class for CI 2.1.4?
Not exactly, but it should be possible to use it as a drop-in replacement of CI_Session. I'm using NativeSession with CI2 for 2 production applications without any issues.
Check CI2 Github for CI_Session_native if you are looking for a supported CI session handler that delivers similar functionality to NativeSession. I've reviewed the code and it looks like it's partially based on NativeSession. It also contains some security improvements.
4.Why is sess_expiration used instead of sess_time_to_update for expiration? (Session cookie expires when browser is closed. sess_time_to_update would seem like a better fit for session rotation.)
You seem to refer to CI2 session mechanisms.
NativeSession was developed before CI2 and it uses different params than CI Session.
5.Are there any known bugs?
Nothing I'm aware of, although it may contain bugs of course.
6.If I run an application on a wildcard subdomain (site1.domain.com, site2.domain.com...etc), will the cookies only apply to that subdomain? My main concern is with setcookie(session_name(), '', time()-42000, '/');
From PHP docs: "Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'."
I was using this code with an application that handles subdomains without any issues.
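An added example, not part of the original post and not NativeSession or CodeIgniter code: a minimal sketch of TTL-based session ID rotation (question 1) and of clearing the session cookie with the same path and domain it was issued with (question 6). The constant `SESSION_ID_TTL`, the `id_issued_at` key and both function names are hypothetical.

```php
<?php
// Added illustration. SESSION_ID_TTL, 'id_issued_at' and the function
// names below are hypothetical and do not come from NativeSession.
const SESSION_ID_TTL = 300; // seconds an ID stays valid before rotation

function start_rotating_session(): void
{
    session_start();
    $now = time();
    $issued = $_SESSION['id_issued_at'] ?? null;

    // Rotate when the session is new (discards an ID the client may have
    // supplied, which is the fixation case) or when the ID is older than
    // the TTL (bounds how long a stolen ID remains usable).
    if ($issued === null || $now - $issued >= SESSION_ID_TTL) {
        // true = delete the old session data so the old ID stops working
        session_regenerate_id(true);
        $_SESSION['id_issued_at'] = $now;
    }
}

function destroy_session(): void
{
    $_SESSION = [];

    // A browser only drops a cookie when the expiring Set-Cookie carries
    // the same name, path and domain as the cookie it already holds, so
    // reuse the parameters the session cookie was created with instead
    // of hard-coding '/' and an implicit domain.
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );

    session_destroy();
}
```

If the session cookie is configured with an empty domain, it is host-only and the expiring cookie applies only to the host that served the request.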