
CodeIgniter sessions

Why is it recommended to store CodeIgniter sessions in a database table? I know it's about security, but how?

Why is it required to set an encryption key in the config when using the Session class? Are you supposed to decrypt the session?

Does $this->session->sess_destroy(); delete the entire cookie or just the data you put in the cookie? And does it end the session completely, by which I mean undoing $this->load->library('session')?

CI's sessions are, actually, cookies. Encrypted, but cookies nonetheless. That's why it's preferable to store the session in a database, because you're (supposedly) dealing with a less unreachable target from attacks, especially if you use Active Record, which automatically escapes your queries (so that SQL injections are avoided). Also, contrary to cookies, a DB doesn't have such a limited amount of memory available, so you can store any amount of data you want there, cache the operations, and have them hidden from the frontend.

I'm not sure about why it is required, apart from the fact that some session data is automatically encrypted by CI. So, even if you don't make use of the Encryption library, some encrypting is still carried on (while saving the session ID, for example). As Kai Qing correctly noted, you don't have to do any decryption on data already handled by CI.

$this->session->sess_destroy() just deletes the data stored as sessions. Since they are also cookies, in order to delete the whole content you need to use the dedicated functions (look into the cookie helper, for example). Keep in mind, though, that when you call this function you also delete flash messages (as they are sessions), so if you just want to unset some elements, use unset_userdata($item).

It doesn't end the library loading, either. As for any other library, or class, or controller, or whatever, everything is re-loaded from zero after each request. Each time you make a request the script runs, reinitializes everything, and when the script ends all is lost like tears in the rain. That's the regular lifespan of a PHP script. If your script is not bound to end after you call session->sess_destroy(), the session library will still be loaded, though the data will be erased.

To answer your first question: it is recommended to store via DB to minimize the data found in the session and reduce the risk of foolishness, like a helper. Since DB-stored sessions will only store the ID in a cookie, the information available is reduced to an unusable bit of information.

You don't need to decrypt anything. The engine handles that for you.

As for destroy, I don't know exactly. But I imagine a simple var_dump would answer that.
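Both answers make the same point about the first question: with cookie-only sessions the serialised user data travels in the browser's cookie, while with DB-stored sessions the cookie carries nothing but an opaque ID. The following standalone Python model (added here; it is not CodeIgniter code and does not reproduce CI's exact cookie format) contrasts the two modes: what each cookie reveals to whoever holds the browser, how the integrity check rejects a cookie whose body was changed, and what destroying the server-side row leaves behind. The key, the table dict and the sample data are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed stand-in for CodeIgniter's encryption_key (demo value only).
KEY = b"constructed-demo-key-not-for-production"

# --- Mode 1: the whole session rides in the cookie (sess_use_database = FALSE) ---
def cookie_session_write(data: dict) -> str:
    """Serialise the data into the cookie and bind it to KEY with an HMAC."""
    body = base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def cookie_session_read(cookie: str) -> Optional[dict]:
    """Accept the cookie only if the MAC matches the body; otherwise reject it."""
    body, _, mac = cookie.rpartition(".")
    expect = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expect):
        return None
    return json.loads(base64.b64decode(body))

def with_modified_body(cookie: str, data: dict) -> str:
    """Re-encode a different body under the original MAC, to test the check above."""
    mac = cookie.rpartition(".")[2]
    body = base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{body}.{mac}"

# --- Mode 2: only an opaque id in the cookie (sess_use_database = TRUE) ---
SESSION_TABLE: dict = {}  # constructed stand-in for the ci_sessions table

def db_session_write(data: dict) -> str:
    sid = secrets.token_hex(20)        # 40 hex chars, the width of CI's session_id column
    SESSION_TABLE[sid] = dict(data)    # user data stays server-side
    return sid                         # the cookie value

def db_session_read(cookie: str) -> Optional[dict]:
    return SESSION_TABLE.get(cookie)   # unknown or destroyed id: no session

def db_session_destroy(cookie: str) -> None:
    SESSION_TABLE.pop(cookie, None)    # data erased; the id in the browser is now an orphan

# --- What the cookie alone gives away, decoded without any key ---
def client_visible_data(cookie: str) -> Optional[dict]:
    body = cookie.rpartition(".")[0]   # empty for a bare DB session id
    try:
        return json.loads(base64.b64decode(body, validate=True))
    except (ValueError, UnicodeDecodeError):
        return None                    # nothing readable: only an opaque id
```

In cookie mode the browser can read the whole session even though it cannot alter it without failing the MAC; in DB mode the cookie is just a lookup key and the row can be removed server-side at any time.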
