CodeIgniter sessions vs PHP sessions

Question

I'm relatively new to CodeIgniter and am making my first CI project in which there are user-accounts, etc. In the past, I have always used PHP's $_SESSION variable to this end. However, CI seems to have its own session mechanism, which it claims is "better"

CI's session mechanism seems to store all the data in a cookie? Personally I like the idea of all the data being stored on the server, accessed with a cookie-key like PHPs native session mechanism... Am I being dumb thinking that's better? Should I just accept CI's mechanism? Or should I go ahead and use native PHP sessions?

What do you guys do?

Thanks,
Mala

Answer 1

In my experience with CI I've encountered some anomalies with its sessions, but for most day-to-day needs the library is good and easy to work with. As it was pointed out, Flashdata is a very nice feature.

If you choose to stay with CI's sessions, I'd strongly suggest to store sessions in a database and, additionally, encrypt cookies:

$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database']   = TRUE;
$config['sess_table_name']     = 'sessions';

The database structure should be as follows:

CREATE TABLE IF NOT EXISTS  `sessions` (
    session_id varchar(40) DEFAULT '0' NOT NULL,
    ip_address varchar(16) DEFAULT '0' NOT NULL,
    user_agent varchar(50) NOT NULL,
    last_activity int(10) unsigned DEFAULT 0 NOT NULL,
    user_data text NOT NULL,
    PRIMARY KEY (session_id)
);

Answer 2

The manual says more flexibility rather than better ;-)

I presume the main benefit of CodeIgnite session class is that it integrates with the framework and it offers a few extra functionality, such as IP address tracking and what it calls flashdata (session data that's erased as soon as it's read). If you are using a framework in the first place that means these options may be attractive for you.

Whatever, you can also save session data into a database:

http://codeigniter.com/user_guide/libraries/sessions.html

Answer 3

Keep PHP session for important information and use CI session for less important info.

Read here wyh. http://codeigniter.com/forums/viewthread/130577/

Answer 4

I know this is an older post, but I feel it is worth sharing what I have found.

Since CI uses a cookie based approach ( even with database storage ) it causes a problem for my particular app which serves data to remote clients requesting data through curl. The bottom line is Cookies and Cross Site Scripting, although manageable, do not play well together.

I chose to try to override the native Session.php class provided by CI with my own MY_Session.php. I was happy to find this wasn't too difficult, but was surprised to find that CI was regenerating session id even though my script explicitly provided them.

According to the CI manual

The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes )

Although I can probably find a way to override this, I am wondering if it wouldn't be much easier to revert back to PHP sessions.

Just food for thought if you're going to use CI.

Answer 5

CI sessions has Storage size limitations

As you are aware , CI sessions are cookies basically, whether you encrypt it or not. As far as security is concerned both have its on pros and cons.

My concern was the size limit of CI sessions, It can hold only 4 kb data as its basically a cookie, while Native PHP session only stores reference id on cookie and all the session data is stored in server memory. This comes handy when you have a larger number of items need to be stored in a session.

Say a shopping cart with more items, or a user music playlist with more than 50 tracks... etc.

I hope this information helps someone some day.

Cheers..!!