更新时间:2022-10-29 17:17:45
在codigniter安装程序的application / config / config.php文件中,您可以选择加密cookie。
$ config ['sess_cookie_name'] ='ci_session';
$ config [’sess_expiration’] = 7200;
$ config [’sess_encrypt_cookie’] = TRUE; //从false设置为TRUE
一旦设置了set_userdata()和userdata()方法,透明地处理会话数据的加密和解密。
此页面底部的codigniter会话配置选项的完整列表:
http://codeigniter.com/user_guide/libraries/sessions.html
I'm just getting into learning about sessions, and for my purposes, I want to create something that upon every request from the client, the server authenticates that user, and only then performs data-handling for that user.
However, I have seen a lot of examples with CodeIgniter where the session is set up as thus:
$this->load->library('session');
$newdata = array(
'username' => 'johndoe',
'email' => 'johndoe@some-site.com',
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);
However, couldn't someone just create a cookie on their computer with a common username and the 'logged_in' state to true, and suddenly you're authenticated without a password? This seems like a security flaw to me, but I see so many examples like this.
What is the proper way to authenticate the user on each request?
In the application/config/config.php file of your codigniter install you can choose to encrypt your cookies.
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = TRUE; // set from false to TRUE
Once this is set the set_userdata() and userdata() methods will transparently handle encrypting and decrypting the session data.
A full list of codigniter session config options is at the bottom of this page: