I wonder if using codeigniter session is safe.
Some earlier versions said no because the default configuration file was configured in a way that was unsafe.
In the current version (3.1.2), have this problem? Do I need to worry about using encription_key, for example?
Thank you.
Sessions are stored on the server. As long as the server is safe, sessions should be safe as well. CodeIgniter's session class is just a wrapper for PHP's native sessions.
Related
I am using Spring-MVC to build a website prototype. We have a MySQL database that we address using Hibernate.
Now, I want to add basic user session handling (user can login, do stuff on the site and logout). I thought it should be easy to do, but after a bit of research I feel a bit lost.
I have seen the spring-session project. It seems it depends on a redis server for storing session data. Is there a way I could use my existing Mysql/Hibernate setup for storing the session data?
Also, what is the most easiest way to do sesions in spring-mvc ?
Sessions will be maintained within the web/app servers like Tomcat, Weblogic etc., you need not to store session related stuff in any database.
Does anyone know if there's any way to get ColdFusion 10+ to store sessions in dynamoDB using the SDK?
http://docs.aws.amazon.com/AWSSdkDocsJava/latest//DeveloperGuide/java-dg-tomcat-session-manager.html
http://java.awsblog.com/post/Tx12CFK2FZ7PXRN/Amazon-DynamoDB-Session-Manager-for-Apache-Tomcat
AFAIK no, because Session scope can store any variables, whereas dynamoDB is a DB so variables have to be serialized first at least. However, if your new or existing app does not reference session directly and use an abstration layer like Coldbox's SessionStorage then you may still be able to do it, but I will then worry about the latency.
I've a large application working on and I am facing with hte problem of sessions a lot, it just unset or corrupt the session of my application sometime, all I got it undefined in my session.
By the way I need to know is there any alternative of sessions so I came to know after R&D that I may use cookie, but I think these things are same before .
So I am stuck, don't know how to get rid of my problem.
Now I've some questions as I am a beginner
what is the difference b/w sessions and cookie in sailsjs.
how to set and get cookie in sailsjs.
i am using sails version v0.94
Please guide me in this.
Session is a schemaless object that can be saved in memory or a persistent store such as Mongo or Redis. Using a memory store like Redis or Mongo helps to persist your sessions across multiple application servers or during an application restart.
The cookie tracks a user with a specific ID to associate with the session. Sailsjs, on top of Express, manages cookies and sessions automatically. When a user accesses your site it is assigned this cookie that has a unique ID. Then sails/express automatically will associate session information to that particular client based on their unique cookie. Sails does more than express by allowing you to use this with with sockets as well.
This is all done so you don't have to save and update session the same as a normal DB. You just set the property and move on.
The reason not use cookies is if you prefer to keep the information on the client and do not want to create overhead for your server to look for that value in memory or in a DB. You will want to make sure this information does not need to be secure.
To learn how to use cookies you should google "Expressjs Cookies" (remember sails runs on top of express, current version 3.x)
If you want an alternative to sessions / cookies you can look at web tokens http://jwt.io/
Remember sailsjs runs on expressjs if you can't find what your looking for, then always search for an express solution as well.
Our joomla site is using 1.7.3, and having performance issues when there are a number of users on line, as well as database corruption issues. The table being corrupted is the _session table.
I would like to try and turn off the session handling, and therefore set the session handler in Joomla Global Configuration to "None" from "database".
Can this cause other issues? What is the possible consequences of doing this?
Thanks,
ken
To answer your direct question - yes there will be lots of problems from turning session handling off especially in an areas of interactivity with users. Most things will break, such as:
Any /administrator functionality
Registering users
Forms
Polls
Front-end article editing etc
anything like JomSocial or similar products
The corruption in #_session is usually caused by failed writes to the DB because the host isn't keeping up with the load - if you are getting these problems during high load time you will have to consider a better hosting package/service.
More importantly the 1.7.x series is no longer supported, you should upgrade to 2.5.3 as it fixes a very nasty pair of exploits that leave all prior version vulnerable to hackers.
If you set the session handler to none Joomla will use the session handler that is build into PHP.
If PHP is installed and configured properly then setting the session handler to none shouldn't cause any issues.
When using a load balancing cluster that isn't session aware you would want to use the database option. So that all servers can access the session data from the database.
In all other cases you can use the none option, which should (theoretically) be faster because the sessions are on the local server and don't have the overhead of setting up a database connection. Additionally I believe PHP has the file cached in memory which would mean it can access the session list virtually instantaneous.
I am working on a gem that will need to read and write to not just to the current session, but to other "linked" sessions. Right now I am hard-coding reads and writes to the underlying session store we are using in our rails and rack apps whenever I need to update a session other than the current one. But, a more generic approach would be needed to make the solution portable to other session implementations.
In Rails apps I can look at Rails.application.config.session_store to determine the session storage implementation, and instantiate a new instance to read and write to sessions beyond the current session. Generating another instance of the session store seems a bit inefficient, but it does seem to work.
However, I can't figure out any way to query the current session store through a Rack app. env['rack.session'] and env['rack.session.options'] don't provide any insight.
The best solution would be to access the already-instantiated Rack::Session Rack app in the middleware stack. I'm not sure how to query what middleware is running and which one is the current Rack::Session implementation (just check which one is a decendent of Rack::Session::Abstract::ID?).
Any tips for querying the middleware or alternative suggestions would be greatly appreciated.
You can access the session in rack using request.cookies["rack.session"]. Rack < 1.0 used to allow you to actually pass session variables in through a request, but it has been disabled in newer versions of rack for security purposes. I know it's kind of late but hopefully this helps you.