Working Around CodeIgniter’s Default Session Library

Recently I was attempting to test a web application using BrowserCam. BrowserCam has a bank of virtual machines on different versions of many platforms including Apple OSX, Linux Fedora, and Windows. While attempting to regression test in older versions of IE I noticed I absolutely could not log in to my application. This only occurred on BrowserCam. After testing other CI-based sites over BrowserCam I eventually narrowed it down to CodeIgniter’s session library. The session library that ships with CI does not use PHP’s native file-based sessions. It instead stores everything in an encrypted cookie. I think this is bad for two reasons: one, it goes against a PHP developer’s conventional wisdom of how sessions are handled, and two, cookies have a storage limitation.

After poking around for some solutions I determined everything out there would cause me to have to change a lot of code. I needed a drop-in replacement that would cause me minimal changes. I wrote the following library called Trusession. You simply drop it into your application/libraries folder and do some simple find and replaces. Trusession has most of the same method names, parameters, and return values as CodeIgniter’s native session library, so your application should start working again out of the box, except it will now be using PHP’s file-based sessions. There are a few public methods that I did not implement; calling these will result in an exception telling you that the method has not been implemented, along with a stack trace. These can easily be implemented by reverse engineering the CI Session library.

Your find and replace should do the following within your application directory:

Find “->session” and replace with “->trusession”

Find “->(‘session’)” and replace with “->(‘trusession’)”

You may also need to update your autoload configuration file if you’re autoloading CI’s session library. This is obviously not an ideal solution, but short of CodeIgniter giving you the option to use file-based sessions I feel this is the least intrusive. Luckily there is some chatter going on about fixing this. What CodeIgniter should do is give you the option in the config file to use cookies (its default), a database, or files for session storage.
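A sketch of the kind of drop-in class described above, added here as an example and not the author's Trusession code. The class name `Native_session` and the `regenerate()` method are hypothetical; the other method names follow the CI 2.x Session library, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not Trusession. Native_session and regenerate() are hypothetical names.
class Native_session
{
    public function __construct()
    {
        if (session_status() === PHP_SESSION_NONE) {
            ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
            ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
            session_set_cookie_params([                // only the ID travels in the cookie
                'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
                'httponly' => true,
                'samesite' => 'Lax',
            ]);
            session_start();                           // started once, here only
        }
    }

    public function userdata($item)
    {
        return isset($_SESSION[$item]) ? $_SESSION[$item] : FALSE; // CI returns FALSE when missing
    }

    public function set_userdata($newdata = array(), $newval = '')
    {
        if (is_string($newdata)) { $newdata = array($newdata => $newval); }
        foreach ($newdata as $key => $val) { $_SESSION[$key] = $val; }
    }

    public function unset_userdata($newdata = array())
    {
        $keys = is_string($newdata) ? array($newdata) : array_keys($newdata);
        foreach ($keys as $key) { unset($_SESSION[$key]); }
    }

    public function regenerate()
    {
        session_regenerate_id(true);                   // new ID, old session file deleted
    }

    public function sess_destroy()
    {
        $_SESSION = array();
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}
```

Call `regenerate()` immediately after a successful login so the pre-login session ID is not carried into the authenticated session.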


4 Comments

  • Robert says:

    Here, try this instead, this is a drop-in replacement for CI 2.0

    https://gist.github.com/1360305

    I borrowed it from somewhere, but now I forget where. Anyways, this tosses out the whole cookie approach and sticks to the tried & true session handler in PHP.

  • Erik says:

    The find and replace is a bit overkill — you can simply drop a file in your libraries folder and name it MY_Session.php. Now override whatever methods you want to (or all of the methods) and now you can use your new session library without changing a line of code in the rest of your applications (assuming you implement the same methods with the same parameters)

  • Erik says:

    Sorry to have to make another comment but can’t edit :)

    1) Your session is always started in your constructor. Why are you starting it (with error suppression) in all your methods?
    2) If you use CI’s ability to store session data in the database you no longer have the limitation of how much data a cookie can store.

  • chris says:

    Robert – thanks, I may end up using your code instead.

    Erik – Yes, I may have some refactoring to do. I don’t like storing session data in the database unless I need to. I like PHP’s file-based sessions just fine.