Home/ Questions/Q 8655417
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T15:01:20+00:00

Why does the session Id need to be updated at all in CodeIgniter. I

  • 0

Why does the session Id need to be updated at all in CodeIgniter. I know you can control how often the session id is updated in the config. But why do they change the id of the session every 5 min (by default)?

Why can’t an session be created once and it use the same id till the session expires?

The function that updates the session is here:

/**
 * Update an existing session
 *
 * @access  public
 * @return  void
 */
function sess_update()
{
    // We only update the session every five minutes by default
    if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
    {
        return;
    }

    // Save the old session id so we know which record to
    // update in the database if we need it
    $old_sessid = $this->userdata['session_id'];
    $new_sessid = '';
    while (strlen($new_sessid) < 32)
    {
        $new_sessid .= mt_rand(0, mt_getrandmax());
    }

    // To make the session ID even more secure we'll combine it with the user's IP
    $new_sessid .= $this->CI->input->ip_address();

    // Turn it into a hash
    $new_sessid = md5(uniqid($new_sessid, TRUE));

    // Update the session data in the session data array
    $this->userdata['session_id'] = $new_sessid;
    $this->userdata['last_activity'] = $this->now;

    // _set_cookie() will handle this for us if we aren't using database sessions
    // by pushing all userdata to the cookie.
    $cookie_data = NULL;

    // Update the session ID and last_activity field in the DB if needed
    if ($this->sess_use_database === TRUE)
    {
        // set cookie explicitly to only have our session data
        $cookie_data = array();
        foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
        {
            $cookie_data[$val] = $this->userdata[$val];
        }

        $this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));
    }

    // Write the cookie
    $this->_set_cookie($cookie_data);
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is for security reasons to prevent spoofing. The session is encrypted and stored into your Cookies. Anyone can copy your Cookie and go to another PC and be logged in.

    Let’s say that the session doesn’t expires. This means that if I am to your PC and steal your cookie, I can login from anywhere as I have your session id encrypted in the Cookies. If the framework renew the session every 5 minutes, this is almost impossible to happen.

    If you don’t like the way that this works you can always create your own library for Sessions by extending the one from the core system of Codeigniter. Although this is not suggested.

    • 0