system/libraries/Session.php
CIsession类的实现机制是使用了浏览器的Cookie,如果用户禁用了Cookie,那么Session将无法使用。网上也有说CISession莫名其妙丢失的问题,所以我就直接看看代码里是怎么处理,比无谓的猜测要有意义的多。
/** * Fetch the current session data if it exists * * @access public * @return bool */ function sess_read() { // Fetch the cookie $session = $this->CI->input->cookie($this->sess_cookie_name); //通过Cookie获取数据 // No cookie? Goodbye cruel world!... if ($session === FALSE) { log_message('debug', 'A session cookie was not found.'); return FALSE; } // Decrypt the cookie data if ($this->sess_encrypt_cookie == TRUE) { $session = $this->CI->encrypt->decode($session); } else {
//看这里,即使你在设置里没有使用加密,但是你必须要设一个加密秘钥,因为CI要保证从客户端Cookie获取的数据是可靠的。 // encryption was not used, so we need to check the md5 hash $hash = substr($session, strlen($session)-32); // get last 32 chars //得到Hash数值 $session = substr($session, 0, strlen($session)-32); //真正的Session内容 // Does the md5 hash match? This is to prevent manipulation of session data in userspace
//使用配置文件中给Session加密的秘钥和Session的内容,对Session进行MD5操作,并与上面得到的散列值做对比 if ($hash !== md5($session.$this->encryption_key)) { log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.'); $this->sess_destroy(); return FALSE; } } // Unserialize the session array $session = $this->_unserialize($session); // Is the session data we unserialized an array with the correct format? if ( ! is_array($session) OR ! isset($session['session_id']) OR ! isset($session['ip_address']) OR ! isset($session['user_agent']) OR ! isset($session['last_activity'])) { $this->sess_destroy(); return FALSE; } // Is the session current? if (($session['last_activity'] + $this->sess_expiration) < $this->now) { $this->sess_destroy(); return FALSE; } // Does the IP Match? IP地址匹配没什么好说的 if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address()) { $this->sess_destroy(); return FALSE; } // Does the User Agent Match? 浏览器 user_agent 匹配,这里有个细节要注意下,这里只匹配从客户端获取的120个字符的数据。 if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120))) { $this->sess_destroy(); return FALSE; } // Is there a corresponding session in the DB? 如果你的CI Session配置了使用数据库,那么会到数据库查询该记录。 if ($this->sess_use_database === TRUE) { $this->CI->db->where('session_id', $session['session_id']); if ($this->sess_match_ip == TRUE) { $this->CI->db->where('ip_address', $session['ip_address']); } if ($this->sess_match_useragent == TRUE) { $this->CI->db->where('user_agent', $session['user_agent']); } $query = $this->CI->db->get($this->sess_table_name); // No result? Kill it! if ($query->num_rows() == 0) { $this->sess_destroy(); return FALSE; } // Is there custom data? If so, add it to the main session array $row = $query->row(); if (isset($row->user_data) AND $row->user_data != '') { $custom_data = $this->_unserialize($row->user_data); if (is_array($custom_data)) { foreach ($custom_data as $key => $val) { $session[$key] = $val; } } } } // Session is valid! $this->userdata = $session; unset($session); return TRUE; }