Do I need to manually activate the encryption of session variables in CodeIgniter?
I've read that using a database to store session variables is much safer than putting them in cookies.
If you use the CI session library and set it to store in a database instead of cookies, does it automatically encrypt the session ID variables?
Everyone is saying that it is best to use encryption when storing session variables in the database, but I'm not sure if there is another option you have to turn on, in order for the encryption to happen.
Also, where would you set the key, if you do need to activate the encryption step yourself? Is it part of the same encryption helper class?
No, CodeIgniter does not automatically encrypt session data when storing it, whether it's in a DB such as MySQL or on the client side using cookies.
Setting $config['sess_encrypt_cookie'] = TRUE in system/application/config/config.php will activate encryption of cookies. If using $config['sess_use_database'] = TRUE, then the cookie itself (stored client-side) will be encrypted, but the actual session variables (stored on the DB) will not.
My guess is that this is because it's not as important to encrypt data stored in a server-side DB as when storing using a cookie for the actual session variables, since the user cannot see or modify the session variables in the DB anyway.
The encryption key needs to be set using $config['encryption_key'] for encryption to work.
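An added example, not part of the original answer: the settings named above in one place, plus one way to encrypt a sensitive string yourself before it goes into a database-backed session, using CodeIgniter's Encrypt library. The helper file name, the two function names and the key value are hypothetical placeholders.

```php
<?php
// --- system/application/config/config.php (path as given in the answer) ---
// Placeholder key: replace with your own random value and keep it out of version control.
$config['encryption_key']      = 'REPLACE_WITH_A_RANDOM_32_CHAR_KEY';
$config['sess_encrypt_cookie'] = TRUE;   // encrypts the cookie stored client-side
$config['sess_use_database']   = TRUE;   // session variables go to the DB, unencrypted
$config['sess_table_name']     = 'ci_sessions';

// --- hypothetical helper file, e.g. helpers/private_session_helper.php ---
// Encrypts a string with the Encrypt library (which reads
// $config['encryption_key']) before handing it to the session library,
// so the value is not stored in plaintext in the session table.
function set_private_userdata($name, $value)
{
    $CI =& get_instance();
    $CI->load->library('session');
    $CI->load->library('encrypt');

    $CI->session->set_userdata($name, $CI->encrypt->encode((string) $value));
}

// Reads the stored ciphertext back and decrypts it.
// Returns FALSE when the item is not present in the session.
function get_private_userdata($name)
{
    $CI =& get_instance();
    $CI->load->library('session');
    $CI->load->library('encrypt');

    $stored = $CI->session->userdata($name);
    if ($stored === FALSE) {
        return FALSE;
    }
    return $CI->encrypt->decode($stored);
}
```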