system/libraries/Session.php

CIsession类的实现机制是使用了浏览器的Cookie，如果用户禁用了Cookie，那么Session将无法使用。网上也有说CISession莫名其妙丢失的问题，所以我就直接看看代码里是怎么处理，比无谓的猜测要有意义的多。

/**     * Fetch the current session data if it exists     *     * @access    public     * @return    bool     */    function sess_read()    {        // Fetch the cookie        $session = $this->CI->input->cookie($this->sess_cookie_name); //通过Cookie获取数据        // No cookie?  Goodbye cruel world!...         if ($session === FALSE)        {            log_message('debug', 'A session cookie was not found.');            return FALSE;        }        // Decrypt the cookie data        if ($this->sess_encrypt_cookie == TRUE)        {            $session = $this->CI->encrypt->decode($session);        }        else        {
    　　　　　　　//看这里，即使你在设置里没有使用加密，但是你必须要设一个加密秘钥，因为CI要保证从客户端Cookie获取的数据是可靠的。            // encryption was not used, so we need to check the md5 hash            $hash     = substr($session, strlen($session)-32); // get last 32 chars //得到Hash数值            $session = substr($session, 0, strlen($session)-32); //真正的Session内容            // Does the md5 hash match?  This is to prevent manipulation of session data in userspace 　　　　　　　//使用配置文件中给Session加密的秘钥和Session的内容，对Session进行MD5操作，并与上面得到的散列值做对比            if ($hash !==  md5($session.$this->encryption_key))            {                log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');                $this->sess_destroy();                return FALSE;            }        }        // Unserialize the session array        $session = $this->_unserialize($session);        // Is the session data we unserialized an array with the correct format?        if ( ! is_array($session) OR ! isset($session['session_id']) OR ! isset($session['ip_address']) OR ! isset($session['user_agent']) OR ! isset($session['last_activity']))        {            $this->sess_destroy();            return FALSE;        }        // Is the session current?        if (($session['last_activity'] + $this->sess_expiration) < $this->now)        {            $this->sess_destroy();            return FALSE;        }        // Does the IP Match? IP地址匹配没什么好说的        if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())        {            $this->sess_destroy();            return FALSE;        }        // Does the User Agent Match? 浏览器 user_agent 匹配，这里有个细节要注意下，这里只匹配从客户端获取的120个字符的数据。        if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120)))        {            $this->sess_destroy();            return FALSE;        }        // Is there a corresponding session in the DB? 如果你的CI Session配置了使用数据库，那么会到数据库查询该记录。        if ($this->sess_use_database === TRUE)        {            $this->CI->db->where('session_id', $session['session_id']);            if ($this->sess_match_ip == TRUE)            {                $this->CI->db->where('ip_address', $session['ip_address']);            }            if ($this->sess_match_useragent == TRUE)            {                $this->CI->db->where('user_agent', $session['user_agent']);            }            $query = $this->CI->db->get($this->sess_table_name);            // No result?  Kill it!            if ($query->num_rows() == 0)            {                $this->sess_destroy();                return FALSE;            }            // Is there custom data?  If so, add it to the main session array            $row = $query->row();            if (isset($row->user_data) AND $row->user_data != '')            {                $custom_data = $this->_unserialize($row->user_data);                if (is_array($custom_data))                {                    foreach ($custom_data as $key => $val)                    {                        $session[$key] = $val;                    }                }            }        }        // Session is valid!        $this->userdata = $session;        unset($session);        return TRUE;    }