CodeIgniter Forums
DB2 Session - Printable Version


DB2 Session - El Forum - 05-23-2008

[eluser]bapobap[/eluser]
Great, thanks for this!

One question, I know you have explained the benefits of the session hijacking protection, but it destroys a feature of my application, where someone who isn't logged in, or even a member, can make a contribution (which is saved to the DB based on session id) and then can log in, where my app will properly associate the records accordingly.

I can't think of any way around this, other than to switch this protection off. Security aside, is there any way to switch the protection off?

Thanks!

EDIT: I've got this, could someone run their eye over it to see if I'm doing something stupid?

Code:
function sess_update()
{
    // Save the old session id so we know which record to
    // update in the database if we need it
    //  $old_sessid = $this->userdata['session_id'];
    //  $new_sessid = '';
    //  while (strlen($new_sessid) < 32)
    //  {
    //      $new_sessid .= mt_rand(0, mt_getrandmax());
    //  }
    //  $new_sessid = md5(uniqid($new_sessid, TRUE));

    // Update the session data in the session data array
    //  $this->userdata['session_id'] = $new_sessid;
    //  $this->userdata['last_activity'] = $this->now;

    // format query array to update database
    $ud = $this->userdata;
    $sql_ary = array(
        'last_activity' => $ud['last_activity']);

    //  unset($ud['session_id'], $ud['last_activity'], $ud['user_agent'], $ud['ip_address']);

    $sql_ary['session_data'] = serialize($ud);
    $this->CI->db->query($this->CI->db->update_string($this->session_table, $sql_ary, array()));

    // Write the cookie
    $this->sess_write();
}



DB2 Session - El Forum - 05-24-2008

[eluser]bapobap[/eluser]
Nope, messes up sessions, at least testing on two different devices.


DB2 Session - El Forum - 06-02-2008

[eluser]FlashUK[/eluser]
[quote author="bapobap" date="1211598915"]Great, thanks for this!

One question, I know you have explained the benefits of the session hijacking protection, but it destroys a feature of my application, where someone who isn't logged in, or even a member, can make a contribution (which is saved to the DB based on session id) and then can log in, where my app will properly associate the records accordingly.

I can't think of any way around this, other than to switch this protection off. Security aside, is there any way to switch the protection off?

Thanks!

EDIT: I've got this, could someone run their eye over it to see if I'm doing something stupid?

Code:
function sess_update()
{
    // Save the old session id so we know which record to
    // update in the database if we need it
    //  $old_sessid = $this->userdata['session_id'];
    //  $new_sessid = '';
    //  while (strlen($new_sessid) < 32)
    //  {
    //      $new_sessid .= mt_rand(0, mt_getrandmax());
    //  }
    //  $new_sessid = md5(uniqid($new_sessid, TRUE));

    // Update the session data in the session data array
    //  $this->userdata['session_id'] = $new_sessid;
    //  $this->userdata['last_activity'] = $this->now;

    // format query array to update database
    $ud = $this->userdata;
    $sql_ary = array(
        'last_activity' => $ud['last_activity']);

    //  unset($ud['session_id'], $ud['last_activity'], $ud['user_agent'], $ud['ip_address']);

    $sql_ary['session_data'] = serialize($ud);
    $this->CI->db->query($this->CI->db->update_string($this->session_table, $sql_ary, array()));

    // Write the cookie
    $this->sess_write();
}
[/quote]

My suggestion would be rather than trying to change the way the sessions work, it would be better to rethink how your application tracks your user. It would be better if you automatically stored a random key into the user's "userdata" instead. That way it won't change when the user's session_id is updated.

Code:
$this->session->set_userdata('user_key', mt_rand());

Also I had a look through your code and you are missing the string to store the userdata back into the database.

If you just want to stop the code from regenerating a new id, then use this code instead: (not tested but I am fairly certain this is correct)

Code:
    /**
     * Update an existing session
     *
     * @access    public
     * @return    void
     */
    function sess_update()
    {
        // Save the old session id so we know which record to
        // update in the database if we need it
        $old_sessid = $this->userdata['session_id'];
        //$new_sessid = '';
        //while (strlen($new_sessid) < 32)
        //{
        //    $new_sessid .= mt_rand(0, mt_getrandmax());
        //}
        //$new_sessid = md5(uniqid($new_sessid, TRUE));

        // Update the session data in the session data array
        $this->userdata['last_activity'] = $this->now;

        // format query array to update database
        $ud = $this->userdata;
        $sql_ary = array(
        'last_activity' => $ud['last_activity']);

        unset($ud['session_id'], $ud['last_activity'], $ud['user_agent'], $ud['ip_address']);

        $sql_ary['session_data'] = serialize($ud);
        $this->CI->db->query($this->CI->db->update_string($this->session_table, $sql_ary, array('session_id' => $old_sessid)));

        // Write the cookie
        $this->sess_write();
    }

Sorry for the late reply. I hadn't had the time to look at this properly until now.

[quote author="bapobap" date="1211696587"]Nope, messes up sessions, at least testing on two different devices.[/quote]

What kind of problems are you having? What devices have you tested on? Regardless of the device, if the cookie is working properly then all the devices should be okay.
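
The stable-key approach suggested in the post above, as an added example that is not part of the original thread or of DB2_Session: anonymous contributions are tied to a key held in userdata, which survives session id rotation, and are claimed at login. `SessionStub`, `visitor_key()` and `claim_contributions()` are hypothetical names, and `random_bytes()` (PHP 7+) is used in place of `mt_rand()` as an assumption so that the linking key is not guessable.

```php
<?php
// Added example, not DB2_Session code. SessionStub, visitor_key() and
// claim_contributions() are hypothetical names; $rows is constructed data.

class SessionStub
{
    public $session_id;
    private $data = array();
    public function __construct() { $this->regenerate(); }
    // Stands in for sess_update(): the id rotates, userdata is carried over.
    public function regenerate() { $this->session_id = bin2hex(random_bytes(16)); }
    public function userdata($k) { return isset($this->data[$k]) ? $this->data[$k] : FALSE; }
    public function set_userdata($k, $v) { $this->data[$k] = $v; }
}

// Return the visitor's stable key, creating it on first use.
function visitor_key($session)
{
    $key = $session->userdata('user_key');
    if ($key === FALSE) {
        // Assumption: random_bytes() (PHP 7+) rather than mt_rand(), so the
        // value that links rows to a visitor cannot be guessed.
        $key = bin2hex(random_bytes(16));
        $session->set_userdata('user_key', $key);
    }
    return $key;
}

// At login, attach every unowned row carrying this key to the account.
function claim_contributions(array &$rows, $key, $user_id)
{
    $claimed = 0;
    foreach ($rows as &$row) {
        if ($row['user_id'] === NULL && hash_equals($row['user_key'], $key)) {
            $row['user_id'] = $user_id;
            $claimed++;
        }
    }
    unset($row);
    return $claimed;
}

$session = new SessionStub();
$rows = array(array('user_key' => visitor_key($session), 'user_id' => NULL));
$session->regenerate();   // id rotates between requests
$rows[] = array('user_key' => visitor_key($session), 'user_id' => NULL);
$rows[] = array('user_key' => bin2hex(random_bytes(16)), 'user_id' => NULL); // other visitor
$session->regenerate();   // and again at login
echo claim_contributions($rows, visitor_key($session), 42), " rows claimed\n";
```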


DB2 Session - El Forum - 06-05-2008

[eluser]jbads[/eluser]
Please help, I've tried installing the DB2_Session, which is in DB2_Sessions.php in my library.

I followed the instructions from the original DB_sessions.

When I load my index page on my XAMPP installation I am getting
Quote: Message: Cannot modify header information - headers already sent by (output started at C:\Program Files\xampp\htdocs\crepress\system\application\libraries\DB2_Session.php:621)

Filename: libraries/DB2_Session.php

I notice that it is inserting data into my sessions table in my database.
What have I missed along the way?


DB2 Session - El Forum - 06-05-2008

[eluser]FlashUK[/eluser]
Hmm, interesting error. I shall take a look at the file when I have a chance to see if I can figure out what the problem is.


DB2 Session - El Forum - 06-05-2008

[eluser]jbads[/eluser]
Cool, I've gone right back from the start and have the original db session library working by changing the class and constructor name to session from DB_Session. I realised I was missing the userdata table in my database.

So db_session class and constructor works when renamed to session but db2_session doesn't.

Dunno if any of this info will help you figure it out.
Thanks, Jake


DB2 Session - El Forum - 06-11-2008

[eluser]FlashUK[/eluser]
[quote author="jbads" date="1212733237"]Cool, I've gone right back from the start and have the original db session library working by changing the class and constructor name to session from DB_Session. I realised I was missing the userdata table in my database.

So db_session class and constructor works when renamed to session but db2_session doesn't.

Dunno if any of this info will help you figure it out.
Thanks, Jake[/quote]

I don't quite understand what may be causing this. DB2_Session is pretty much EXACTLY the same as DB_Session except for a couple of function changes (no messing with database interaction). I have used DB2_Session as "Session" before and didn't get these problems.

Can you give me some example code of your index.php so I can troubleshoot it please?


DB2 Session - El Forum - 06-11-2008

[eluser]Lone[/eluser]
With the above problem check for any whitespace after the last '?>' in the library file.

Having problems with $this->session->sess_destroy() not actually removing session information. I'm not too certain why it is persisting - any ideas?
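
One way to run the whitespace check described above over a library file, as an added example that is not part of the original thread: it reports bytes before the opening tag and whitespace after the closing tag, either of which is sent as output before the session cookie header. `find_stray_output()` is a hypothetical helper and the sample sources are constructed.

```php
<?php
// Added example, not part of DB2_Session. find_stray_output() is a
// hypothetical helper; the sample sources at the bottom are constructed.

// Return the reasons a PHP source file would send output when included,
// which is what triggers "headers already sent" before the cookie is set.
function find_stray_output($source)
{
    $problems = array();
    // A UTF-8 BOM, blank line or space before the opening tag is output.
    if (strncmp($source, '<?php', 5) !== 0) {
        $problems[] = 'bytes before the opening <?php tag';
    }
    $close = strrpos($source, '?>');
    if ($close !== FALSE) {
        $tail = substr($source, $close + 2);
        // PHP swallows one newline directly after the closing tag;
        // anything beyond that is sent to the client.
        $tail = preg_replace('/^(\r\n|\n|\r)/', '', $tail, 1);
        // Only whitespace counts: a non-blank tail means the match was not
        // the end of the file (template markup, or the tag inside a string).
        if ($tail !== '' && trim($tail) === '') {
            $problems[] = strlen($tail) . ' whitespace byte(s) after the closing ?> tag';
        }
    }
    return $problems;
}

// Constructed samples; in practice pass file_get_contents() of each library file.
$samples = array(
    'clean.php'    => "<?php\nclass A {}\n?>\n",
    'trailing.php' => "<?php\nclass B {}\n?>\n\n  ",
    'bom.php'      => "\xEF\xBB\xBF<?php\nclass C {}\n",
);
foreach ($samples as $name => $source) {
    $found = find_stray_output($source);
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```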


DB2 Session - El Forum - 06-19-2008

[eluser]gtipete[/eluser]
Should sess_destroy() be removing the session information from the database too?


DB2 Session - El Forum - 06-24-2008

[eluser]Jackson.Gabbard[/eluser]
I experienced the same errors about header modification as above and found whitespace to be the culprit. I am however having a lot more trouble with the DB2_Session class in terms of properly finding calling up the session ID. For each page load, I'm finding that 25 session entries get added to the ci_session table, some of which will have session data, but the majority of which are empty of it. I can only assume that means that I'm accessing session data, the session ID is not getting validated and a new session is being generated.

I experienced the same issue with the previous version of this library and am doing some work to resolve the problem. From what I've found thus far it seems to be in the way the cookie is getting serialized on write but not deserialized on read--I'll post back when I sort it out further.