Issue Tracking Sessions
#1

Hi,

I'm using CI4 v4.2.12 and need to track changes to the session id made by CI regenerating the session ID, keeping the default refresh rate of 300 secs.
When my user logs in I add/update my unique user id and the session id to a table in my database.
I also use a filter to compare the current session id to the session id in the database each time a controller is called. If the two session id's do not match, I log the user out.
This is done for a number of reasons -
  1. I can stop multiple logins by the same user,
  2. I can offer meaningful logout messages to the user (Session Expired/Multiple Logins Detected),
  3. I can easily logout one/all users if necessary.
Therefore, I need to know when CI regenerates the session, which session has been regenerated and the id of the regenerated session, so I can update the database table.
I have implemented Session DatabaseHandler, but each time CI updates the session, it just adds a new row reflecting the new session, so even from this I cannot identify which user is using which session.
Does CI provide a way to identify when a session has regenerated, which session has been regenerated and what the regenerated value is?
I should also add, comparing the user IP address is not an option for me, as a lot of my users are on the road and are constantly acquiring new IP addresses on their devices.

Thank you in advance.
Reply
#2

Here https://github.com/codeigniter4/CodeIgni...n.php#L412
Reply
#3

Hi Kenjis,
Many thanks for your reply and the snippet.
So essentially, I cannot track a session that has been regenerated?
I am also seeing I cannot logout a specific user (unless I interrogate every session for the user id), and I cannot check for multiple logins by the same user, unless their 2nd, 3rd, ... logins are from different IPs?
I'm therefore assuming I would not be able to do any of the above without changing CI core?
Again many thanks :-)
Reply
#4

Yes, you need to customize the CI4 Session library.
Reply
#5

Thanks Kenjis,
Oh dear! I really do not want to touch CI core!!
Just one idea (note I never use session id in post/get), and this is where my knowledge is lacking!
If I set the $sessionTimeToUpdate equal to $sessionExpiration, this means session id will not regenerate for the lifetime of the users active session?
I create a database table "active_users" that stores my users unique user id (not login username) and their session id.
For every login, I check my active_user table for my users unique id:
  • if present, delete that row and delete session by id.
  • if not present, start new session and record session id and unique user id in table.
Additionally, create a filter to match the user's current session id with the "active_users" value, and check if session data is empty, before every controller.
Therefore:
  • If session data is empty (inform user session expired - delete appropriate "active_users" row and delete session by id - return to login view),
  • If session does not exist on table (inform user already logged out - return to login view)
  • If session id's do not match (inform user multiple logins - delete appropriate "active_users" row and delete session by id - return to login view)
If all of the above is implemented, I believe sessions could not be hijacked, as the hijacker would not have a user id, and if they did somehow manage to start a session, this would not match the filter parameters and they'd be automatically logged out.
Many thanks for your time.
Reply
#6

If you want only one session for a user,
1. when a user is logged in, you save the (first) session id in a database table and the session data.
2. check the (first) session id in the session data and in the database table, and if they are not the same, make the user logout.
Reply
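The scheme Kenjis outlines in #6 (store the first session id in both the session data and a table, and compare on every request) combined with the "active_users" table and the three logout reasons from #5, written out as a CI4 filter. This is an added example, not code from the thread or from CodeIgniter itself. The table name `active_users` and its columns `user_id` / `first_session_id`, the session keys `user_id` / `first_session_id`, the class name and the `/login` route are assumptions; the `recordLogin()` helper is a hypothetical name for what the login controller would call after verifying credentials.

```php
<?php
// Added example, not code from the forum thread or from CodeIgniter.
// Assumed (hypothetical) names: table "active_users" with columns user_id and
// first_session_id, session keys "user_id" and "first_session_id", this class
// name, and the /login route.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Session\Session;

class SingleSessionFilter implements FilterInterface
{
    /**
     * Call from the login controller once credentials are verified.
     * Stores the id of the *first* session of this login in the session data
     * and in the table, so CI's periodic regenerate() (every sessionTimeToUpdate
     * seconds) does not change the value being compared.
     */
    public static function recordLogin(int $userId): void
    {
        $session = session();
        $session->regenerate(true);   // fresh id at login, old record dropped
        $firstId = session_id();

        $session->set([
            'user_id'          => $userId,
            'first_session_id' => $firstId,
        ]);

        $db = db_connect();
        // Replace any earlier row for this user: the earlier device fails the
        // comparison in before() on its next request and is logged out.
        $db->table('active_users')->where('user_id', $userId)->delete();
        $db->table('active_users')->insert([
            'user_id'          => $userId,
            'first_session_id' => $firstId,
        ]);
    }

    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');
        $firstId = $session->get('first_session_id');

        // 1. Session data empty: the session expired or was never started.
        if ($userId === null || $firstId === null) {
            return $this->logout($session, 'expired');
        }

        $row = db_connect()->table('active_users')
            ->where('user_id', $userId)
            ->get()
            ->getRow();

        // 2. No row for this user: they were logged out (one user or everyone).
        if ($row === null) {
            return $this->logout($session, 'logged_out');
        }

        // 3. Row holds a different first id: a newer login replaced this one.
        if (! hash_equals((string) $row->first_session_id, (string) $firstId)) {
            return $this->logout($session, 'multiple_logins');
        }

        return null; // all checks passed; let the controller run
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // nothing to do after the controller
    }

    private function logout(Session $session, string $reason)
    {
        $session->destroy();
        // The reason goes in the query string: flashdata would be lost together
        // with the destroyed session.
        return redirect()->to('/login?reason=' . $reason);
    }
}
```

Register the class under `$aliases` in app/Config/Filters.php and apply it to the routes that need a logged-in user. Because the stored value is the first id of the login rather than the current one, CI's automatic regeneration never triggers a false "multiple logins"; to log out one user, delete their `active_users` row, and to log out everyone, empty the table. The login view can map the `reason` parameter to the messages from #5 (session expired, already logged out, multiple logins).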
#7

Thank you so much.
Reply