CodeIgniter Forums

Full Version: Yet Another Session Issue
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2

El Forum

[eluser]tmcintosh[/eluser]
Hi there,

I'm fairly new to CodeIgniter and recently inherited a site that was partially completed in CI. It works for the most part, but there is one annoying issue that I can't seem to crack. Logged in users are getting randomly logged out.

I've googled for solutions as well as looked through the forums, and there seems to be a history of problems with sessions in general.

Originally the site was using Darius D.'s Native Session library file. I've now replaced that with the Session Hybrid library and enabled database support for the session data. That was helpful because it allowed me to see more of what was happening. It seems that multiple session id's are being generated (I've only seen 2 at a time so far). When a user logs in, the custom user data is associated with one of the session id's.

After some browsing of the site, the site get's "confused" and loads the page with the other session id that does not have the "logged in" user data associated with it. This makes the site appear as though the user is logged out. However, clicking to another page loads the site with right session id and the user now appears to be logged in.

The challenges with debugging this issue is that I can't recreate the scenario on my local machine, only on the remote server, which is a shared hosting server and I don't have access to the php.ini file or any other higher level server configs.

The big question is: Why is the site receiving 2 session id's at once, and how do I prevent that from happening?

I've wasted about 3 days worth of time on this problem and would appreciate some more experience assistance.


Specs:

• Code Igniter Version 1.7.3
• PHP 5.4.3
• Session Hybrid library used
• Database session support used
• Site is requesting and getting more than 1 concurrent session id
• Pages are getting confused between the logged in session id and the logged out session id and incorrectly displaying logged out pages ot users randomly

Also:
• Server clock is relatively close to my client time
• I've removed the underscore from the session cookie name in config (when using cookies)
• Was using with cookie originally and have now switched to database support instead
• It seems as though when a page loads, sometimes the CI code thinks that $_SESSION variable is empty when it should not be.
• I've commented out the code in the sess_update() so that is is not trying to regenerate a session id every 5 minutes.

Would really appreciate a solution! Able to pay with beer or coffee!!: )

El Forum

[eluser]xtremer360[/eluser]
They are working on current version 3.0 for CI. However until they do I would strongly suggest upgraded to the 2.1.2.

El Forum

[eluser]tmcintosh[/eluser]
I didn't really want to do a full upgrade on a site that I didn't build. How much of the site will be affected by an upgrade?

El Forum

[eluser]xtremer360[/eluser]
Only thing I think you should upgrade are the system files. But honestly without knowing if he did anything to them I wouldn't be able to say. Are you planning on redoing the website in any way?

El Forum

[eluser]tmcintosh[/eluser]
I don't particularly care about staying true to any particular release of CI itself. There must be a fundamental PHP change that can be made fairly easily that should fix this situation. I'm sure someone else on this forum as seen this issue before, hopefully they can give me some direction.

El Forum

[eluser]bastien31[/eluser]
Hi,

I have exactly the same problem. It's really annoying and complex to debug because it's a bit hard to reproduce...

I'm actually with CI 2.1.0 and I will try to upgrade to 2.1.2 in order to see if it can succesfully change it.

If Phil Sturgeon has a magic solution (he saves my life a few times already), I think tmcinstosh and I will be thankful !

Bastien

El Forum

[eluser]bastien31[/eluser]
Hi again,

I found this post where there is maybe a solution with cookie session problem : remove the _ in the cookies' names.

http://ellislab.com/forums/viewthread/216353/

There is a similar answer here : http://stackoverflow.com/questions/24388...tabase-why

I will try the two.

I found these one too : http://thinkdiff.net/php/replacing-codei...e-session/

Bastien

El Forum

[eluser]tmcintosh[/eluser]
@bastien31 - thanks for the input, I hope a real solution is made evident at some point. I have seen the 2 links that you mention, however neither are causes of my situation.

When I was using cookies, I tested the "-" issue in the cookie name and it did not help. Now that I'm using database for session management it's irrelevant. For the second link, the main issue there was AJAX calls generating a second session id. As far as I can tell, my site is not doing any async ajax calls.

Update************
• There were a few css links that were generating rewritten URL calls (ie. site.com/css/none) that I thought might be triggering a session start, but I eliminated them and it still continued

My solution:
------------------------------------
This is a total HACK solution but it is what I needed to do to move forward with my client.

Because my site was generating 2 session id's, 1 with user data and 1 without, I updated the Session Insert code to look for existing user_data based on the IP Address, and then copy it to the new session entry. That way when the site gets confused about which Session ID is really the current one, it won't kick the user out because of missing user_data in the session database record.

I realize this is not a great method, and that it is more susceptible to attacks and IP spoofing, but in my specific use case it may just be enough to put the issue to bed for now. The client is planning a full site rebuild in the not too distant future, and the site is not very large, so this HACK will have to do for now.

It doesn't however solve the underlying issue that the Session library for some reason is randomly losing $_SESSION data and then recreating a new second session id along with the first. Although I've achieved the end result with my hack, a real solution would be much better and would benefit others looking for one as well.




El Forum

[eluser]bastien31[/eluser]
Hi,

I solve my problem with this solution : https://github.com/EllisLab/CodeIgniter/pull/823

The file with good code is here : https://github.com/EllisLab/CodeIgniter/...6bd150f469

For me, session id changes when you click on call to a controller but the session is never lost. With AJAX, the session where a bit confused, so I had a session with user data empty and another one with the good data. So my users were disconnected.

With the new file, the ajax case is ok. I tested it and it works great !

If it can be useful to other people.

Bastien

El Forum

[eluser]Stoney[/eluser]
This is old problem with ajax requests.
The session_id is updated when a former (slower) ajax response is coming in, and updates the new session_id with the old one, and the user logs out...

Here is the fix, better than the session library hack. It works for me with CI 2.1.2.

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
* Session Class Extension
*/
class MY_Session extends CI_Session {

    protected $_CI;

/*
* Do not update an existing session on ajax calls
*
* @access    public
* @return    void
*/
function sess_update() {

    $this->_CI =& get_instance();

        if ( !$this->_CI->input->is_ajax_request() ){
            parent::sess_update();
       }
   }
}
Pages: 1 2