Multiple Set-Cookie in header? Session regenerating maybe?
#1

We have an issue with our simplesamlphp authentication.


I believe the issue is that the session is being regenerated.
In the Header I can see the following
Code:
Set-Cookie: ci_session=1f8a5fc76b261172fc190f8161cbc91ad5901b49; path=/; HttpOnly
Set-Cookie: ci_session=ea7e04c4099d5d5c217725c1a73caed5; path=/; HttpOnly
We didn't have this issue before. So I tried retracing back to what was changed. The only thing I could find is our upgrade from CodeIgniter 2 to CodeIgniter 3. 

When does CodeIgniter Set-Cookie multiple times?

This is my Cookie at the moment it happens.
Code:
Cookie: ci_session=1f8a5fc76b261172fc190f8161cbc91ad5901b49

So it looks like it's resetting my cookie and then resetting to a new one? I don't understand what is going on.
Reply
#2

(04-20-2017, 04:40 AM)AzaZPPL Wrote: The only thing I could find is our upgrade from CodeIgniter 2 to CodeIgniter 3.

LOL :P That is a big change! Did you follow the upgrade guide?

Upgrading from 2.2.x to 3.0.x

Step 6 of the guide is about Session library
Reply
#3

The session ID lengths are different ... if it was CI_Session setting both, that wouldn't be the case.
Reply
#4

(04-20-2017, 04:58 AM)Martin7483 Wrote:
(04-20-2017, 04:40 AM)AzaZPPL Wrote: The only thing I could find is our upgrade from CodeIgniter 2 to CodeIgniter 3.

LOL :P That is a big change! Did you follow the upgrade guide?

Upgrading from 2.2.x to 3.0.x

Step 6 of the guide is about Session library

I've made sure that I followed all steps. Everything with the session works except for this part.
This is the config for session used
Code:
$config['sess_driver']          = 'database';
$config['sess_cookie_name']    = 'ci_session';
$config['sess_expiration']    = 7200;
$config['sess_use_database']    = FALSE; //TODO SET TRUE IN LIVE
$config['sess_table_name']    = 'Ci_sessions';
$config['sess_match_ip']    = FALSE;
$config['sess_time_to_update']  = $config['sess_expiration'];


(04-20-2017, 05:00 AM)Narf Wrote: The session ID lengths are different ... if it was CI_Session setting both, that wouldn't be the case.

I don't understand what you mean.
Reply
#5

Could it have something to do with this: https://github.com/bcit-ci/CodeIgniter/i...-193412960
Reply
#6

(This post was last modified: 04-20-2017, 06:50 AM by Narf.)

(04-20-2017, 05:33 AM)AzaZPPL Wrote:
(04-20-2017, 04:58 AM)Martin7483 Wrote:
(04-20-2017, 04:40 AM)AzaZPPL Wrote: The only thing I could find is our upgrade from CodeIgniter 2 to CodeIgniter 3.

LOL :P That is a big change! Did you follow the upgrade guide?

Upgrading from 2.2.x to 3.0.x

Step 6 of the guide is about Session library
I've made sure that I followed all steps. Everything with the session works except for this part.
This is the config for session used
Code:
$config['sess_driver']          = 'database';
$config['sess_cookie_name']    = 'ci_session';
$config['sess_expiration']    = 7200;
$config['sess_use_database']    = FALSE; //TODO SET TRUE IN LIVE
$config['sess_table_name']    = 'Ci_sessions';
$config['sess_match_ip']    = FALSE;
$config['sess_time_to_update']  = $config['sess_expiration'];

If you followed all the steps, you wouldn't have 3 of these settings.
Hint: you aren't even using 2 of them.

(04-20-2017, 05:33 AM)AzaZPPL Wrote:
(04-20-2017, 05:00 AM)Narf Wrote: The session ID lengths are different ... if it was CI_Session setting both, that wouldn't be the case.
I don't understand what you mean.

The first Set-Cookie header sets a 40-character ID - that is sent by CI.
The second has a 32-character ID - that is NOT what CI sends; something else is causing it.

(04-20-2017, 06:38 AM)AzaZPPL Wrote: Could it have something to do with this: https://github.com/bcit-ci/CodeIgniter/i...-193412960

Entirely possible.
Reply
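
An added example, not part of any post in this thread and not CodeIgniter or SimpleSAMLphp code: the length comparison from reply #6 as a small check over raw response headers. It flags any cookie name set more than once and reports the shape of each value. The function names and the sample header block are constructed for illustration; only the two Set-Cookie lines come from the thread.

```python
import re
from collections import defaultdict

# Constructed response: only the two Set-Cookie lines are taken from the thread.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: ci_session=1f8a5fc76b261172fc190f8161cbc91ad5901b49; path=/; HttpOnly
Set-Cookie: ci_session=ea7e04c4099d5d5c217725c1a73caed5; path=/; HttpOnly
"""

def parse_set_cookies(raw_headers):
    """Return {cookie_name: [(value, set_of_lowercased_attribute_names), ...]}."""
    cookies = defaultdict(list)
    for line in raw_headers.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line or an unrelated header
        parts = [p.strip() for p in rest.split(";")]
        cname, _, cvalue = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies[cname.strip()].append((cvalue.strip(), attrs))
    return dict(cookies)

def find_conflicts(raw_headers):
    """List cookie names that one response sets more than once."""
    report = []
    for cname, entries in parse_set_cookies(raw_headers).items():
        if len(entries) < 2:
            continue
        lengths = [len(value) for value, _ in entries]
        report.append({
            "name": cname,
            "lengths": lengths,
            "all_hex": all(re.fullmatch(r"[0-9a-f]+", v) for v, _ in entries),
            # Differing lengths suggest two different ID generators wrote
            # the same cookie name (the reasoning given in reply #6).
            "mixed_generators": len(set(lengths)) > 1,
            # Under RFC 6265 storage rules, a later cookie with the same
            # name, domain and path replaces the earlier one.
            "effective_value": entries[-1][0],
        })
    return report

if __name__ == "__main__":
    for item in find_conflicts(SAMPLE_HEADERS):
        print(item)
```
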
#7

Thanks for the update. I kind of now know where to search. 

I've missed the session config options. I've changed them and they look like so now.
Code:
$config['sess_driver']          = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_use_database']    = TRUE;
$config['sess_save_path']        = 'Ci_sessions';
Reply
#8

(04-20-2017, 07:15 AM)AzaZPPL Wrote:
Code:
$config['sess_driver']          = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_use_database']    = TRUE;
$config['sess_save_path']        = 'Ci_sessions';

Now you've removed one that you need (expiration) and you still have one unused (use_database).
Reply
#9

(04-20-2017, 07:41 AM)Narf Wrote:
(04-20-2017, 07:15 AM)AzaZPPL Wrote:
Code:
$config['sess_driver']          = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_use_database']    = TRUE;
$config['sess_save_path']        = 'Ci_sessions';

Now you've removed one that you need (expiration) and you still have one unused (use_database).


So like this?
Code:
$config['sess_driver']       = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'Ci_sessions';

I think I might have an old config file since it still shows:
Code:
/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name'        = the name you want for the cookie
| 'sess_expiration'            = the number of SECONDS you want the session to last.
|   by default sessions last 7200 seconds (two hours).  Set to zero for no expiration.
| 'sess_expire_on_close'    = Whether to cause the session to expire automatically
|   when the browser window is closed
| 'sess_encrypt_cookie'        = Whether to encrypt the cookie
| 'sess_use_database'        = Whether to save the session data to a database
| 'sess_table_name'            = The name of the session database table
| 'sess_match_ip'            = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent'    = Whether to match the User Agent when reading the session data
| 'sess_time_to_update'        = how many seconds between CI refreshing Session Information
|
*/

Doesn't the sess_expiration already default to 7200?
Reply
#10

(04-20-2017, 07:58 AM)AzaZPPL Wrote: So like this?
Code:
$config['sess_driver']       = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'Ci_sessions';

Missing some non-important settings, but yes.

(04-20-2017, 07:58 AM)AzaZPPL Wrote: I think I might have an old config file since it still shows:
Code:
/*
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|
| 'sess_cookie_name'        = the name you want for the cookie
| 'sess_expiration'            = the number of SECONDS you want the session to last.
|   by default sessions last 7200 seconds (two hours).  Set to zero for no expiration.
| 'sess_expire_on_close'    = Whether to cause the session to expire automatically
|   when the browser window is closed
| 'sess_encrypt_cookie'        = Whether to encrypt the cookie
| 'sess_use_database'        = Whether to save the session data to a database
| 'sess_table_name'            = The name of the session database table
| 'sess_match_ip'            = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent'    = Whether to match the User Agent when reading the session data
| 'sess_time_to_update'        = how many seconds between CI refreshing Session Information
|
*/

If you didn't have an old config, we wouldn't be having this conversation. :)

(04-20-2017, 07:58 AM)AzaZPPL Wrote: Doesn't the sess_expiration already default to 7200?

No.
Reply