Session Collision

Hi all,
I'm a newbie of CI and actually I'm work with last released of download for 3 version.

I have noted during development a ridicolous problem.
Exists two or more pc inside same office connected to same platform but different account logged; after few seconds, their account is transformed and assumes the identity of one of the logged in users.

The session variable is overwritten...

The same action, it happens with one pc and two browsers with different user logged in.


I have edited config file, as reported:

Code:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'myproj';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = APPPATH.'prjsess';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']    = 'prj_'.rand(10,9999);
$config['cookie_domain']    = '.domain.tld';
$config['cookie_path']        = '/';
$config['cookie_secure']    = TRUE;
$config['cookie_httponly']     = FALSE;

I'm sorry for bad English and if my question has already been requested in the past.

CodeIgniter can be quite picky about sess_save_path and cookie_domain.

Do your sessions files actually get saved in prjsess? If not, that's where I would start. It's very picky about a valid absolute path, meaning there can be no ../ in that path. You need to use realpath(APPPATH.'prjsess') to fix those kind of problems, or better yet make it static.

You can always supply it NULL as a debug settings, it will grab a correct path from php.ini.

cookie_prefix should be a static value, it's to avoid collision between multiple applications, not from itself.

cookie_domain Do you need to access it from all subdomains? It's better to force it to a domain (or make it NULL) and PHP will choose the current one for you.

Hi jreklund,
thanks for the reply.

Do your sessions files actually get saved in prjsess? If not, that's where I would start. It's very picky about a valid absolute path, meaning there can be no ../ in that path. You need to use realpath(APPPATH.'prjsess') to fix those kind of problems, or better yet make it static.

Yes, in this folder I can view files created by CI with sessions data.

cookie_prefix should be a static value, it's to avoid collision between multiple applications, not from itself.

Ok, I have removed rand function from name.

cookie_domain Do you need to access it from all subdomains? It's better to force it to a domain (or make it NULL) and PHP will choose the current one for you.

Actually, on this project not exists subdomains; I forced with url to principal domain.

Is better to use database rather than using files for session?

Ok, great. Try that and get back to us.

Is better to use database rather than using files for session?

It depends, if you just want it to work, then files are the best bet.
If you want to force a user to logout, you need it saved and linked to a user in the database.

Ok, I try it again and I'll keep you updated.

A last question: in "cookie_domain", to force principal domain, I will use www.domain.tld, http://www.domain.tld or domain.tld?

Code:

www.domain.tld or domain.tld

And you need to make sure your website only can be accessed by one of those.

I choose then the version www.domain.tld forcing already with a .htaccess file the redirect to the domain with the www.

Thanks again for the availability.

Turn on session match ip, should solve your problem.

You may need to give each computer there own ip.

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

Turn on session match ip, should solve your problem.

You may need to give each computer there own ip.

Will not make any difference at all. As you can have unlimited number of users logged in from one IP-adress. The only difference are that if your computer switches ISP (by going home/to another office) they get a new IP and they will be logged out.

I choose then the version www.domain.tld forcing already with a .htaccess file the redirect to the domain with the www.

If you use other subdomains ("www" is a subdomain) you should use either "domain.tld" or an empty string. According to the PHP manual.

To make the cookie available to the whole domain (including all subdomains of it), simply set the value to the domain name ('example.com', in this case).

Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

I see you used the leading . (e.g. '.domain.tld') and that is OK.

What's this about an empty string?  According to the HTTP cookies page of the Mozilla Developer's Network website.

Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location,

The "current document location" for a CodeIgniter website is always going to be where index.php is found. But I recommend sticking with what you started with.

PHP Code:

$config['cookie_domain']    = '.domain.tld'; 


'cookie_path' should be:

PHP Code:

$config['cookie_path'] = '/'; 


To help prevent session hijacking and XSS always use the following.

PHP Code:

$config['cookie_httponly'] = true; 


You must make sure that permissions and the owner:group for 'sess_save_path' are set correctly. The owner and group should be set to match your Apache setup - typically either 'www-data' or sometimes 'root'. On a Linux system, Apache assigns those in the file /etc/apache2/envars (the path will be different if you're using Windows or an Apple system). Look for the following in that file.

Code:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

You might find 'root' instead of 'www-data'. Don't change anything here, but make sure the owner and group of 'sess_save_path' is set to what you see in the envars file.

---

The same action, it happens with one pc and two browsers with different user logged in.

Are the two browsers the same application? For instance, two windows each running Chrome, or Firefox, or whatever?