CodeIgniter Forums
Session Match IP False No Working - Printable Version




Session Match IP False No Working - kft101 - 01-23-2023

Hello. We are using CI3 and using a MySQL database for our sessions. We have "$config['sess_match_ip'] = false;" set in our config.php file, and have confirmed this config variable value via the "$this->config->item('sess_match_ip')" check. The database table to store sessions only has the "id" as a primary key (so "ip_address" is not factored into the session key). With this, our site still acts as if it's considering IP address when checking for a valid session, as users that have a rotating IP address get our "session timeout" screen after they have logged in and click through pages. We have confirmed this with several different users that see their IP addresses change when they check. We've added logging to the framework's Session.php and Session_database_driver.php files that reference the "sess_match_ip" or "match_ip" parameters, but none seem to be firing when they should not be. Anything else we can check or debug to figure this out? Thanks.


RE: Session Match IP False No Working - InsiteFX - 01-24-2023

Are you on a Cloudflare server?


RE: Session Match IP False No Working - kft101 - 01-24-2023

(01-24-2023, 01:42 AM)InsiteFX Wrote: Are you on a Cloudflare server?
@InsiteFX No, we are on a Rackspace server (behind a load balancer) running CentOS 7.

Thanks.


RE: Session Match IP False No Working - InsiteFX - 01-25-2023

I just looked at the source code and it says this about the Match IP.
PHP Code:
    /**
     * Whether to match the user's IP address when reading the session data.
     *
     * WARNING: If you're using the database driver, don't forget to update
     * your session table's PRIMARY KEY when changing this setting.
     *
     * @var bool
     */
    protected $sessionMatchIP = false;



RE: Session Match IP False No Working - kft101 - 01-25-2023

@InsiteFX The "$sessionMatchIP" variable is a CI4 config variable. We are using CI3, but are setting the version correct "sess_match_ip" config variable appropriately to false, per the original post.


RE: Session Match IP False No Working - InsiteFX - 01-26-2023

PHP Code:
| 'sess_match_ip'
|
|   Whether to match the user's IP address when reading the session data.
|
|   WARNING: If you're using the database driver, don't forget to update
|            your session table's PRIMARY KEY when changing this setting.


For MySQL:

CREATE TABLE IF NOT EXISTS `ci_sessions` (
        `id` varchar(128) NOT NULL,
        `ip_address` varchar(45) NOT NULL,
        `timestamp` int(10) unsigned DEFAULT 0 NOT NULL,
        `data` blob NOT NULL,
        KEY `ci_sessions_timestamp` (`timestamp`)
);



You will also need to add a PRIMARY KEY depending on your ‘sess_match_ip’ setting.
The examples below work both on MySQL and PostgreSQL:

-- When sess_match_ip = TRUE
ALTER TABLE ci_sessions ADD PRIMARY KEY (id, ip_address);

-- When sess_match_ip = FALSE
ALTER TABLE ci_sessions ADD PRIMARY KEY (id);

-- To drop a previously created primary key (use when changing the setting)
ALTER TABLE ci_sessions DROP PRIMARY KEY;



RE: Session Match IP False No Working - superior - 01-26-2023

(01-25-2023, 01:33 PM)kft101 Wrote: @InsiteFX The "$sessionMatchIP" variable is a CI4 config variable. We are using CI3, but are setting the version correct "sess_match_ip" config variable appropriately to false, per the original post.

application/config/config.php
PHP Code:
/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy
| IP addresses from which CodeIgniter should trust headers such as
| HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
| the visitor's IP address.
|
| You can use both an array or a comma-separated list of proxy addresses,
| as well as specifying whole subnets. Here are a few examples:
|
| Comma-separated: '10.0.1.200,192.168.5.0/24'
| Array: array('10.0.1.200', '192.168.5.0/24')
*/
$config['proxy_ips'] = '';
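
The allowlist rule that the proxy_ips comment above describes, as an added PHP illustration (not CodeIgniter's own code and not part of the original post): a forwarded header is honoured only when the connecting peer is a listed proxy. The function names and sample addresses are constructed, and the sketch handles IPv4 only.

```php
<?php
// Added illustration (PHP 7.4+), not CodeIgniter's implementation; names and addresses are constructed.
/** IPv4 only: true if $ip is inside $cidr (a bare address counts as /32). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = filter_var($bits, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 32]]);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($bits === false || $ipLong === false || $netLong === false) {
        return false; // malformed entries never match
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool
{
    return (bool) array_filter($trusted, fn ($cidr) => ip_in_cidr($ip, $cidr));
}

/** Forwarded headers count only when the direct peer is an allowlisted proxy. */
function client_ip(array $server, array $trusted): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '' || !is_trusted_proxy($remote, $trusted)) {
        return $remote;
    }
    // Walk the chain right to left; the first hop that is not a trusted proxy is the client.
    foreach (array_reverse(array_map('trim', explode(',', $header))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $remote; // unparseable header: fall back to the socket address
        }
        if (!is_trusted_proxy($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote;
}

$proxies = ['10.0.1.200', '192.168.5.0/24']; // the example values from the config comment
$viaLb   = ['REMOTE_ADDR' => '192.168.5.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$direct  = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
echo client_ip($viaLb, $proxies), PHP_EOL;  // relayed by an allowlisted proxy
echo client_ip($direct, $proxies), PHP_EOL; // same header sent by an unlisted peer
echo client_ip($viaLb, []), PHP_EOL;        // empty allowlist
```

With an empty allowlist every request relayed by the same proxy resolves to the proxy's own address, so any per-IP check sees the balancer rather than the visitor.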



RE: Session Match IP False No Working - kft101 - 01-26-2023

@InsiteFX @superior

Thanks for the responses. But per the original post, we already have the "sess_match_ip" config variable set to false, the ci_sessions database table created and indexed ONLY on the id. Our website and sessions are working fine for almost all users, except for the ones that have a rotating/dynamic IP address. Our current configuration SHOULD prevent the checking of IP address against the sessions, yet these users are still seeing the session expired message when they click through the pages, which indicates that CI3 is still checking the IP address when retrieving sessions.

We are not using a reverse proxy.

Anything else we can check?

Thank you.


RE: Session Match IP False No Working - kenjis - 01-26-2023

What is our "session timeout" screen?
Can you show it?


RE: Session Match IP False No Working - kft101 - 01-30-2023

@kenjis Hi. Our "session timeout" screen is just the page our site shows when it cannot get a valid session for the current user. It's just a result of the original issue.