Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming authentication session id
authentication session id
  • El Forum
    Guest
  •  
#1
08-17-2008, 03:53 PM

[eluser]Xavier D.[/eluser]
Hi,

I have an authentication class, what is comparing the stored session id in the database with the session id from the userdata session cookie.

Works fine, but when the session id is changing, the user is logged out.

I made a change to the time to update 3600, but it is still not fullproof.

Is there a way that the session id stays during exploring the site, it is a big site, whit chat and everything, so people can spend a lot of time there and it is not very usefull if they logout after 1 hour.



config['sess_match_ip'] = FALSE; -> maybe set to true (extra security?)
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 3600;
  • El Forum
    Guest
  •  
#2
08-19-2008, 04:02 AM

[eluser]Xavier D.[/eluser]
next step

i've created an extra table ci_sessions like mentioned in the userguide.

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;

sess_expiration = 7200sec (2 hours) if someone stays longer then 2 hours, he logged out ...
not good, because I think, the session_id expiration, needs to restart after every click on the website.

Other thing, when loggin out, manuel or by expiration, the ci_sessions table creates a new row, what can become very missy is you have 1K or more users ...

Do I need to manuel delete the rows?

Also, user_id is not stored in the sessions database, seems to be needed if you want to authentication and return the user_id.

I tried to set expiration and time to update to 5 sec. logging out after 5 sec.
only time to update on 5 seconds, ci creates new session id every 5 seconds.

It is nog clear for me ... is this a bug?

thx for your help!
  • El Forum
    Guest
  •  
#3
08-19-2008, 06:03 AM

[eluser]Xavier D.[/eluser]
$config['sess_expiration'] = 0;
$config['sess_time_to_update'] = FALSE;

My solutions, keep session persistent and store the session_id in the users database, before you ask for users details, you do a check if the user_id and session_id are corresponding to each other.

true -> returns user_id
false -> returns 0 and user gets logged out.

seems like the only solution.




Theme © iAndrew 2016 - Forum software by © MyBB