[eluser]caleblloyd[/eluser]
I have been developing using CodeIgniter for a few years now, and seem to always have a problem with getting locked out of a session after navigating a few pages on a website in certain versions of Internet Explorer. I have narrowed this down to the "sess_match_useragent" setting in the Session Class.
The problem does not come from CodeIgniter; the "sess_match_useragent" functionality works exactly as it should. The problem is that some versions of Internet Explorer on certain Operating Systems will report different user-agents from one page to the next.
For instance, I am using Internet Explorer 8 on Windows XP SP3. I am printing $_SERVER['HTTP_USER_AGENT'] to the screen, because that is where CodeIgniter 2.02 appears to get its User-Agent information from. One page load reads:
Code:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; etc...
And on a subsequent page load to the same domain in the same browser it will read:
Code:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; etc...
I believe that this is an Internet Explorer problem and not a CodeIgniter problem; however, the default functionality of the Session Class to match the User-Agent causes problems when this bug occurs in IE. Which brings me to my next question: why is CodeIgniter's default behavior to set "sess_match_useragent" to TRUE in the Session Preferences?
I understand that one reason could be for security purposes: so that a cookie that is read over an unsecured network cannot be recreated in a different browser in order to "steal a user's session". While this is true, most people that are capable of understanding how to steal a cookie over an unsecured connection are also capable of spoofing the user-agent quite easily, so I do not think this is a strong enough argument to call for always matching the user-agent.
Is there any other reason that matching the user-agent is defaulted to TRUE? I know that this IE bug affects many users of sites that run on CodeIgniter, and would like to discuss the adverse effects of changing its default value to FALSE.
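The two effects the post describes, a legitimate IE user being logged out when the browser alternates user-agent strings, and a cookie thief passing the check by copying the victim's User-Agent header, can be reproduced with a small simulation of a "sess_match_useragent"-style check. The following is an added example, not CodeIgniter's Session Class and not code from the poster; the session store, the Request object and the login flow are made up for the demo, and the two IE strings are the ones quoted above with the truncated "etc..." tail dropped.

```python
"""Simulation of a sess_match_useragent-style session binding check.

Added example: a stand-in for the behaviour discussed in the post, not
CodeIgniter's own implementation. Session store, cookie handling and the
Request type are assumptions made for the demo.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample user-agents. The first two are the IE8-on-XP strings
# quoted in the post (tail truncated); the third stands in for an attacker's
# own browser.
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_IE7_COMPAT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"


@dataclass
class Request:
    """One incoming page load: the session cookie (if any) and the UA header."""
    cookie: Optional[str]
    user_agent: str


@dataclass
class SessionStore:
    """Server-side sessions keyed by cookie value (hypothetical store)."""
    match_useragent: bool = True
    sessions: Dict[str, dict] = field(default_factory=dict)

    def login(self, uid: str, user_agent: str) -> str:
        """Create a session bound to the UA seen at login; return the cookie."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"uid": uid, "ua": user_agent}
        return cookie

    def resolve(self, req: Request) -> Optional[str]:
        """Return the uid for a valid session, or None if there is none.

        With match_useragent enabled, a UA header that differs from the one
        stored at login destroys the session, which is the "locked out"
        behaviour the post describes.
        """
        data = self.sessions.get(req.cookie) if req.cookie else None
        if data is None:
            return None
        if self.match_useragent and data["ua"] != req.user_agent:
            del self.sessions[req.cookie]
            return None
        return data["uid"]


def run_scenarios(match_useragent: bool) -> dict:
    """Run the three cases from the post against one configuration."""
    store = SessionStore(match_useragent=match_useragent)

    # 1. Legitimate IE8/XP user whose browser alternates UA from page to page.
    cookie = store.login("alice", UA_IE8)
    page_loads = [UA_IE8, UA_IE7_COMPAT, UA_IE8]
    legit: List[Optional[str]] = [store.resolve(Request(cookie, ua)) for ua in page_loads]

    # 2. Attacker replays a sniffed cookie from a different browser, no spoofing.
    cookie = store.login("alice", UA_IE8)
    naive = store.resolve(Request(cookie, UA_FIREFOX))

    # 3. Attacker replays the cookie and also copies the victim's UA header.
    cookie = store.login("alice", UA_IE8)
    spoofed = store.resolve(Request(cookie, UA_IE8))

    return {"legit_user": legit, "naive_attacker": naive, "spoofing_attacker": spoofed}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"sess_match_useragent={setting}: {run_scenarios(setting)}")
```

With matching enabled, the legitimate user resolves on the first load, is destroyed on the second (IE7-compat string) and stays logged out on the third, while the attacker who copies the header is indistinguishable from the victim; only the attacker who does not bother to spoof is stopped. With matching disabled, all three resolve, which is the trade-off the post is asking about.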