Another disappearing session bug?

[eluser]WanWizard[/eluser]
That blog post makes me very angry.

First, it is not a race condition, concurrent requests are simply not a part of the design. And this issue is present in all CI versions, not only in 2.0+.

Second, the solution this blog proposes is not a fix but a hack, and one that I have posted on this forum. Something this blog fails to mention.

The issue here is that one request can rotate the session id, while a second request is still running. When the second request finishes, the cookie (which has the rotated id from the first request) will now be overwritten with the old session id, because the second request had no idea it was rotated.

The hack simply remembers the previous session id too, which only solves the issue for concurrent requests that don't run longer than the session rotation time. Reuqests that do run longer will still fail, since you will have two rotations within the timespan of that request, so old previous session id is gone from the database too.

Fixing this permanently requires a complete redesign of the session class.

A correct workaround would be to disable session id rotation on ajax calls, so extend the if in Session:ess_update() to include a check for ajax calls, and return if true.