Session creates new session id on every page load
#64

[eluser]phanku[/eluser]
[quote author="phanku" date="1366654591"]I also have this issue.
I have been up and down this thread and tried everything to make this work.
I am planning on using CodeIgniter for a huge project and currently am only doing a small project, before I begin working on the large project, to identify possible issues.
As it stands one issue I have identified is CodeIgniter’s session handler.
Currently I am using a small Linux box that is behind a router that redirects the connections to the Linux box via port forwarding to port 80. I am using a DDYNS to access the box on the port number 8080.
The Apache service on the Linux box listens on port 80.
My CI instance is hosted in a directory of /ci.

Now, for the sake of ease, I will include all the information about my server and settings here.

Config.php:
Code:
$config['base_url'] = '';
$config['sess_cookie_name']  = 'CIPSSSERVER';
$config['sess_expiration']  = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name']  = 'ci_sessions';
$config['sess_match_ip']  = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update'] = 7200;

$config['cookie_prefix'] = "";
$config['cookie_domain'] = ".kicks-ass.org";
$config['cookie_path']  = "/ci";
$config['cookie_secure'] = FALSE;

.htaccess file in /ci directory:
Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} !/webdav
RewriteCond $1 !^(index\.php|images)
RewriteRule ^(.*)$ /ci/index.php/$1 [L]

Apache config:
Code:
<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www
   <Directory />
      Options FollowSymLinks
      AllowOverride None
   </Directory>
   <Directory /var/www/>
      Options -Indexes FollowSymLinks MultiViews
      #AllowOverride All
      AllowOverride FileInfo Limit AuthConfig Options
      #AllowOverride FileInfo
      Order allow,deny
      allow from all
   </Directory>
...
</VirtualHost>

Server Variables on request:
Code:
[REDIRECT_STATUS] => 200
    [HTTP_HOST] => <omitted>.kicks-ass.org:8080
    [HTTP_CONNECTION] => keep-alive
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
    [HTTP_DNT] => 1
    [HTTP_ACCEPT_ENCODING] => gzip,deflate,sdch
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.3
    [HTTP_COOKIE] => CIPSSSERVER=a:4:{s:10:"session_id";s:32:"6fb2b31c3092c145d261be11f8cf7e7d";s:10:"ip_address";s:14:"<omitted>";s:10:"user_agent";s:108:"Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.31+(KHTML,+like+Gecko)+Chrome/26.0.1410.64+Safari/537.31";s:13:"last_activity";i:1366654078;}c1c63d93529d3562c2fb4eb3e37ff56c
    [PATH] => /usr/local/bin:/usr/bin:/bin
    [SERVER_SIGNATURE] =>
Apache/2.2.22 (Ubuntu) Server at <omitted>.kicks-ass.org Port 8080
    [SERVER_SOFTWARE] => Apache/2.2.22 (Ubuntu)
    [SERVER_NAME] => <omitted>.kicks-ass.org
    [SERVER_ADDR] => 192.168.1.102
    [SERVER_PORT] => 8080
    [REMOTE_ADDR] => <omitted>
    [DOCUMENT_ROOT] => /var/www
    [SERVER_ADMIN] => webmaster@localhost
    [SCRIPT_FILENAME] => /var/www/ci/index.php
    [REMOTE_PORT] => 57533
    [REDIRECT_URL] => /ci/
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] =>
    [REQUEST_URI] => /ci/
    [SCRIPT_NAME] => /ci/index.php
    [PATH_INFO] => /
    [PATH_TRANSLATED] => /var/www/index.php
    [PHP_SELF] => /ci/index.php/
    [REQUEST_TIME] => 1366654079

ci_session table:
Code:
CREATE TABLE IF NOT EXISTS `ci_sessions` (
  `session_id` varchar(100) NOT NULL DEFAULT '0',
  `ip_address` varchar(45) NOT NULL DEFAULT '0',
  `user_agent` varchar(255) NOT NULL,
  `last_activity` int(10) unsigned NOT NULL DEFAULT '0',
  `user_data` text NOT NULL,
  PRIMARY KEY (`session_id`),
  KEY `last_activity_idx` (`last_activity`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

I have omitted parts of the address for security reasons.

As you can see, the client is sending the cookie information and yet CI is not reading it into the session data. It also, on every page refresh, creates a new session.

Any assistance would be very appreciated. Thank you. [/quote]

I have fixed the issue. I am going to post the information here in case anyone else ever runs into this problem.

The issue was with PHP Suhosin, a very popular PHP hardening library. Because of how the session data is not only stored within the database but also within the cookie (IMO a weird design decision), the maximum value length that is stored within Suhosin was being violated. Suhosin would then drop the variable, which would cause CI to never get the cookie data, which, of course, would cause CI to generate new session data.

To solve it I have raised the amount allowed to 512. The correct setting to change is suhosin.request.max_value_length.

I am not sure what the correct method should be to address this other than modifying a library that is supposed to protect PHP services from being hacked, but I do believe that if the switch in CI is set to store session data in the database, the cookie should only contain the session id needed to identify the user and their session data. Of course, I think that CI should still do something to verify that the cookie has not been spoofed in some manner, but it should not force system operators to have to change settings on a security library to make CI work.

Hope this helps someone else out in the future.
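
A way to check for the condition described in this post, added here as an example (not code from the post, CodeIgniter or Suhosin): it measures each cookie's decoded length against the Suhosin value-length limits read with ini_get(). The sample cookie, its key and the 256 fallback limit are constructed; that the limits apply to the URL-decoded value and that 0 disables them are assumptions.

```php
<?php
// Added diagnostic, not CodeIgniter or Suhosin code.
// Assumptions: limits apply to the URL-decoded value; a limit of 0 means "off".

/** Cookies in a raw Cookie header whose decoded value exceeds $limit bytes. */
function oversized_cookies($header, $limit)
{
    $hits = array();
    foreach (explode(';', $header) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;                          // skip empty or malformed parts
        }
        list($name, $value) = explode('=', trim($pair), 2);
        $len = strlen(urldecode($value));
        if ($limit > 0 && $len > $limit) {
            $hits[$name] = $len;
        }
    }
    return $hits;
}

// Constructed sample shaped like the cookie in the post: a serialized session
// array followed by a 32-character hash, URL-encoded as setcookie() sends it.
$session = array(
    'session_id'    => str_repeat('a', 32),    // constructed
    'ip_address'    => '203.0.113.7',          // documentation address range
    'user_agent'    => str_repeat('x', 108),   // same length as in the post
    'last_activity' => 1366654078,
);
$payload = serialize($session);
$header  = 'CIPSSSERVER=' . urlencode($payload . md5($payload . 'constructed-key'));

// Use the live Suhosin limits when the extension is loaded; otherwise fall
// back to 256 (constructed) and 512 (the value the post settled on).
$limits = array();
foreach (array('suhosin.request.max_value_length', 'suhosin.cookie.max_value_length') as $key) {
    $v = ini_get($key);                        // false when the directive is unknown
    if ($v !== false) {
        $limits[$key] = (int) $v;
    }
}
if (!$limits) {
    $limits = array('sample limit 256' => 256, 'sample limit 512' => 512);
}

foreach ($limits as $label => $limit) {
    $hits = oversized_cookies($header, $limit);
    echo $label, ' (', $limit, '): ',
        $hits ? 'would drop ' . json_encode($hits) : 'all cookies fit', PHP_EOL;
}
```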

