[eluser]Unknown[/eluser]
After some research I've found that this is a bug in the sess_read() function of the CI_Session class.
Code:
// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
    $session = $this->CI->encrypt->decode($session);
}
else
{
    // encryption was not used, so we need to check the md5 hash
    $hash = mb_substr($session, mb_strlen($session)-32); // get last 32 chars
    $session = mb_substr($session, 0, mb_strlen($session)-32);
    // Does the md5 hash match? This is to prevent manipulation of session data in userspace
    if ($hash !== md5($session.$this->encryption_key))
    {
        log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
        $this->sess_destroy();
        return FALSE;
    }
}
You need to replace the mb_substr() functions with substr() or configure the mbstring.func_overload parameter in the PHP configuration file.
But I must say that this bug is already fixed in the new version of CodeIgniter (2.1.4), so there is another way to fix it - just update the framework.
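
A byte-oriented version of the split-and-verify step from the post above, as an added example that is not part of the original post or of CodeIgniter. The helper names, key and sample payload are constructed, and PHP 7.1 or later is assumed. Passing '8bit' to the mbstring functions makes them count bytes regardless of mbstring.func_overload or the internal encoding.

```php
<?php
// Added example, not CodeIgniter code. All names and sample values are hypothetical.
const TAG_LEN = 32; // length in bytes of an md5() hex digest

// Byte length that does not depend on mbstring.func_overload or the internal encoding.
function byte_len(string $s): int
{
    return function_exists('mb_strlen') ? mb_strlen($s, '8bit') : strlen($s);
}

// Byte slice with the same guarantee; a null length means "to the end of the string".
function byte_slice(string $s, int $start, ?int $length = null): string
{
    if (function_exists('mb_substr')) {
        return mb_substr($s, $start, $length, '8bit');
    }
    return $length === null ? substr($s, $start) : substr($s, $start, $length);
}

// Same construction as the code in the post: payload followed by md5(payload . key).
function seal_cookie(string $payload, string $key): string
{
    return $payload . md5($payload . $key);
}

// Returns the payload when the trailing hash verifies, or null when it does not.
function open_cookie(string $cookie, string $key): ?string
{
    $n = byte_len($cookie);
    if ($n <= TAG_LEN) {
        return null; // too short to hold both a payload and a hash
    }
    $payload = byte_slice($cookie, 0, $n - TAG_LEN);
    $tag     = byte_slice($cookie, $n - TAG_LEN);
    // hash_equals() (PHP 5.6+) compares in constant time, unlike !==.
    return hash_equals(md5($payload . $key), $tag) ? $payload : null;
}

// Constructed sample data: a serialized array holding a multibyte value.
$key     = 'example-key-not-a-real-secret';
$payload = serialize(['user' => 'Żółć', 'id' => 7]);
$cookie  = seal_cookie($payload, $key);

var_dump(open_cookie($cookie, $key) === $payload); // intact cookie
var_dump(open_cookie('x' . $cookie, $key));        // modified cookie
```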