AJAX and CI Session (v1.7) w/DB
#1

[eluser]Padraig Kennedy[/eluser]
When used together, AJAX requests and the CodeIgniter session library (with database storage) do not get along very well.

To frustrate man-in-the-middle attacks, CI regenerates the session every $config["sess_time_to_update"] seconds (default is 5 minutes, I believe). This works by calling the sess_update() method in Session.php every time the session class is initialised.

If it's been more than sess_time_to_update seconds:

1. A new session_id is generated
2. The database is updated with this new session_id
3. The new session_id is sent back to the browser in a cookie.

This is problematic when multiple parallel requests are made. Parallel requests are common when using AJAX. Consider the following scenario: 2 parallel requests are made, just as we exceed the sess_time_to_update threshold. The first one triggers the regeneration of the session_id and returns normally. The second one, however, is still using the old and recently invalidated session_id. A new session is created for this request, which contains none of the userdata and is therefore not marked as logged in. The result is that the user gets logged out sooner than he/she should.

As a temporary work-around, I am planning to simply disable the regeneration of sessions by commenting out the sess_update() at about line 105 of Session.php

I realise that this decreases security somewhat, but our service is provided over SSL, so it is unlikely that a session key could be grabbed mid transmission and since only server generated session ids are accepted, Session Fixation should not be possible.

Any other ideas on how to deal with this? Is there anything else I should worry about after turning off the session update?

Thanks,

Pádraig.
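The race described in the post, reproduced as an added example (this is not code from the CodeIgniter project or from the poster). A dict stands in for the ci_sessions table, and the timestamps are constructed. The grace-window variant, where a rotated-out session_id keeps resolving to its replacement for a few seconds, is a mitigation I am assuming here; it is not something the post proposes, and it is the trade-off an engineer would weigh against simply disabling sess_update().

```python
"""Simulate CI-1.7-style session_id rotation under two parallel AJAX requests.

Added example, not CodeIgniter's own code. SessionStore mimics the observable
behaviour the post describes: after sess_time_to_update seconds the request
gets a fresh session_id, the old row is deleted, and an unknown cookie value
starts a brand-new, empty session. grace_seconds is an assumed mitigation.
"""
import secrets

SESS_TIME_TO_UPDATE = 300  # seconds; the 5-minute default mentioned in the post


class SessionStore:
    def __init__(self, grace_seconds=0):
        # session_id -> {"user_data": {...}, "last_activity": float}
        self.rows = {}
        # old_id -> (new_id, accept_until); only populated when grace_seconds > 0
        self.retired = {}
        self.grace = grace_seconds

    def create(self, user_data, now):
        sid = secrets.token_hex(16)
        self.rows[sid] = {"user_data": dict(user_data), "last_activity": now}
        return sid

    def request(self, cookie_sid, now):
        """Handle one request carrying cookie_sid. Returns (sid_set_in_cookie, user_data)."""
        row = self.rows.get(cookie_sid)
        if row is None and cookie_sid in self.retired:
            # Grace window: an id that was rotated out moments ago still
            # resolves to its successor, but only until accept_until.
            new_id, accept_until = self.retired[cookie_sid]
            if now <= accept_until:
                row = self.rows.get(new_id)
                cookie_sid = new_id
        if row is None:
            # Unknown or invalidated id: CI starts a fresh session with no userdata,
            # which is why the second parallel request appears logged out.
            return self.create({}, now), {}
        if now - row["last_activity"] >= SESS_TIME_TO_UPDATE:
            # Rotation: new id, same userdata, old row removed.
            new_id = secrets.token_hex(16)
            self.rows[new_id] = {"user_data": row["user_data"], "last_activity": now}
            del self.rows[cookie_sid]
            if self.grace:
                self.retired[cookie_sid] = (new_id, now + self.grace)
            cookie_sid = new_id
        return cookie_sid, self.rows[cookie_sid]["user_data"]


def simulate_parallel(grace_seconds):
    """Two XHRs fired with the same cookie just after the rotation threshold."""
    store = SessionStore(grace_seconds)
    t0 = 1_000_000.0  # constructed login time
    sid = store.create({"logged_in": True, "user_id": 42}, t0)
    t1 = t0 + SESS_TIME_TO_UPDATE + 1
    sid_a, data_a = store.request(sid, t1)          # first request rotates the id
    sid_b, data_b = store.request(sid, t1 + 0.05)   # second still carries the old id
    return {
        "rotated": sid_a != sid,
        "first_logged_in": data_a.get("logged_in", False),
        "second_logged_in": data_b.get("logged_in", False),
    }


def old_id_after_grace(grace_seconds):
    """Is the rotated-out id still honoured once the grace window has expired?"""
    store = SessionStore(grace_seconds)
    t0 = 1_000_000.0
    sid = store.create({"logged_in": True}, t0)
    t1 = t0 + SESS_TIME_TO_UPDATE + 1
    store.request(sid, t1)                                  # rotation happens here
    _, data = store.request(sid, t1 + grace_seconds + 1)    # replay after the window
    return data.get("logged_in", False)


if __name__ == "__main__":
    print("no grace:", simulate_parallel(0))
    print("30s grace:", simulate_parallel(30))
    print("old id accepted after grace expires:", old_id_after_grace(30))
```

With grace_seconds=0 the run shows exactly the post's symptom: the first request is rotated and still logged in, the second lands in an empty session. With a short window the second request follows the old id to its replacement, and the same old id is refused once the window has passed, so the exposure is bounded to a few seconds rather than removed entirely as it would be by disabling sess_update().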

