AJAX and CI Session (v1.7) w/DB

[eluser]Padraig Kennedy[/eluser]

It’s not really a CI bug, more like an additional security feature that just isn’t compatible with the multiple AJAX requests. If you’re not using AJAX then race hazards are not really an issue.

I would argue that the unexpected loss of session user data during certain requests is a bug. It may not be a critical one and it may not effect everyone using CI, but it is a bug.

Rather than update the source, I’ve just set this in my system/application/config/config.php file:
$config[‘sess_time_to_update’] = 7200;

This just makes sure the update happens after 2 hours. As I have sessions set to expire after an hour, this effectively turns off the feature.

This is definitely a good work around, if it suits your application. It's always better not to modify framework code!

For some web applications, however, having sessions expire after an hour can be very irritating since it's an hour after logging in rather than an hour since last activity. Our users would on occasion spend 5 minutes filling out a form (while on the phone to a client of their own, who won't want to repeat the information!), only to lose it when they get kicked back to the log in screen because their session timed out.

I’d prefer to keep the database session storage as it’s more secure than using cookie storage and doesn’t need any addition to the framework. Yes it would be possible to use the native PHP sessions mod but that would still give rise to the same issue I think whereby the session is updated between requests.

I agree about database storage, and I don't see this as a reason to switch session libraries.