Login

01-29-2009, 01:50 PM

[eluser]waspfactoryuk[/eluser]
[quote author="drewbee" date="1233279357"]I will probably have to come up with a way to notify ajax calls to force the session to not regenerate the id, and leave it strictly for main browser calls unfortunately.[/quote]

I'm quickly coming to that conclusion too...

Having worked through Sessions.php and how it works in relation to AJAX, I think I now fully appreciate the problem. The CodeIgniter documentation says:

Quote:When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If sessions data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated.

So, if the sess_time_to_update time has passed, or if session data is changed, the session_id will automatically be changed. CodeIgniter relies on sess_update() to update the client's cookie expiry so if sess_update is not called then the session cookie will eventually expire and the session will die.

AJAX requires that the session_id remains constant and does not change. This is not achievable using the CodeIgniter sessions implementation as there is currently no way to turn off the changing of the session ID.

So, the bad news is that our workarounds here don't work as they don't prevent the change of session ID in all circumstances and still allow the cookie expiry to be reset Sad

What I think anyone using AJAX in an environment using sessions for logon security needs is a modification that allows us to switch off the changing of the session ID so it remains constant as per native sessions - or at least allows us to trigger it manually from within a non-AJAX controller. An extra config parameter would be nice to turn it on and off.

Time to start hacking it about Smile