IE8 - case of the missing session/cookie

[eluser]fattmox[/eluser]
I have a CodeIgniter site built that I am maintaining. It uses the database based session/cookie.
The issue I am having is specific only to IE8. The session/cookie works fine in all other browsers (Firefox, IE 7 and Safari)
Error path:

* Login with correct credentials
* Logout
* Login with same credentials
* Credential are accepted but session does not authenticate thereby redirecting the user to the root page

Has anyone else encountered this?

If you use the IE8 Developer Tools (F12) under 'Cache' to 'View Cookie Information' this somehow flushes the cookies and the session authenticates and I am then able to login. Strange. >:-(

[eluser]fattmox[/eluser]
Another odd note - in the logout method, if I run 'regenerate_id()' after 'sess_destroy()' the session is re-instantiated and the user is not logged out. This seems odd to me as the session should not be able to be re-instantiated if it has been destroyed!

[eluser]darkhouse[/eluser]
A common problem these days. I know you said it's just IE8 that you have the problem with, but try this and see what happens. http://codeigniter.com/wiki/Session_Hybrid/

[eluser]bigtony[/eluser]
I posted this thread not long ago about my weird experiences with sessions on IE8:
http://ellislab.com/forums/viewthread/123432/

It's not much to go on, but may help.

[eluser]GSV Sleeper Service[/eluser]
use the native sessions library, you can find it in the CI wiki.
CI Sessions have always caused me problems in IE, it's just easier to use native sessions. funny that no one at EllisLabs will acknowledge the problems, lots of people experience the same problems.

[eluser]darkhouse[/eluser]
The reason we developed our Session Hybrid solution was because we had trouble with a number of different session libraries, including the Native Session library. I don't remember exactly what the problem was with it, I just remember we decided to develop our own when nothing else worked.

[eluser]fattmox[/eluser]
Problem solved!

IE8 caches AJAX calls, even if 'noCache: true' (using mootols)

Once we appended a Math.random() to the end of our authorization url call we were all set to go.

EG - http://domain.com/authorize?394820394

The new session would then be authorized and the user was permitted to move forward.

Thank you everyone for your replys.

[eluser]mackski[/eluser]
Having a similar problems, i explicitly set the date.timezone in php.ini to overcome wrong browser timestamps and when posting to a login page, i added time() to the url:

http://example.com/login/index/1250217336

This did it for me.

[eluser]Unknown[/eluser]
The problem lies in the fact that IE8 removes the CI session cookie even though the expiration timestamp should prevent this

NOTE: Above happens especially when you would like to use client redirect via: header( "Location: " ) call instead of following the link click

My solution is to patch one line of the Session::_set_cookie() method in your Session.php:

Code:

function _set_cookie($cookie_data = NULL)
    {
        /* HERE WE HAVE SOME CODE WHICH WE DO NOT TOUCH...   */
        /* ... WE CHANGE THE setcookie() CALL BY CHANGING THE */
        /* THIRD PARAM TO 0 (originally the third parameter  */
        /* was set to $this->sess_expiration + time()        */

        // Set the cookie
        setcookie(
                    $this->sess_cookie_name,
                    $cookie_data,
                    0,   // <--- HERE YOU PLACE THE 0
                    $this->cookie_path,
                    $this->cookie_domain,
                    0
                );
    }

By patching as described above (third param of setcookie set to 0) we instruct the browser not to delete the cookie until the browser session is finished (so in most cases until the browser is closed).

What we might also want to do is to make sure we have following call somwhere in code of our controller:

Code:

$this->session->set_userdata('last_activity' => $this->session->_get_time());

This ensures that the lastActivity (in CI 1.7.2) is updated in database to the current timestamp. Thanks to this CI session will be destroyed after the inactivity time passes (so the "inactivity logout" will still work even though the cookie will not be deleted by the browser..) <- beware however that CI must still execute call to _sess_gc() to destroy the session.. and this call depends on value of $gc_probability.. so when testing this the best is to set the $gc_probability to 100)

NOTE: If you implement this you might want to omit call to $this->session->_get_time() since this is marked as CI private method. In this case write your own method to get the time

[eluser]JulianM[/eluser]
In my case I solved my problme using the solution posted here: http://ellislab.com/forums/viewthread/135722/

Double check your settings.

- Examine your cookie settings in /application/config/config.php A CI vetran recomended removing underscores from the cookie name (link). This can be done by changing:

$config['sess_cookie_name'] = 'ci_session';
to

$config['sess_cookie_name'] = 'cisession';

But sess_cookie_name alone change didn't solve it. I also needed to change sess_expiration and sess_match_useragent to FALSE.

$config['sess_cookie_name'] = 'cisession';
$config['sess_expiration'] = 86400;
$config['sess_match_useragent'] = FALSE;

Hope this helps.

Julian