Solution to session data loss when using AJAX

[eluser]intractve[/eluser]
Hi All,
This post is a compilation of the steps taken to fix the issue of session updates (using the in-built CI_Session library) while using AJAX in your pages.
(This post assumes you are using the CI session with a database and not just cookies. This solution may work for just cookies too, I am not sure though.)

The CI Session library automatically updates the session information i.e changes the session_id (by default) every 5 mins
(configurable via config.php -> $config['sess_time_to_update']).
While this is a very useful security feature to thwart session hijacking, it can prove to be a bone when using AJAX.

When static pages are accessed, the CI session update does not interfere with regular operation and the new session id is updated in the cookie set in your system, and all is well. But when an AJAX operation is done (get or post), the session is updated and a new session id is generated (and updated in the database) but the cookie in the browser is not updated, so the next time the browser requests a new page it sends a cookie with the wrong session id and the session becomes invalid resulting in loss of session data (person getting kicked out if logged in).

I do not take credit for any of the solutions below, I'm just putting it in one place so that people do not waste as much time as I did trying to solve this. I have given due credit to the posters of the solution but if I have gotten it wrong or not credited you please let me know and I will update the post.

Step 1:
In constants.php (application/config/) you have to add the following line to define an AJAX request.
Taken from WebLee (http://www.weblee.co.uk)

Code:

// Define Ajax Request
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
//

Step 2:
Create a new file under (application/libraries) called MY_Session.php
The word MY_ should correspond to whatever you have defined in config.php as your prefix for class extension ($config['subclass_prefix'])
Paste the following into that file.
Solution by WanWizard

Code:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session
{

/**
* Update an existing session
*
* @access    public
* @return    void
*/
    function sess_update()
    {
       // skip the session update if this is an AJAX call!
       if ( !IS_AJAX )
       {
           parent::sess_update();
       }
    }

}

/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */

And that's it!

What we have done is extended the Session Library overriding the update_session function which is responsible for creating new Session ID's and telling it to only update the session if the current call is not AJAX.

I have tested this and it works,

If there are any errors or better solutions feel free to post them below, so all can benefit from it.


Merry Christmas and Happy Holidays everybody... :-)

--
George