Problem with updating session data
#1

Hello

I have a strange problem with sessions, and after a couple of hours searching for how I can fix it I've finally given up ;/

I created my own authentication library. I'm using the database session driver and I've added one column named 'user_id' to the original table. I'm trying to update the session table with this query:

[3] => UPDATE `ci_sessions_2` SET `user_id` = '1' WHERE `id` = 'blabla_sessioncode'

It works when the user is logging in, but not when the session expires and the user comes back (and had 'remember me' checked).

$this->db->queries prints this query every time, there are no database errors, and when I copy the query and paste it manually into phpMyAdmin it works.

Thanks for any help.
#2

(06-14-2016, 05:54 AM)boddah85 Wrote: [post #1, quoted in full]

Hi, the PHP code for your model would help us find the real problem.
God Bless CI Contributors :)
#3

(This post was last modified: 06-14-2016, 07:48 AM by boddah85. Edit Reason: Add info )

PHP Code:
private function setLoginData($data, $ifAutoLog = 0)
{
    if (is_object($data)) {
        // Refuse accounts that are disabled (user_status 0)
        if ($data->user_status == 0) {
            $this->CI->session->set_flashdata('msg_error', 'Error');
            return FALSE;
        }

        // Session userdata for the logged-in user
        $s_data = array(
            's_userid'   => $data->user_id,
            's_username' => $data->user_name,
            's_loggedin' => TRUE
        );
        $this->CI->session->set_userdata($s_data);

        // Tag the current session row with the user id (the extra column)
        $sesjaId = session_id();
        $dataEd  = array('user_id' => $data->user_id);
        $this->CI->db->update('ci_sessions_2', $dataEd, array('id' => $sesjaId));

        // "Remember me": replace any old token with a fresh one and set the cookie
        if ($ifAutoLog == 1) {
            $this->deleteToken($data->user_id);
            $newToken = $this->genAutologToken();
            $dataAdd  = array(
                'user_id' => $data->user_id,
                'token'   => $newToken
            );
            $this->CI->db->insert('ci_users_rem', $dataAdd);
            $idToken = $this->CI->db->insert_id();
            $this->setAutoLogCookie($idToken, $newToken);
        }

        return TRUE;
    } else {
        return FALSE;
    }
}
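The thread never pins down why the UPDATE silently does nothing on the auto-login path, so here is an added example (not code from the poster or from CodeIgniter) that reproduces the failure mode I would check first. CodeIgniter 3's database session driver only inserts the row for a brand-new session when PHP flushes the session at the end of the request, so an `UPDATE ... WHERE id = session_id()` issued earlier in that same request has no row to hit; a form login on an already-existing session does. The table layout follows the ci_sessions schema from the CI3 manual plus the poster's user_id column, an in-memory SQLite database stands in for MySQL, and the session id is constructed.

```php
<?php
// Added example: shows an UPDATE on the session row affecting zero rows when
// the session driver has not yet written that row, and catching it via the
// affected-row count instead of trusting the query log.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE ci_sessions_2 (
        id         VARCHAR(128) NOT NULL PRIMARY KEY,
        ip_address VARCHAR(45)  NOT NULL,
        timestamp  INTEGER      NOT NULL DEFAULT 0,
        data       BLOB         NOT NULL,
        user_id    INTEGER      NULL
    )'
);

/**
 * Tag the session row with a user id, as the poster's setLoginData() does,
 * but return how many rows were actually changed (0 = row not there yet).
 */
function tagSessionWithUser(PDO $db, string $sessionId, int $userId): int
{
    $stmt = $db->prepare('UPDATE ci_sessions_2 SET user_id = :uid WHERE id = :sid');
    $stmt->execute([':uid' => $userId, ':sid' => $sessionId]);
    return $stmt->rowCount();
}

/** Stand-in for the driver's write(): insert on the first write, update later. */
function driverWrite(PDO $db, string $sessionId, string $serialized): void
{
    $exists = $db->prepare('SELECT 1 FROM ci_sessions_2 WHERE id = :sid');
    $exists->execute([':sid' => $sessionId]);
    if ($exists->fetchColumn() === false) {
        $ins = $db->prepare('INSERT INTO ci_sessions_2 (id, ip_address, timestamp, data)
                             VALUES (:sid, :ip, :ts, :data)');
        $ins->execute([':sid' => $sessionId, ':ip' => '127.0.0.1',
                       ':ts' => time(), ':data' => $serialized]);
    } else {
        $upd = $db->prepare('UPDATE ci_sessions_2 SET timestamp = :ts, data = :data WHERE id = :sid');
        $upd->execute([':ts' => time(), ':data' => $serialized, ':sid' => $sessionId]);
    }
}

// Request 1: returning "remember me" visitor whose old session has expired.
// A fresh id is generated and the UPDATE runs before the driver ever wrote the row.
$sid = bin2hex(random_bytes(16));   // constructed session id
if (tagSessionWithUser($db, $sid, 1) !== 0) {
    throw new RuntimeException('expected no row before the driver has written the session');
}
driverWrite($db, $sid, 's_loggedin|b:1;');   // what happens at request shutdown

// Request 2: form login on a session that already has a row, so the UPDATE lands.
if (tagSessionWithUser($db, $sid, 1) !== 1) {
    throw new RuntimeException('expected the existing session row to be updated');
}
echo "zero-row update reproduced and detected\n";
```

Inside CodeIgniter the equivalent check is `$this->db->affected_rows()` straight after `$this->db->update()`. One caveat for MySQL: by default it reports 0 affected rows when the column already holds the value you set, so treat 0 as "row missing or already tagged", not as an error on its own.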
#4

(06-14-2016, 05:54 AM)boddah85 Wrote: [post #1, quoted]

What are you expecting to happen? What is happening?

Why are you storing the user ID in the session as well as in a separate column in the session table? What is the purpose of modifying the session table in the first place?

The session is temporary, and an expired session should eventually be deleted by the system, but may stay in the table for an indefinite period of time. In some instances, depending on the way the database table is defined and the configuration of the database itself, you could be prevented from setting the same user_id value on multiple rows in the table. Since expired sessions may sit in the table for some time before the system deletes them, you would have to remove the other sessions which use the same user_id before you would be allowed to update the row for the current session.

In most cases, you're just creating a headache for yourself by modifying the session table and storing the user_id there. The session should be transient, and anything that needs to be persisted should be stored in the database, not in the session.
#5

Thanks for the response.

I'm expecting that when a user who had checked "remember me" comes back, the session will be generated and the user_id column will be updated. This works well when the user sends a form with the correct login and password.

Quote:Why are you storing the user ID in the session as well as in a separate column in the session table? What is the purpose of modifying the session table in the first place?

Maybe it's wrong, but I don't know how to do it another way. I added a new column because in some cases I need to delete a specific user's session (for example, when a user has been banned and I want to log him out immediately), and it's quite simple to do with the new column (user_id). I would appreciate any tip if there's a better way to do it.

Cheers
#6

If you just delete the session(s) associated with the user ID from the database, it doesn't necessarily log the user out, and it potentially wastes resources on your server if the user is active and attempts to read the session data. You may find that you can't delete the session data because the session library has a lock in place, or, when the user does something which causes the server to attempt to read the data, the server may encounter an error or regenerate the session.

The whole point of a "remember me" feature is to allow the user to stay logged in longer than would be permitted by a session, so the absence of session data should not indicate anything in particular about whether the user can be authenticated.

When the user attempts to login (or is automatically logged in) the system should check whether the user has been banned (or any other status which would prevent a successful login). If the user logs out, the data related to the "remember me" feature should be removed (usually a cookie and some identifier in the database) and the user's session should be destroyed.

If the user is banned while they are active on the site, it isn't really a matter for the Authentication mechanism of your site to deal with. The best you could do as part of the Authentication mechanism would be to check whether the user is banned on each request and force a logout.

Otherwise, you're dealing with Authorization, which is related, but generally should be separate from Authentication. Authentication tells you whether the user is who they claim to be. Authorization tells you whether the user can perform a specific action. Generally, a banned user shouldn't be authorized to do anything, so being Authenticated as a banned user could potentially be worse than being logged out.

When the user attempts to create/read/update/delete some data, the system should check whether they are authorized to do so. Initially, you might not need any more authorization than "the user is authenticated and not banned". In the long term, though, there are any number of authorization systems which can be built, including role and permission systems.
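The reply above describes the shape of a sound "remember me" flow: check the account status at login and at auto-login, burn the remember-me data and destroy the session at logout, and re-check a ban on each request. Here is an added example of that flow (not code from the thread or from any CodeIgniter library), in plain PHP 7.4+ on PDO/SQLite so it runs stand-alone; in a CI app the PDO calls would be the query builder and the cookie would be set and read with CI's input/output helpers. Everything below is assumed: the table layout (the poster's `ci_users_rem` has `user_id` and `token`; this one splits the token into a public selector and a secret verifier and adds an expiry), the `users` table with the `user_status` column the poster's code reads, the 30-day lifetime, and the sample rows. Unlike the snippet in post #3, which inserts the token value itself into `ci_users_rem`, this stores only a hash of the secret, so a leaked table does not yield working cookies.

```php
<?php
// Added example: selector/verifier "remember me" tokens with status checks
// at auto-login, revocation at logout/ban, and a per-request ban check.

final class RememberMe
{
    const LIFETIME = 30 * 24 * 3600;   // assumption: 30 days

    private PDO $db;

    public function __construct(PDO $db) { $this->db = $db; }

    /** Issue a token for an account that has just been allowed to log in; returns the cookie value. */
    public function issue(int $userId, int $now): string
    {
        $selector = bin2hex(random_bytes(12));   // public lookup key, stored as-is
        $verifier = random_bytes(32);            // secret; only its hash is stored
        $stmt = $this->db->prepare(
            'INSERT INTO ci_users_rem (user_id, selector, verifier_hash, expires_at)
             VALUES (:uid, :sel, :vh, :exp)');
        $stmt->execute([':uid' => $userId, ':sel' => $selector,
                        ':vh' => hash('sha256', $verifier), ':exp' => $now + self::LIFETIME]);
        return $selector . ':' . bin2hex($verifier);
    }

    /**
     * Auto-login. Returns the user id when the cookie is valid and the account
     * is still allowed in (user_status != 0), otherwise null; any failure after
     * the selector matched deletes that token row.
     */
    public function validate(string $cookie, int $now): ?int
    {
        if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
            return null;
        }
        [, $selector, $verifierHex] = $m;
        $stmt = $this->db->prepare(
            'SELECT r.id, r.user_id, r.verifier_hash, r.expires_at, u.user_status
               FROM ci_users_rem r JOIN users u ON u.user_id = r.user_id
              WHERE r.selector = :sel');
        $stmt->execute([':sel' => $selector]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        $ok = hash_equals($row['verifier_hash'], hash('sha256', hex2bin($verifierHex)))
           && (int) $row['expires_at'] > $now
           && (int) $row['user_status'] !== 0;
        if (!$ok) {
            $this->db->prepare('DELETE FROM ci_users_rem WHERE id = :id')->execute([':id' => $row['id']]);
            return null;
        }
        return (int) $row['user_id'];
    }

    /** Logout or ban: drop every remember-me token the user holds. */
    public function revokeAll(int $userId): void
    {
        $this->db->prepare('DELETE FROM ci_users_rem WHERE user_id = :uid')->execute([':uid' => $userId]);
    }
}

/** Per-request check: a user whose account was banned mid-session is forced out. */
function userMayContinue(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT user_status FROM users WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $status = $stmt->fetchColumn();
    return $status !== false && (int) $status !== 0;
}

// --- constructed sample data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_status INTEGER)');
$db->exec('CREATE TABLE ci_users_rem (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL,
           selector TEXT NOT NULL UNIQUE, verifier_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1)");

$rm  = new RememberMe($db);
$now = time();
$cookie = $rm->issue(1, $now);
if ($rm->validate($cookie, $now) !== 1)                      throw new RuntimeException('fresh token must log alice in');
if ($rm->validate($cookie, $now + 31 * 24 * 3600) !== null)  throw new RuntimeException('expired token must be refused');

$cookie = $rm->issue(1, $now);
$db->exec('UPDATE users SET user_status = 0 WHERE user_id = 1');   // ban while a token exists
if (userMayContinue($db, 1))                 throw new RuntimeException('banned user must be forced out');
if ($rm->validate($cookie, $now) !== null)   throw new RuntimeException('banned user must not auto-login');
$rm->revokeAll(1);                           // what a logout (or the ban handler) does
echo "remember-me flow checks passed\n";
```

On logout in CodeIgniter, call `revokeAll()` for the user, clear the cookie, and destroy the session with `$this->session->sess_destroy()`; the session table then needs no user_id column, because the thing you revoke is the token, not the session row.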
#7

I laboured under the impression that I should create my own authentication library for a very long time before I realised that it is far more complex than it might seem at first. Even if my system worked, and seemed secure, it was only after quite some time that I realised it was not. This is not anything to do with CI, it is to do with online security. I now use 'ion auth', and it has been excellent. There is a learning curve, but it is a very well written library with tons of useful (and difficult to implement yourself) features, including remember me.

https://github.com/benedmunds/CodeIgniter-Ion-Auth

It is a great experience to write your own. But I would strongly recommend that you leave the authorisation and authentication to people that are, if not expert, certainly well versed, in site security. And unlike other frameworks, CI allows you to choose and implement any system that you want.

Best wishes,

Paul.