Login

kft101 · 01-23-2023, 09:59 AM

Hello. We are using CI3 and using a MySQL database for our sessions. We have "$config['sess_match_ip'] = false;" set in our config.php file, and have confirmed this config variable value via the "$this->config->item('sess_match_ip')" check. The database table to store sessions only has the "id" as a primary key (so "ip_address" is not factored into the session key). With this, our site still acts as if it's considering IP address when checking for a valid session, as users that have a rotating IP address get our "session timeout" screen after they have logged in and click through pages. We have confirmed this with several different users that see their IP addresses change when they check. We've added logging to the framework's Session.php and Session_database_driver.php files that reference the "sess_match_ip" or "match_ip" parameters, but none seem to be firing when they should not be. Anything else we can check or debug to figure this out? Thanks.

**InsiteFX** · 01-24-2023, 01:42 AM

Are you on a CloudFare server?

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

kft101 · 01-24-2023, 11:09 AM

(01-24-2023, 01:42 AM)InsiteFX Wrote: Are you on a CloudFare server?

@InsiteFX No, we are on a Rackspace server (behind a load balancer) running CentOS 7.

Thanks.

**InsiteFX** · 01-25-2023, 12:43 AM

I just looked the source code and it says this about the Match IP.

PHP Code:
/**
    * Whether to match the user's IP address when reading the session data.
    *
    * WARNING: If you're using the database driver, don't forget to update
    * your session table's PRIMARY KEY when changing this setting.
    *
    * @var bool
    */
    protected $sessionMatchIP = false; 

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

kft101 · 01-25-2023, 01:33 PM

@InsiteFX The "$sessionMatchIP" variable is a CI4 config variable. We are using CI3, but are setting the version correct "sess_match_ip" config variable appropriately to false, per the original post.

**InsiteFX** · 01-26-2023, 01:01 AM

PHP Code:
'sess_match_ip'
|
| Whether to match the user's IP address when reading the session data.
|
| WARNING: If you're using the database driver, don't forget to update
|         your session table's PRIMARY KEY when changing this setting.


For MySQL:

CREATE TABLE IF NOT EXISTS `ci_sessions` (
        `id` varchar(128) NOT NULL,
        `ip_address` varchar(45) NOT NULL,
        `timestamp` int(10) unsigned DEFAULT 0 NOT NULL,
        `data` blob NOT NULL,
        KEY `ci_sessions_timestamp` (`timestamp`)
);



You will also need to add a PRIMARY KEY depending on your ‘sess_match_ip’ setting.
The examples below work both on MySQL and PostgreSQL:

// When sess_match_ip = TRUE
ALTER TABLE ci_sessions ADD PRIMARY KEY (id, ip_address);

// When sess_match_ip = FALSE
ALTER TABLE ci_sessions ADD PRIMARY KEY (id);

// To drop a previously created primary key (use when changing the setting)
ALTER TABLE ci_sessions DROP PRIMARY KEY; 

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

superior · 01-26-2023, 01:06 AM

(01-25-2023, 01:33 PM)kft101 Wrote: @InsiteFX The "$sessionMatchIP" variable is a CI4 config variable. We are using CI3, but are setting the version correct "sess_match_ip" config variable appropriately to false, per the original post.

application/config/config.php

PHP Code:
/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy
| IP addresses from which CodeIgniter should trust headers such as
| HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
| the visitor's IP address.
|
| You can use both an array or a comma-separated list of proxy addresses,
| as well as specifying whole subnets. Here are a few examples:
|
| Comma-separated: '10.0.1.200,192.168.5.0/24'
| Array: array('10.0.1.200', '192.168.5.0/24')
*/
$config['proxy_ips'] = ''; 

kft101 · 01-26-2023, 10:56 AM

@InsiteFX @superior

Thanks for the responses. But per the original post, we already have the "sess_match_ip" config variable set to false, the ci_sessions database table created and indexed ONLY on the id. Our website and sessions are working fine for almost all users, except for the ones that have a rotating/dynamic IP address. Our current configuration SHOULD prevent the checking of IP address against the sessions, yet these users are still seeing the session expired message when they click through the pages, which indicate that CI3 is still checking the IP address when retrieving sessions.

We are not using a reverse proxy.

Anything else we can check?

Thank you.

***kenjis*** · 01-26-2023, 07:37 PM

What is our "session timeout" screen?
Can you show it?

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

kft101 · 01-30-2023, 01:20 PM

@kenjis Hi. Our "session timeout" screen is just the page our site shows when it cannot get a valid session for the current user. It's just a result of the original issue.