authentication session id

#1
[eluser]Xavier D.[/eluser]
Hi,

I have an authentication class which compares the session id stored in the database with the session id from the userdata session cookie.

Works fine, but when the session id is changing, the user is logged out.

I changed the time to update to 3600, but it is still not foolproof.

Is there a way for the session id to stay the same while exploring the site? It is a big site, with chat and everything, so people can spend a lot of time there, and it is not very useful if they are logged out after 1 hour.



$config['sess_match_ip'] = FALSE; // maybe set to TRUE (extra security?)
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 3600;

#2
[eluser]Xavier D.[/eluser]
Next step.

I've created an extra table ci_sessions as mentioned in the user guide.

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;

sess_expiration = 7200 sec (2 hours): if someone stays longer than 2 hours, he is logged out ...
Not good, because I think the session_id expiration needs to restart after every click on the website.

Another thing: when logging out, manually or by expiration, the ci_sessions table creates a new row, which can become very messy if you have 1K or more users ...

Do I need to manually delete the rows?

Also, user_id is not stored in the sessions database, which seems to be needed if you want to authenticate and return the user_id.

I tried setting expiration and time to update to 5 sec.: logged out after 5 sec.
With only time to update at 5 seconds, CI creates a new session id every 5 seconds.

It is not clear to me ... is this a bug?

thx for your help!

#3
[eluser]Xavier D.[/eluser]
$config['sess_expiration'] = 0;
$config['sess_time_to_update'] = FALSE;

My solution: keep the session persistent and store the session_id in the users database. Before you ask for user details, you check whether the user_id and session_id correspond to each other.

true -> returns user_id
false -> returns 0 and user gets logged out.

seems like the only solution.
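
The check described in post #3, written out as an added example that is not part of the original thread or of CodeIgniter. The `users` table, its `session_id` and `last_activity` columns, the function name and the 7200-second idle limit are assumptions; the idle limit restarts on every request, which is the behaviour asked for in post #2.

```php
<?php
// Added example. Table/column names and IDLE_LIMIT are assumptions, not CodeIgniter's schema.
const IDLE_LIMIT = 7200; // seconds of inactivity before the stored session id is dropped

// Returns the user id when the cookie's session id matches the one bound to the
// account and the account has been active recently; returns 0 otherwise.
function authenticated_user_id(PDO $db, int $userId, string $cookieSessionId, int $now): int
{
    $stmt = $db->prepare('SELECT session_id, last_activity FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user, or no session currently bound to the account.
    if ($row === false || $row['session_id'] === null) {
        return 0;
    }
    // Constant-time comparison, so response timing does not leak how much of the id matched.
    if (!hash_equals((string) $row['session_id'], $cookieSessionId)) {
        return 0;
    }
    // Idle too long: unbind the session id so an old cookie cannot be reused later.
    if ($now - (int) $row['last_activity'] > IDLE_LIMIT) {
        $db->prepare('UPDATE users SET session_id = NULL WHERE id = ?')->execute([$userId]);
        return 0;
    }
    // Valid request: restart the idle timer (sliding expiration on every click).
    $db->prepare('UPDATE users SET last_activity = ? WHERE id = ?')->execute([$now, $userId]);
    return $userId;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_id TEXT, last_activity INTEGER)');
$sid = bin2hex(random_bytes(16)); // session id issued at login
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')->execute([$sid, 1000]);

var_dump(authenticated_user_id($db, 1, $sid, 1500));                   // matching id, recently active
var_dump(authenticated_user_id($db, 1, 'forged-id', 1600));            // id does not match
var_dump(authenticated_user_id($db, 1, $sid, 1500 + IDLE_LIMIT + 1));  // idle past the limit
var_dump(authenticated_user_id($db, 1, $sid, 1500 + IDLE_LIMIT + 2));  // old cookie after unbinding
```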

