[eluser]Las3r[/eluser]
Hi there,
I posted a message in the wrong boards earlier, so here I am in the bugs forum after spending hours and hours of error-and-trial without any results whatsoever. I've created a small CMS before (manual PHP code) and have a lot of experience with sessions, so this is my last hope in finding an answer.
My problem is rather simple:
I autoload the session library in the autoload.php, meaning it should work throughout every piece of code I am writing. Simply said: I have a login form that's being validated. After that I'm writing the username, password in a session, as follows:
Code:
    if ($this->userlogin_functions->check_user($username,$password) == FALSE)
    {
        // Wrong user + pass combination was found - relog message
        echo 'wrong user / pass';
        redirect('/login', 'location', 301);
    }
    else
    {
        // Successful login - time for sessions!
        echo 'logged in';
        $md5pass = $this->userlogin_functions->get_fn_md5_pass($username);
        $sessioninfo = array(
            'session_username' => $username,
            'session_password' => $md5pass
        );
        $this->session->set_userdata($sessioninfo);
        $session_id = $this->session->userdata('session_id');
        $session_username = $this->session->userdata('session_username');
        $session_password = $this->session->userdata('session_password');
        echo '<br />session_id: '.$session_id.'<br /> username in session: '.$session_username.'.<br />password: '.$session_password;
        echo '<br />link: <a href="/userpage">click</a>';
    }
After this piece of code it successfully shows me the session ID, the username I logged in with, and the password md5ized with our own native SQL 2005 .dll.
<b>So far, so good.</b>
Then the userpage - the 'members' page, that should only be viewable by a logged in user:
Code:
    <?php
    if ( ! defined('BASEPATH')) exit('No direct script access allowed');
    class Userpage extends Controller {
        function Userpage()
        {
            parent::Controller();
        }
        function index()
        {
            $this->load->helper(array('url'));
            $this->load->model('userlogin_functions');
            if ($this->userlogin_functions->verify_session() == FALSE)
            { echo 'no session found!';}
            else
            { echo 'you are verified and logged in';}
        }
    }
It calls the <b>verify_session function</b>, as below:
Code:
    function verify_session()
    {
        $session_id = $this->session->userdata('session_id');
        $session_username = $this->session->userdata('session_username');
        $session_password = $this->session->userdata('session_password');
        if (($session_username == FALSE) OR ($session_password == FALSE))
        {
            echo 'session id: '.$session_id;
            echo 'session username: '.$session_username;
            echo 'session_password: '.$session_password;
        }
        else
        {
            $checkcreds = 'SELECT * FROM MEMB_INFO WHERE memb___id =? AND memb__pwd = [dbo].[fn_md5](?,?)';
            $db1 = $this->load->database('accounts', TRUE);
            $verifysess= $db1->query($checkcreds,array($session_username,$session_password,$session_username));
            return ($verifysess->num_rows() != 0)?TRUE:FALSE;
        }
    }
The funny thing is that if I go to this page (userpage.php linked from the "loginsuccess-page"), it gives me "no session found!". I added some debug echoes in order to print the session_id, username and password to screen, <b>however the session_id is DIFFERENT than what it was on the login page</b>.
There is no longer any user information (username, password) stored, as this is a whole new session (or so it seems), and I'm being pushed into googling and wiki-ing for a solution. I've seen a lot of posts for database-sessions, but I'm not using this, and this is not my concern either.
I have error-n-trialed:
- Hosting on my home dev box (Windows 7 x64 - latest WAMP)
- Hosting on my production server (Red Hat Enterprise Linux - latest Apache stable)
- Changing session loading. Tried both autoload and manual load in all controllers
- 4 different browsers on 2 different PCs
- setting 'sess_time_to_update' to 0 (indeed renews sessions every second) and to 7200 (same effect as 300 (default)).
I'm using latest CI (clean copy), without any modifications or any custom stuff whatsoever - I just got started.
The settings for the sessions can be found below:
Code:
$config['sess_cookie_name'] = 'iat_web_sess';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = FALSE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 72000;
In my view, the session data should live on for the amount of time specified, and just carry the info with it as long as it takes (unless you use flashdata), and this does NOT happen with CI, not on my site, anyway.
I coded a custom piece of PHP (non-CI, no framework used) that basically uses the same login script, but in lengthy PHP, using the same queries, the same session vars, and everything, and it worked as it should, so I have no other thing to say than that this is either a bug, or a severe misconception from my point of view.
Any help or clearing up would be appreciated.
Thank you.
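A hardened variant of the session handling shown in the post, as an added example that is not part of the original post and not CodeIgniter's own code: it keeps only the username and a login flag in the session instead of the password hash, and returns an explicit result on every path. The method name `start_session`, the `logged_in` key and the two config values in the comment are assumptions made for this example; the model, database group, table and column names are taken from the post.

```php
<?php
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Assumed settings in application/config/config.php (CodeIgniter 1.x):
//   $config['sess_use_database']   = TRUE;  // userdata kept in ci_sessions, not in the cookie
//   $config['sess_encrypt_cookie'] = TRUE;  // requires $config['encryption_key'] to be set
// With both FALSE, as in the post, set_userdata() values travel in the cookie itself.

class Userlogin_functions extends Model {

    function Userlogin_functions()
    {
        parent::Model();
    }

    // Hypothetical helper: call after check_user() succeeded.
    // Stores identity only; no password and no password hash goes into the session.
    function start_session($username)
    {
        $this->session->set_userdata(array(
            'session_username' => $username,
            'logged_in'        => TRUE
        ));
    }

    // Returns TRUE only for a logged-in session whose account still exists.
    function verify_session()
    {
        $username = $this->session->userdata('session_username');

        if ($this->session->userdata('logged_in') !== TRUE OR $username === FALSE)
        {
            return FALSE; // explicit result on every path, no debug output
        }

        // Re-check the account by id only; the query stays parameterised
        $db1   = $this->load->database('accounts', TRUE);
        $query = $db1->query('SELECT memb___id FROM MEMB_INFO WHERE memb___id = ?',
                             array($username));

        if ($query->num_rows() !== 1)
        {
            $this->session->sess_destroy(); // account gone: end the session
            return FALSE;
        }
        return TRUE;
    }
}
```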