session mixup!
#1

[eluser]Isos[/eluser]
Hi,

I am facing a strange and big problem.

I have an application with many roles (groups). One role has lots of users from all around the world, around 900 of them from Kenya. I received lots of reports from the Kenyans in particular that when they log in they find different information belonging to many different people. So one might log in and find another person's info; he logs out, logs in again and finds another one, different from the previous!

I am really confused. The application works so well with the other roles, which use common scripts in an extended class that validates sessions and everything! I even created a cookie to force more validation: when a user logs in and his username and password are validated, the userid fetched from the db is registered in a cookie as well as in the session. So on every page there is a validation to check that the userid in the session is the same as the one in the cookie; otherwise the session is destroyed to force a logout!

I thought this could be because of the session ID being tackled through the same ISP that the users may be using, or a certain IP or something. I am not that expert in protocols and how these things behave, but I am more confident it's a bug in the CI session library and related to the table!

Please advise, what could this be?

Thanks.
#2

[eluser]Isos[/eluser]
For more info, this is the cookie and session section of my config:

Code:
$config['sess_cookie_name']      = 'ci_session';
$config['sess_expiration']       = 0;
$config['sess_encrypt_cookie']   = TRUE;
$config['sess_use_database']     = TRUE;
$config['sess_table_name']       = 'ci_sessions';
$config['sess_match_ip']         = FALSE;
$config['sess_match_useragent']  = FALSE;
// I had to set this to never update because of a problem with more than one ajax request
// running simultaneously at the time of update, just to prevent session destruction;
// but my problem happened even before I did this.
$config['sess_time_to_update']   = (60*60*24*30);

$config['cookie_prefix']         = "";
$config['cookie_domain']         = "";
$config['cookie_path']           = "/";

I use PHP 5.2.5
CI 1.7.0
Apache 2

Below is the code that validates the username and password:
Code:
function trylogin($login, $password, $session = true){

    $this->session->set_userdata('last_activity', time());

    if($login != '' && $password != ''){
        $site_id = $this->config->item('this_site_id');
        // Accept either a plain password or one already hashed with sha1 (40 hex chars)
        if(strlen($password) != 40) $password = sha1($password);
        if ($this->user_group->testLogin($login, $password, $site_id) == TRUE ) {
            $userInfo = $this->user_group->getSystemUserInfo($login, $site_id);
            $getUserId = $userInfo->userid;
            $username = $userInfo->username;
            $this->user_group->dateStampLogin($username);
            $userTimeZone = $userInfo->timezone;
            $fullname = $userInfo->fullname;
            $user_email = $userInfo->email;
            $user_site_id = $userInfo->site_id;
            $sessdata = array('username' => $username, 'userid' => $getUserId, 'loggedin' => TRUE, 'timezone' => $userTimeZone);
            $sessdata['email'] = $user_email;
            $sessdata['fullname'] = $fullname;
            $sessdata['siteid'] = $user_site_id;
            $sessdata['role'] = $this->user_group->getusergroupname($getUserId);
            // Cookie named after the role (the group name of the user), holding the hashed userid
            setcookie(md5($sessdata['role']), md5($getUserId), 0, "/");
            $this->session->set_userdata($sessdata);
            if($session == false){
                return $sessdata;
            }
            return TRUE;
        }
        // Credentials rejected: return FALSE explicitly instead of falling through with NULL
        return FALSE;
    } else {
        return FALSE;
    }
}

Now in the common class that each controller extends I run this:
Code:
// Destroy the session when the role cookie does not match the userid held in the session
if(isset($_COOKIE[md5($this->role)]) && $_COOKIE[md5($this->role)] != md5($this->session->userdata('userid'))) {
    $this->session->sess_destroy();
}

Hope this info helps.
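A forgery-resistant form of the cookie/session cross-check described in post #1, as an added example that is not Isos's code: it binds the userid to a server-side secret with an HMAC instead of storing a bare md5 of the id, so a matching cookie cannot be produced by anyone who merely knows or guesses a userid. The secret `$secret` and the cookie name `uid_bind` are assumptions; only `hash_hmac` and `setcookie` are used, both available on PHP 5.2.

```php
<?php
// Added example (not from the original post). Assumes a server-side
// secret $secret loaded from config and a cookie named 'uid_bind'.

// Constant-time string comparison for PHP < 5.6, which lacks hash_equals().
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Value stored in the binding cookie at login: HMAC of the userid under
// the server secret. Unlike md5($userid) it is not computable from the id alone.
function make_binding($userid, $secret) {
    return hash_hmac('sha256', (string) $userid, $secret);
}

// Call at login, after the session has been populated.
function set_binding_cookie($userid, $secret) {
    // expire 0 = browser session, path '/', no domain, secure off, HttpOnly on
    setcookie('uid_bind', make_binding($userid, $secret), 0, '/', '', false, true);
}

// Call on every request before rendering user data. True only when the
// cookie matches the userid currently held in the session.
function binding_is_valid($cookie_value, $session_userid, $secret) {
    if ($cookie_value === null || $session_userid === null || $session_userid === false) {
        return false;
    }
    return same_string($cookie_value, make_binding($session_userid, $secret));
}

// Usage inside the shared controller check, in place of the md5 comparison:
// $cookie = isset($_COOKIE['uid_bind']) ? $_COOKIE['uid_bind'] : null;
// if (!binding_is_valid($cookie, $this->session->userdata('userid'), $secret)) {
//     $this->session->sess_destroy();
// }
```

This only confirms that the browser presenting the session also holds a binding cookie issued for the same userid; if both the session cookie and the binding cookie reach the wrong client together, the check cannot distinguish that client from the real user.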



