• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Native_session not working correctly


i'm getting crazy with this session library:


it is working, but sometimes when a user is inactive for some minutes and he refreshes the page, he appears to be logged in as another user.
i'm using email addresses as usernames, and when this problem occurs the new username is truncated near the end

i'll try to explain it better:

> user logged in as [email protected]
> user gets inactive
> user is active again, but now logged in as [email protected]

here is my session library: CLICK

first i was using CI 1.5.1 with UserAuth from this thread: http://ellislab.com/forums/viewthread/45880/
after the problem occured i tried to use native_session from the wiki
i renamed CI_Session to CI_Native_session, to stay compatible with the rest of the code, because i use native_session->flashdata a lot

$config['sess_expiration'] = 7200;

login validation on every page:
if (!$this->userauth->check('',TRUE) || !$this->userauth->loggedin()) redirect('users/login');

admin area:
        if (!$this->userauth->check('', TRUE)) {

i've just had users who were logged in as admin after this bug occured, and i don't know where the problem could be Sad

please, help me!

Is he logged OUT or logged in as another user. There has been some issues with saving data in specific cases, because of the 'session_write_close()' at the end of the session run, but I've never heard of it using another session suddenly - it seems to be an issue with your design, not the library.

at once he is logged in as another user, and can act as that user with that users permissions
what could be wrong with my design? the only thing i do with the session is logging in, and checking the login state as posted above %(

omg, i found some mistakes in my web app:
first of all, the username database field of the remember_me lib was limited to 16 characters, thats because usernames (in my case the email addresses) were truncated when they were idle !

and in the userauth lib, line 176

// Expire an inactive login
if ( $this->obj->native_session->userdata('loggedin') ) {
    $expire_time = time() - $this->obj->config->item('login_expiration');
    if ( $this->obj->native_session->userdata('last_activity') <=  $expire_time) {
        log_message('debug', "Userauth: check: inactive login, expired");

the config value "login_expiration" was not defined in the config (it also doesnt exist in the original userauth package)
i changed it to session_expiration

i also switched over to db_session

i hope that this all solves the problem Smile

the problem still exists, users get sessions of other users (different ips/browsers, ip/browser check enabled in db_session class)

same problem as reported in this post: http://ellislab.com/forums/viewthread/45...70/#224590

i think i had something silly in my database like a user without email or username, so first time visitors without a cookie ended up logged in as that user

Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  

  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.