CodeIgniter Session Problems Thread

[eluser]bikuta[/eluser]
Hi,

I have a weird problem and I don't know if it has something to do with the computer itself or if it's how I've implemented the authentication.
I'm using CI 1.7.2 using the built in session class and it all works fine for the majority of users, except one user who can't seem to keep his session alive.
He's on Win XP and tried both Chrome and IE7.

So basically he logs in and as soon as it redirects him to the home page, it logs him out.
I can see that the session info is being created in the sessions table, but Chrome and IE7 can't seem to authenticate against it.

So eventually we tried Firefox on his machine and it works!

So does anyone have any idea, why it's not working for Chrome and IE7?

[eluser]WanWizard[/eluser]
And the 'majority of users' don't have problems with IE7 or Chrome? Or do they all use other browsers?

[eluser]bikuta[/eluser]
He's the only one that's got the issue. I've tried to use Chrome and IE7 (VM fusion) on my mac and the site auth works fine.

[eluser]cogitsolutions[/eluser]
was facing same problem of session with IE 8. Many threads suggested for underscore, timezone difference. Real problem is timezone difference. CI creates cookie with server time and IE checks expiry related to client timezone. And here issues comes. You can not change time zone of online server to match clients from all over world. The better solution is change cookie / session expiry time. By default it is two hours. Change it to 24 hours and problem will be solved.

In config.php file change value of following variable

from two hours

$config[‘sess_expiration’] = 7200;

to 24 hours

$config[‘sess_expiration’] = 3600 * 24;

check http://www.cogitsolutions.com/blog/2011/...n-problem/

[eluser]jedd[/eluser]
[quote author="cogitsolutions" date="1307129788"]By default it is two hours. Change it to 24 hours and problem will be solved.[/quote]

While this will probably solve the problem, it's not ideal. I don't know of any other actual solutions to the problem though.

FWIW, the two extreme time zones on Earth differ by 26 hours, but I doubt you are likely to have a server in one and a client in the other.

[eluser]WanWizard[/eluser]
The timestamp of a cookie in the headers is specified in GMT, which browsers convert to local time before verification.

The problem here is that CI allows you to define the time as either server- or gmt time in your configuration (which is ok), but the session library uses this value to determine the value of now (not ok!). So if you have set your config to local time, and the difference between your local time and GMT is 6 hours, your session cookie timestamp will be 6 hours off.

This needs to be fixed in the session library (always use GMT for the cookie expiry timestamp). This is a know issue for ages, but apparently nobody has fixed it yet, since it's still present in reactor.

[eluser]cogitsolutions[/eluser]
[quote author="jedd" date="1307130289"]
While this will probably solve the problem, it's not ideal. I don't know of any other actual solutions to the problem though.

FWIW, the two extreme time zones on Earth differ by 26 hours, but I doubt you are likely to have a server in one and a client in the other.[/quote]

I know this is not idea but as I see this is only solution without editing core files. In config there is option to close session when browser is closed. We can set that to make it more secure. I did not try that whether it actually works or not but seems it should work.

thanks for time zone info. One should change it from 24 to 26 but mostly that may not required because most of the servers are US based. Also most of the site are targeted for specific territory only.

[eluser]WanWizard[/eluser]
It should indeed be fixed by Ellislab or the reactor team.

This bug has been there for years, but appearantly hasn't bothered anyone enough to complain about it...

[eluser]Pakm@n[/eluser]
[quote author="Jonathan Angel" date="1259873112"]For those looking for a fix, I have resolved my problem:

I took a few minutes to diagnose the same problems described with CI Sessions and DX Auth.

First, I synchronized both server and client time (both where wrong). Temporarily the problem subsided; however, it mysteriously stopped storing the session. So.. I checked the database and no session or login attempt was being recorded.

Second, I began reading this and other discussions and found that by removing the underscore (_) in the CI config.php file, the problem was resolved.

Original:

Code:

$config['sess_cookie_name'] = 'ci_session';

Modification:

Code:

$config['sess_cookie_name'] = 'cisession';

I no longer have a problem with sessions in IE8 on WinXP.

For those that attempt to resolve their problem using these methods, please post your results, good or bad. By the way... uber-fan of CI.[/quote]



I tried this and it worked im using a windows 7 with IE8.
It's incredible how many people still use that piece of crap.
Thanks for your help :lol:

[eluser]CroNiX[/eluser]
I've proposed removing the underscore in the core via a pull request and it was rejected by Derek Jones himself stating that an underscore is valid in cookie names. So, it's not likely to get fixed, even though it solves many peoples problems, 'valid' or not.