Solution to session data loss when using AJAX

#21
[eluser]Peter Ivanov[/eluser]
[quote author="vickel" date="1295549885"]Is there anybody who could make session2.0 work on CI 1.7.3.; I couldn't ...[/quote]


Any news?

#22
[eluser]Chillahan[/eluser]
Guys, I too am confused by this. Some questions:

a) The initial fix here would fix the race condition, right, because as long as they're all AJAX requests that are racing one another, then the session will never update the id, and all will be good. So I am confused why this does not work for slowgary (unless his issue is with regular requests racing, not just AJAX).

b) I experimented with CSRF library (see post URL below). There, it implicitly trusts cookie if set, and does not regenerate key. But once the cookie expires, there is still a problem.

http://ellislab.com/forums/viewthread/189915/

c) To expand on above, I don't get WHY there is a problem (with CSRF or with Session), because when I set my own cookie, I can see it being created in the browser's cookie list in real-time! I.e., I fire an AJAX request, the controller sets a cookie using the cookie helper (which is same as input setter), and I see the cookie appear, and all this is while the JavaScript is timing out for 10 seconds so that I can be sure nothing else happens before cookie appears.

To me it seems there must be some underlying way the cookie is being set by CI in the Session and CSRF that is somehow different, or something in the order of preparation of the return, but I haven't looked into it and cannot imagine what would differ. But doesn't it seem that both the Session and CSRF issues could be fixed with AJAX if the underlying code in each simply set the cookie in a way that works like the way it works when I set it manually during an AJAX request?

Or are there differences in cookie availability during AJAX requests among browsers/platforms that make the setting of a cookie during such request unreliable as a whole, and thus a nonstarter?

#23
[eluser]InsiteFX[/eluser]
The CSRF cookie has an expire time of 2 hours and is not settable. The session cookie can expire during AJAX updates or when changing pages, this is why you need to use the below.

The old code should be replaced with this for CI 2.0+!
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session {

/**
* Update an existing session
*
* @access    public
* @return    void
*/
    public function sess_update()
    {
       // skip the session update if this is an AJAX call!
       if ( ! is_ajax_request())
       {
           parent::sess_update();
       }
    }

}

/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */

// the is_ajax_request() is now a method in CI 2.0+ See: system/core/input.php at the bottom.

InsiteFX

#24
[eluser]Chillahan[/eluser]
Good point on the update, no need to declare an ajax request constant when the method is there now.

On the CSRF - if you edit the time value in the security library, you can set it to whatever. I find that when set to 1 second, it causes a lot of problems, apparently it doesn't really handle a constantly changing id too well (even though it does implicitly trust the cookie's value - actually, it is BECAUSE it trusts the cookie's value, but the cookie has since expired, so basically the same problem as for ajax requests).

So my overall questions still stand - why is CI not setting cookies during ajax requests, when I can set a cookie via the set_cookie helper?

And assuming it could, wouldn't that fix all problems with the session and csrf features during ajax requests?

#25
[eluser]InsiteFX[/eluser]
This has been discussed here many times before, to do it the correct way would require a complete re-write of the Session Class.

InsiteFX

#26
[eluser]Chillahan[/eluser]
Right, but I haven't seen the core reason - is it to do with the way the cookies are written from the Session Class? Or some other overall issue? I am fine using the fix in this thread, just still confused why it can't just set the cookies the way I would manually - I mean, would that be a fix, or am I missing some other problems?

#27
[eluser]Benito[/eluser]
[quote author="InsiteFX" date="1306377211"]The CSRF cookie has an expire time of 2 hours and is not settable. The session cookie can expire during AJAX updates or when changing pages, this is why you need to use the below.

The old code should be replaced with this for CI 2.0+!
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session {

/**
* Update an existing session
*
* @access    public
* @return    void
*/
    public function sess_update()
    {
       // skip the session update if this is an AJAX call!
       if ( ! is_ajax_request())
       {
           parent::sess_update();
       }
    }

}

/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */

// the is_ajax_request() is now a method in CI 2.0+ See: system/core/input.php at the bottom.

InsiteFX[/quote]

Do you mean?
Code:
if ( ! $this->CI->input->is_ajax_request())

#28
[eluser]Chillahan[/eluser]
Would like a response to my question too - is the basic issue that cookies are not able to be set during AJAX requests?

#29
[eluser]InsiteFX[/eluser]
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session {

/**
* Update an existing session
*
* @access    public
* @return    void
*/
    public function sess_update()
    {
       $CI = get_instance();

       // skip the session update if this is an AJAX call!
       if ( ! $this->CI->input->is_ajax_request())
       {
           parent::sess_update();
       }
    }

}

/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */

// the is_ajax_request() is now a method in CI 2.0+ See: system/core/input.php at the bottom.
The Input Library is loaded by CI.

InsiteFX
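
The race this thread is about, and what the sess_update() override changes, as an added example that is not part of any post and is not CodeIgniter's code: a simplified in-memory model in which rotating the session ID makes the old cookie value stop matching. ToySessionStore, handle_request() and the sample IDs and data are hypothetical.

```php
<?php
// Added example: simplified in-memory model of session ID rotation, not CodeIgniter code.
// ToySessionStore and handle_request() are hypothetical names; IDs and data are constructed.
class ToySessionStore
{
    private $rows = array();   // session_id => userdata
    private $counter = 0;
    public function create(array $data = array())
    {
        $id = 'sid' . (++$this->counter);
        $this->rows[$id] = $data;
        return $id;
    }

    public function read($id)
    {
        return isset($this->rows[$id]) ? $this->rows[$id] : null;
    }

    // Stands in for sess_update(): the row moves to a fresh ID, the old ID stops matching.
    public function rotate($old_id)
    {
        $new_id = $this->create($this->rows[$old_id]);
        unset($this->rows[$old_id]);
        return $new_id;
    }
}

// One request whose update interval has elapsed. Returns array(cookie sent back, userdata seen).
function handle_request(ToySessionStore $store, $cookie, $is_ajax, $skip_on_ajax)
{
    $data = $store->read($cookie);
    if ($data === null) {
        return array($store->create(), array());   // unknown ID: new empty session, cookie overwritten
    }
    if ($is_ajax && $skip_on_ajax) {
        return array($cookie, $data);               // MY_Session behaviour: no rotation
    }
    return array($store->rotate($cookie), $data);
}

foreach (array(false, true) as $skip) {
    $store = new ToySessionStore();
    $old = $store->create(array('user_id' => 42));
    // Two AJAX calls leave the browser together, both carrying the same cookie value.
    list($c1, $d1) = handle_request($store, $old, true, $skip);
    list($c2, $d2) = handle_request($store, $old, true, $skip);
    printf("skip=%s first=%s second=%s\n", var_export($skip, true), json_encode($d1), json_encode($d2));
}
```

With the skip off, the second call reads an empty session and its response overwrites the cookie; with it on, both calls see the stored data. CodeIgniter's is_ajax_request() decides this from the X-Requested-With request header, so rotation then happens only on requests that do not carry it.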

#30
[eluser]Chillahan[/eluser]
Insite, do you have any insight on my suggested solution and potential issue (setting cookie via AJAX)? From what I understand, there should be no issue whatsoever setting cookies during ajax calls. So why can't the session class write its session and csrf cookies during ajax calls like during any other? Then there would be no problems whatsoever.

