CI session expires rapidly

#1
[eluser]herrmoinsen[/eluser]
Hi all,

I'm using the CI sessionID to store some temporary ajax data in my sql-database.

Though the $config['sess_expiration'] is set to 7200, I unfortunately get a new sessionID every … more or less 4min.

Any suggestions what might cause this?

Thanks
herrmoinsen

#2
[eluser]JHackamack[/eluser]
Have you checked your server's configuration for server session timeout?

#3
[eluser]brianw1975[/eluser]
Also check the timezone and time on your server.

IIRC there is a minor quirk in Magento where, if the timezone of the server was set differently from the settings of Magento, it would kill the session really fast or straight out expire it immediately.

#4
[eluser]aidehua[/eluser]
In your config file look at this line:

Code:
$config['sess_time_to_update']     = 300;

300 seconds (5 minutes) is the default. See the user guide at
http://ellislab.com/codeigniter/user-gui...sions.html.

Quote: A session, as far as CodeIgniter is concerned, is simply an array containing the following information:

The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)

The rest of the session data is maintained, but the sessionID is, by design, regenerated every five minutes. I think that is why you are seeing your sessionID changing "more or less every 4 minutes" ;-)

#5
[eluser]herrmoinsen[/eluser]
Thanks! THIS IS IT ;-)
Might a change to (as well) 7200 seconds cause any security issues?

#6
[eluser]aidehua[/eluser]
I think there are good reasons for the session id being regenerated regularly. Derek Allard explains it a bit here, and refers you to this Wikipedia article.

So in general, latching onto the session id as a form of long-term persistent identification is probably not the best way to go.

You could generate your own random number, though, and store it in the session user_data. That would persist for your full 7200 seconds, and then you could leave

Code:
$config['sess_time_to_update'] = 300;

in place for security.

Here's one way to do it (there may be others / better):

Code:
//Create a unique random token
$this->load->helper('string');
$token = random_string('unique') . random_string('unique');

//Add token to session user_data
$session_data = array( 'token' => $token );
$this->session->set_userdata($session_data);

//Then when you want to read the session user_data
$token = $this->session->userdata('token');
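
An added example (not part of the thread, and not CodeIgniter's own code) applying the approach from post #6 to the original question: the temporary AJAX rows are keyed by a token kept in session user_data, so they survive the five-minute session ID regeneration. It assumes CodeIgniter 2.x with the database and session libraries loaded; the controller name, the `ajax_tmp` table and its columns are hypothetical, and the token is drawn from `openssl_random_pseudo_bytes()` rather than the string helper.

```php
<?php
// Added example. Hypothetical table:
//   CREATE TABLE ajax_tmp (token CHAR(32), payload TEXT, created_at INT);
class Ajax_tmp extends CI_Controller {

    const TTL = 7200; // same lifetime as $config['sess_expiration']

    // Return the stable token for this session, creating it on first use.
    // The session ID may rotate every sess_time_to_update seconds; this
    // value lives in user_data and is carried over to the new ID.
    private function _token()
    {
        $token = $this->session->userdata('token');
        if ( ! is_string($token) OR ! preg_match('/^[0-9a-f]{32}$/', $token))
        {
            // 128 bits from the OS random source, hex encoded
            $token = bin2hex(openssl_random_pseudo_bytes(16));
            $this->session->set_userdata('token', $token);
        }
        return $token;
    }

    // POST: store a temporary value under the token, not the session ID.
    public function store()
    {
        $this->db->insert('ajax_tmp', array(
            'token'      => $this->_token(),
            'payload'    => (string) $this->input->post('payload'),
            'created_at' => time(),
        ));
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array('ok' => TRUE)));
    }

    // GET: purge rows older than TTL, then return this token's rows.
    public function fetch()
    {
        $this->db->delete('ajax_tmp', array('created_at <' => time() - self::TTL));
        $rows = $this->db->select('payload, created_at')
                         ->where('token', $this->_token())
                         ->get('ajax_tmp')
                         ->result_array();
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode($rows));
    }
}
```

With `sess_time_to_update` left at 300, the cookie's session ID keeps rotating while `token` stays constant for the life of the session.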

#7
[eluser]joao.sobrinho[/eluser]
In my application I'm having the same type of problem...

After the 5 minutes, (or whatever time I put in $config['sess_time_to_update'] ) the session expires and the user is redirected to login screen.

Somehow, it seems that when it regenerates, it's losing the previous session and the previous session data.

I have these configurations in the config.php file:


Code:
$config['sess_cookie_name']    = 'ci_session';
$config['sess_expiration']    = 7200;
$config['sess_encrypt_cookie']    = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']    = 'ci_sessions';
$config['sess_match_ip']    = TRUE;
$config['sess_match_useragent']    = TRUE;
$config['sess_time_to_update']  = 300;

How can I make the session keep the data for 2 hours after the last request from the user?

#8
[eluser]joao.sobrinho[/eluser]
I've been checking and this only happens when I use the database.

I think it is a bug from the SESSION Class that does not get the previous data from the session.

#9
[eluser]joao.sobrinho[/eluser]
Hi again.

I've come closer to the center of my problem, once again...

I've 6 CI installations in the following organization:

1 base CI to control logins, passwords change, etc.
other 5 CI's inside of that one where I redirect each user depending on his role in the application.

So I get:

base app:

localhost/base_app

other apps:

localhost/base_app/app1
localhost/base_app/app2
etc

The problem is that the session is created in the base_app. When it is that app updating it, it's all OK!

But when it is the other apps that try to update the session data, it simply loses the session data and comes back to the login screen.


Can anyone help me solve this? I've been searching for this for 2 days but with no result... the users keep complaining that they are losing the login just after some clicks...

#10
[eluser]joao.sobrinho[/eluser]
The problem continues... sometimes, the session randomly expires and loses the user data... can anyone help me with this?

