Need help understanding sessions
#1

[eluser]Buso[/eluser]
What does 'sess_match_useragent' exactly do?

I thought it would destroy the session if the useragent was different and create a new one (which is what I want), but it seems that's not how it works. Any ideas on how I can make that happen? I want unique sessions, e.g. if someone is logged in, and then his IP or useragent changes, the session gets updated/regenerated, so he can't be logged in with different browsers/IPs at the same time.

This is what the user guide says: 'sess_match_useragent: Whether to match the User Agent when reading the session data'.
#2

[eluser]bretticus[/eluser]
How are you testing? I haven't used this but it seems obvious that this feature is for preventing session cookies from being replayed from another browser/device. It would seem to be an obvious security feature. Are you using the Tamperdata plugin or another way to modify the HTTP headers being sent to the website?

Even so, matching sessions on IP or anything else is as easy as storing the IP/user agent as part of the session data and testing it each time. However, it's not a great idea. Even the CI manual warns about using the IP feature:

Quote: Whether to match the user's IP address when reading the session data. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to FALSE.

That means if you have users coming via a proxy array of servers, they may have several IPs (unknown to them).
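
The approach described in post #2 (store the user agent, and optionally the IP, in the session data and test it on each request), as an added example that is not part of the original thread and is not CodeIgniter's own code. It is plain PHP with an array standing in for the session store; the function names and sample user-agent strings are hypothetical.

```php
<?php
// Added example: an array stands in for the session store.
// Function names and sample values are hypothetical / constructed.

// Fingerprint the client attributes the session is bound to.
function client_fingerprint(string $userAgent, ?string $ip = null): string
{
    // Binding to the IP is optional: dynamic ISP addresses and proxy
    // arrays can change it mid-session, as the quoted manual note warns.
    $parts = [trim($userAgent)];
    if ($ip !== null) {
        $parts[] = $ip;
    }
    return hash('sha256', implode("\n", $parts));
}

// Call at login: record what the session is bound to.
function bind_session(array &$session, int $userId, string $ua, ?string $ip = null): void
{
    $session = ['user_id' => $userId, 'fingerprint' => client_fingerprint($ua, $ip)];
}

// Call on every request. Returns true while the session is still valid.
// On a mismatch the session data is wiped, which forces a fresh login.
function check_session(array &$session, string $ua, ?string $ip = null): bool
{
    if (!isset($session['user_id'], $session['fingerprint'])) {
        return false;
    }
    if (!hash_equals($session['fingerprint'], client_fingerprint($ua, $ip))) {
        $session = [];
        return false;
    }
    return true;
}

// Constructed sample requests.
$firefox = 'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0';
$other   = 'ExampleBrowser/1.0 (constructed)';

$session = [];
bind_session($session, 42, $firefox);
var_dump(check_session($session, $firefox)); // same browser as at login
var_dump(check_session($session, $other));   // same cookie, different user agent
var_dump(check_session($session, $firefox)); // session was wiped by the mismatch
```

This only rejects a session cookie presented with different client attributes, and the User-Agent header is client-supplied, so it is a low-cost check rather than proof of identity. A second login from another browser still gets its own session, so allowing one session per user needs a server-side record of each user's current session ID.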



