CI_Session Variable crossover in IE8
#1

[eluser]kheiron[/eluser]
Hi guys, I have never come across this problem before; I searched through the forums and still found nothing.

I have just launched a website with a custom CMS and it's sitting at the host. The customer has an internal network sitting behind a firewall and a proxy server. User1 can successfully log into the CMS with IE8; when user2 inside the network accesses the site (different computer), they get access to the CMS showing they are logged in as user1.

Another case: user1 logs in, user2 logs in (different machine), and on a refresh user1 gets "You are logged in as user2" on his screen, and the reverse is true for user2.

For some reason this only happens within their network and when they use IE8.
Can CI_Session confuse session variables between different machines at the proxy server?
Can somebody please help in this regard?

Thank you in advance
#2

[eluser]WanWizard[/eluser]
The session key (which is used to retrieve the session record) is stored in a cookie client-side. So this shouldn't happen; this means that both browsers receive the same session cookie. Can you check that this is the case? If the session cookies are different, there might be an issue with your code.

I've tested this here with one of my sites, behind a Bluecoat and a Squid proxy, but I can't reproduce this phenomenon.
#3

[eluser]kheiron[/eluser]
I have tried to use the most basic and simple approach

Below is my authentication code
=================================
function login()
{
    // User_model->login() returns the matching user row, or null on failure
    $login = $this->User_model->login();
    if ($login != null)
    {
        $id = $login->id;
        $name = $login->name;
        $surname = $login->surname;
        $type = $login->type;

        // The logged-in state is kept only in these session variables
        $newdata = array(
            'user_id' => $id,
            'name' => $name,
            'surname' => $surname,
            'type' => $type
        );
        $this->session->set_userdata($newdata);
        $this->Log_model->insert_a_log($id, $name." ".$surname." successfully logged in");

        // User types 3 and 4 go to the admin area, everyone else to requests
        if ($type == 3 || $type == 4)
        {
            redirect('admin/home');
        }
        else
        {
            redirect('department/requests');
        }
    }
    else
    {
        $data['message'] = "<p align='center' class='emsg'>Invalid Log in Credentials </p>";
        $this->load->view('authenticate/login', $data);
    }
}

==============================================

How would I check the session cookie variables? I used F12 to invoke the IE8 developer tools. What I find weird is that this only happens within their network. Also, what might be of interest is that my customer is using Windows Server 2000 as a proxy server.

Please forgive the pasted code, I'm new to the forums
#4

[eluser]WanWizard[/eluser]
Do a
Code:
var_dump($this->session->userdata);
in your code, and check the value of 'session_id'. This should be unique for all browser sessions.
#5

[eluser]kheiron[/eluser]
Thank you for that - what you recommended returned NULL, so I did a

Code:
var_dump($this->session->userdata('session_id'));

I have seen that the session_ids are different as expected.
#6

[eluser]WanWizard[/eluser]
You might have a bigger issue.

Session data is stored in the session library in the array $userdata. The userdata() method simply returns an element of this array.

If a dump of the entire array returns NULL, but the method returns the correct value (at the same point in the code), then I wonder what kind of session implementation the application has, because this is clearly not standard CI behaviour.
#7

[eluser]kheiron[/eluser]
Ohh, when I did it the first time I had forgotten that I had decided to use the Native Session Library, which was having a problem with that line of code. I have since reverted back to the CI_Session class and I'm still getting the same effect; the session_ids are different for different machines.
#8

[eluser]WanWizard[/eluser]
I understand that, I was interested in the rest of the session record.

Your session IDs are different, which would indicate that the session library works as advertised. Which leaves me to wonder how you store the user logged on state...

Did you check the contents of the sessions table, to see if there are any anomalies in the record content?
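
The comparison suggested in this thread (are the session_ids really different per browser, and does any session record look odd?) can be run over notes collected from each test machine. The following is an added example, not code from any poster or from CodeIgniter; the function name, the 'machine' label and the sample records are assumptions constructed for illustration.

```php
<?php
// Constructed sample observations (not taken from the thread). One entry per
// request: 'machine' is a label the tester writes down, 'session_id' and
// 'user_id' are what $this->session->userdata(...) returned for that request.
$observations = array(
    array('machine' => 'pc-A', 'session_id' => 'aaaa1111', 'user_id' => 1),
    array('machine' => 'pc-B', 'session_id' => 'bbbb2222', 'user_id' => 2),
    array('machine' => 'pc-C', 'session_id' => 'aaaa1111', 'user_id' => 1),
    array('machine' => 'pc-B', 'session_id' => 'bbbb2222', 'user_id' => 1),
);

// Hypothetical helper: returns human-readable findings for the tester.
function find_session_anomalies(array $observations)
{
    $machines = array(); // session_id => set of machines that presented it
    $users = array();    // session_id => set of user_ids seen in that session
    foreach ($observations as $o) {
        $machines[$o['session_id']][$o['machine']] = true;
        if ($o['user_id'] !== null) {
            $users[$o['session_id']][$o['user_id']] = true;
        }
    }

    $findings = array();
    foreach ($machines as $sid => $set) {
        // Two browsers holding one session_id means both received the same cookie.
        if (count($set) > 1) {
            $findings[] = "session $sid presented by several machines: "
                        . implode(', ', array_keys($set));
        }
    }
    foreach ($users as $sid => $set) {
        // A user_id changing inside one session deserves a look at the
        // session record, unless someone logged out and back in on that browser.
        if (count($set) > 1) {
            $findings[] = "session $sid carried several user_ids: "
                        . implode(', ', array_keys($set));
        }
    }
    return $findings;
}

foreach (find_session_anomalies($observations) as $finding) {
    echo $finding, PHP_EOL;
}
```

An empty result means every machine kept its own session_id and user_id, which matches the "works as advertised" case described above.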
#9

[eluser]kheiron[/eluser]
I do not know the significance of this, but I have realized that (on the dev environment) if the page is inactive for about 5 mins, on a refresh the session ID has changed. Is this normal in CI or is there a problem with my code? Only the session_id changes and the last activity value, which makes sense. I just don't understand why the session_id should
#10

[eluser]kheiron[/eluser]
The logged on state is kept in the session variables, I don't store them in the database



