IE browser not terminating session even after logging out?
#11

[eluser]WanWizard[/eluser]
I'm not sure I can help you. There was another thread recently with exactly the same problem, and we weren't able to fix it then.

You say you're using database sessions. Which means all userdata is stored in the session table, and a cookie is sent to the client with only the fields needed to identify the session. There is no userdata in this cookie. A sess_destroy() deletes the session record from the table, and by doing that it deletes all userdata that belongs to that session. This is proven during your debug session, the table is empty.

This in itself is weird, because when you use sessions you always have a session record, it is created in the constructor of the session library. It looks like you don't load the session library on every page request.
It also looks like you have a mixed environment of database and cookie sessions for some reason. Because somewhere a cookie is created that does contain userdata.

Then user2 logs in. The login is valid, a new session record is created, and it correctly contains the userdata of user2. However, $this->session contains the previous session record (not only userdata, but also the old session_id). This is strange, and could only happen when you use the session library without a database, in which case the userdata is stored in the cookie as well.

Where exactly do you load the session library? And which configuration do you use for the session library? Why is it sometimes active, and sometimes not? Why does it sometimes create a cookie, and sometimes use the database?
#12

[eluser]novice32[/eluser]
See below for settings in autoload.php and config.php. Let me know if I incorrectly configured them. Also, why do you say session library "sometimes active, and sometimes not"?

Code:
/*** autoload.php **/
$autoload['libraries'] = array('database', 'session','form_validation');

/*** config.php ***/

$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']        = 14400;
$config['sess_encrypt_cookie']    = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']        = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent']    = TRUE;
$config['sess_time_to_update']     = 14400;


$config['cookie_prefix']    = "mydomain";
$config['cookie_domain']    = "";
$config['cookie_path']        = "/";

....

$config['time_reference'] = 'local';
#13

[eluser]WanWizard[/eluser]
I don't see an immediate error in that config. The only obvious difference with my setup is I have a cookie_name without underscore, and no cookie_prefix defined.

What I mean with sometimes active, sometimes not, is related to your debug information posted above. I assumed that you checked your database table 'ci_sessions' every time after a page load had finished.

You load the session library using autoload, so it should always be loaded. Right? The session library, in the constructor, checks if a valid session exists, and if not, creates one. So after a page load, any page, a session record should exist for your current session. Yet, you say that after you logged out, you were redirected to user/login, and NO session record existed. This baffles me.

I'm currently doing some tests here, with a sess_destroy() call after logout which I don't use (I want to retain session information related to the user, so I delete logged-in session information only when a user logs out).

Funny thing is that I can sometimes reproduce this issue, even with Firefox! I've been loggin' in and out for the last 15 minutes, and on some logins I get userdata back while I am sure the session record is deleted!

I'll try to figure out what is causing this...

Edit: sorry, my bad. Some error was causing another cookie not to be erased. So still clueless...
#14

[eluser]WanWizard[/eluser]
Nope, sorry, I can't reproduce it here.

I suggest you add some debugging to the session library, using log_message(), and use something you can easily filter out from the rest.
Add a log_message at the beginning of every method, after every assignment to $this->userdata (add 'serialize($this->userdata)' to the log message so you know what has been assigned or erased), and before deleting a session record.

Then recreate your problem, and try to find something wrong with the sequence of calls in the log. If you want me to have a look at your (filtered) log, send it to me via PM.
#15

[eluser]Bart v B[/eluser]
And what if you revalidate your header?

Try this in your controller:
Code:
<?php
function __construct() {

    parent::Controller();

    // Ask the browser and any proxies not to store or reuse this response
    $this->output->set_header('Last-Modified: ' . gmdate("D, d M Y H:i:s") . ' GMT');
    $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
    $this->output->set_header('Pragma: no-cache');
    $this->output->set_header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
}
?>
#16

[eluser]novice32[/eluser]
Yes!!!! I found the issue. Cached data (from IE browser) is being returned. The "myapp" view includes an Adobe Flex application which, when it loads, calls a controller to get the user who's logged in (it calls controller profile, method GetUser). If I directly access method GetUser, it shows the cached data, and when I refresh, it shows the correct session information.

I also used DebugBar v5.4.1 for IE and confirmed the issue.

When USER1 logs in:

Request start time: Mon, 17 May 2010 21:59:26
Connecting time: Already connected (Keepalive: using existing socket)
Headers exchange time: 85 ms
Data transmission time: 0 ms

When USER2 logs in:

Request start time: Mon, 17 May 2010 21:59:47
All request retrieved from cache (no server request)

Bart v B:

I added your set_header but it still returns cached data. Maybe I need to pass a "random" parameter value when I call profile/GetUser, such as profile/GetUser?CurrentTime()

Let me know if you have any other tips.

WanWizard thanks for all your help!!

CI rocks!!
#17

[eluser]novice32[/eluser]
Issue has been resolved. Close thread. In ActionScript, I appended a random number to the method (profile/GetUser/rand_number). This forced the silly IE browser not to return cached data.

Bart v B, I couldn't get your set_header to work.
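
Added example, not part of the original thread: a small Python check that classifies, from its headers, whether a browser may reuse a response without contacting the server, which is the condition behind the "retrieved from cache (no server request)" line in post #16. The sample paths and header sets are constructed for illustration (the thread does not show the real response headers), and all function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def http_date(value):
    """Parse an HTTP date; None when absent or malformed (e.g. 'Expires: 0')."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def browser_cache_verdict(headers):
    """'not-stored' | 'revalidate' | 'fresh' | 'heuristic' for a 200 GET response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"            # nothing is kept in the cache
    if "no-cache" in cc:
        return "revalidate"            # server is asked before every reuse
    if "max-age" in cc:
        age = cc["max-age"] or ""
        return "fresh" if age.isdigit() and int(age) > 0 else "revalidate"
    if "expires" in h:
        expires = http_date(h["expires"])
        served = http_date(h.get("date")) or datetime.now(timezone.utc)
        return "fresh" if expires and expires > served else "revalidate"
    return "heuristic"                 # no lifetime given: the cache may choose one

def served_without_server_request(responses):
    """Paths whose response a browser may reuse without contacting the server."""
    return sorted(p for p, h in responses.items()
                  if browser_cache_verdict(h) in ("fresh", "heuristic"))

# Constructed sample responses; the thread does not show the real headers.
SAMPLES = {
    "profile/GetUser (no cache headers)": {"Date": "Mon, 17 May 2010 21:59:26 GMT"},
    "profile/GetUser (headers from post #15)": {
        "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
        "Pragma": "no-cache", "Expires": "Mon, 26 Jul 1997 05:00:00 GMT"},
    "static/logo.png (hypothetical)": {"Cache-Control": "private, max-age=600"},
}
```

Any per-user endpoint that `served_without_server_request` lists can show one user's data to the next person who logs in on the same browser, even though the server-side session record has been deleted.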
#18

[eluser]ladooboy[/eluser]
Hello !

I've got the same problem in IE using CI session library.

When I log out, I can still access the member page as IE caches the details and therefore every time I refresh it shows me it's logged in (although the data was deleted from DB).

When I clear out the cache (NOT cookie) then it shows me that I am logged off.

Is there any other solution than using ActionScript?
#19

[eluser]WanWizard[/eluser]
Which details are cached? Where?

No matter what I try here, I can't reproduce it. Even if I log out and then use the back button to go to a 'member' page, as soon as I refresh or click on any link the site redirects me to the login page.

To rule out anything local (e.g. an IE setting or proxy issues), could you try to reproduce it on my demo site?
#20

[eluser]ladooboy[/eluser]
Hi !

I've just changed to Hybrid Session and everything seems to work now. Must have been a problem with the CI Session as logout works now in IE as well.
Basically the session was cached (email, session_id, user_agent, everything!). So the site thought that I was still logged in although I actually was not!


If you provide me some login details for your ExiteCMS site, I can try to login and see if I can recreate the problem on the site.



