Session creates new session id on every page load

#61
[eluser]DamonBrooks[/eluser]
I have the same problem; none of the above-mentioned solutions worked. I would be happy if somebody from EllisLab would take care of the issue, because it seems to be a major problem...

If the problem cannot be resolved I'd have to replace CodeIgniter...

#62
[eluser]DamonBrooks[/eluser]
Today I did the same things as yesterday, but surprisingly I got different results...

what I did:
- no checking for user-agent
- all MySQL tables set from varchar to text
- remove all characters except a..z from the cookie name (I have a special character in the domain name)

It works now, but I don't know why... that is bad.

#63
[eluser]phanku[/eluser]
I also have this issue.
I have been up and down this thread and tried everything to make this work.
I am planning on using CodeIgniter for a huge project and am currently only doing a small project, before I begin working on the large project, to identify possible issues.
As it stands, one issue I have identified is CodeIgniter's session handler.
Currently I am using a small Linux box that is behind a router that redirects the connections to the Linux box via port forwarding to port 80. I am using a DDYNS to access the box on port number 8080.
The Apache service on the Linux box listens on port 80.
My CI instance is hosted in the /ci directory.

Now for the sake of ease I will include all the information about my server and settings here.

Config.php:
Code:
$config['base_url'] = '';
$config['sess_cookie_name']  = 'CIPSSSERVER';
$config['sess_expiration']  = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name']  = 'ci_sessions';
$config['sess_match_ip']  = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update'] = 7200;

$config['cookie_prefix'] = "";
$config['cookie_domain'] = ".kicks-ass.org";
$config['cookie_path']  = "/ci";
$config['cookie_secure'] = FALSE;

.htaccess file in /ci directory:
Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} !/webdav
RewriteCond $1 !^(index\.php|images)
   RewriteRule ^(.*)$ /ci/index.php/$1 [L]

Apache config:
Code:
<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www
   <Directory />
      Options FollowSymLinks
      AllowOverride None
   </Directory>
   <Directory /var/www/>
      Options -Indexes FollowSymLinks MultiViews
      #AllowOverride All
      AllowOverride FileInfo Limit AuthConfig Options
      #AllowOverride FileInfo
      Order allow,deny
      allow from all
   </Directory>
...
</VirtualHost>

Server Variables on request:
Code:
[REDIRECT_STATUS] => 200
    [HTTP_HOST] => <omitted>.kicks-ass.org:8080
    [HTTP_CONNECTION] => keep-alive
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
    [HTTP_DNT] => 1
    [HTTP_ACCEPT_ENCODING] => gzip,deflate,sdch
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.3
    [HTTP_COOKIE] => CIPSSSERVER=a:4:{s:10:"session_id";s:32:"6fb2b31c3092c145d261be11f8cf7e7d";s:10:"ip_address";s:14:"<omitted>";s:10:"user_agent";s:108:"Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.31+(KHTML,+like+Gecko)+Chrome/26.0.1410.64+Safari/537.31";s:13:"last_activity";i:1366654078;}c1c63d93529d3562c2fb4eb3e37ff56c
    [PATH] => /usr/local/bin:/usr/bin:/bin
    [SERVER_SIGNATURE] =>
Apache/2.2.22 (Ubuntu) Server at <omitted>.kicks-ass.org Port 8080
    [SERVER_SOFTWARE] => Apache/2.2.22 (Ubuntu)
    [SERVER_NAME] => <omitted>.kicks-ass.org
    [SERVER_ADDR] => 192.168.1.102
    [SERVER_PORT] => 8080
    [REMOTE_ADDR] => <omitted>
    [DOCUMENT_ROOT] => /var/www
    [SERVER_ADMIN] => webmaster@localhost
    [SCRIPT_FILENAME] => /var/www/ci/index.php
    [REMOTE_PORT] => 57533
    [REDIRECT_URL] => /ci/
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] =>
    [REQUEST_URI] => /ci/
    [SCRIPT_NAME] => /ci/index.php
    [PATH_INFO] => /
    [PATH_TRANSLATED] => /var/www/index.php
    [PHP_SELF] => /ci/index.php/
    [REQUEST_TIME] => 1366654079

ci_session table:
Code:
CREATE TABLE IF NOT EXISTS `ci_sessions` (
  `session_id` varchar(100) NOT NULL DEFAULT '0',
  `ip_address` varchar(45) NOT NULL DEFAULT '0',
  `user_agent` varchar(255) NOT NULL,
  `last_activity` int(10) unsigned NOT NULL DEFAULT '0',
  `user_data` text NOT NULL,
  PRIMARY KEY (`session_id`),
  KEY `last_activity_idx` (`last_activity`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

I have omitted parts of the address for security reasons.

As you can see, the client is sending the cookie information and yet CI is not reading it into the session data. It also creates a new session on every page refresh.

Any assistance would be very appreciated. Thank you.

#64
[eluser]phanku[/eluser]
[quote author="phanku" date="1366654591"]I also have this issue.
[...]
As you can see, the client is sending the cookie information and yet CI is not reading it into the session data. It also creates a new session on every page refresh.[/quote]

I have fixed the issue. I am going to post the information here in case any one else ever runs into this problem.

The issue was with PHP Suhosin, a very popular PHP hardening library. Because the session data is not only stored within the database but also within the cookie (IMO a weird design decision), the maximum value length configured in Suhosin was being violated. Suhosin would then drop the variable, which would cause CI to never get the cookie data, which, of course, would cause CI to generate new session data.

To solve it I raised the amount allowed to 512. The correct setting to change is suhosin.request.max_value_length.

I am not sure what the correct method should be to address this, other than modifying a library that is supposed to protect PHP services from being hacked, but I do believe that if the switch in CI is set to store session data in the database, the cookie should only contain the session id needed to identify the user and their session data. Of course, I think that CI should still do something to verify that the cookie has not been spoofed in some manner, but it should not force system operators to change settings on a security library to make CI work.

Hope this helps someone else out in the future.

#65
[eluser]CroNiX[/eluser]
If you are using the database to store ci sessions, then only the encrypted session id is stored in the cookie.

My cookies only contain something like:
Quote:cisession=<omitted>; expires=Wed, 24 Apr 2013 19:35:49 GMT; path=/; domain=test.localhost
And no session data.

#66
[eluser]phanku[/eluser]
My apologies. I thought I had read some place that the information is both stored in the cookie and the db sessions.


#67
[eluser]Unknown[/eluser]
Ok - so I also had some problems with the cookie not getting set in any browser except Firefox, which made me think it was a browser issue for an hour or two. Turns out:
1. the user_agent field is too short
2. the cookie domain needs to be set using an answer I found on php.net/setcookie

My fix was:
Code:
ALTER TABLE `api_session`
CHANGE COLUMN `user_agent` `user_agent` VARCHAR(255) NOT NULL AFTER `ip_address`;

AND in your config.php file:
Code:
$config['cookie_domain'] = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;
$config['cookie_path'] = "";

There seems to be some issue with not setting cookies on intranet domain names (e.g. without dots).

Hope that helps someone.
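The cookie-scoping rules behind the two fixes in this post, as an added Python example that is not code from the thread or from CodeIgniter. It models how a browser decides whether to store a cookie carrying the Domain and Path attributes that CI's cookie_domain and cookie_path settings produce, and whether to send it back on a later request, following RFC 6265 sections 5.1.3, 5.1.4 and 5.3. The rejection of a Domain attribute naming a dotless host is an assumption written to match the behaviour the post reports, not a rule taken from the RFC, and app.kicks-ass.org stands in for the omitted host in post #63's dump. One caveat on the config line above: $_SERVER['HTTP_HOST'] is copied from the client's Host header, so a cookie_domain derived from it follows whatever host name the client chose to send.

```python
import ipaddress
from urllib.parse import urlsplit


def canonical_host(http_host):
    """HTTP_HOST as dumped in post #63 carries the port ('...kicks-ass.org:8080');
    cookie scope ignores ports (RFC 6265 section 8.5). IPv6 literals not handled."""
    return http_host.split(":", 1)[0].lower().rstrip(".")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or domain is a dot-boundary suffix of
    a host name (never of an IP address)."""
    return host == domain or (host.endswith("." + domain) and not is_ip(host))


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: '/ci' matches '/ci' and '/ci/...', not '/cisco'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_path):
    """Path used when the Path attribute is empty (section 5.1.4)."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


def cookie_scope(http_host, request_uri, domain_attr="", path_attr=""):
    """Would the browser store a cookie set with these cookie_domain /
    cookie_path values, and with what scope?"""
    host = canonical_host(http_host)
    req_path = urlsplit(request_uri).path or "/"
    if domain_attr:
        domain = domain_attr.lower().lstrip(".")   # leading dot is ignored (5.2.3)
        if "." not in domain:
            # Assumption modelling the behaviour post #67 reports: browsers
            # refuse a Domain attribute naming a dotless host such as 'localhost'.
            return {"stored": False, "reason": "Domain attribute on dotless host rejected"}
        if not domain_match(host, domain):
            return {"stored": False, "reason": f"{domain!r} does not domain-match {host!r}"}
        scope_domain, host_only = domain, False
    else:
        scope_domain, host_only = host, True    # host-only cookie (5.3 step 6)
    path = path_attr if path_attr.startswith("/") else default_path(req_path)
    return {"stored": True, "reason": "ok", "domain": scope_domain,
            "host_only": host_only, "path": path}


def will_send(scope, http_host, request_uri):
    """Would a stored cookie with this scope be attached to that request?"""
    if not scope["stored"]:
        return False
    host = canonical_host(http_host)
    host_ok = (host == scope["domain"] if scope["host_only"]
               else domain_match(host, scope["domain"]))
    return host_ok and path_match(urlsplit(request_uri).path or "/", scope["path"])


if __name__ == "__main__":
    # app.kicks-ass.org is a constructed stand-in for the omitted host.
    s = cookie_scope("app.kicks-ass.org:8080", "/ci/", ".kicks-ass.org", "/ci")
    print(s, will_send(s, "app.kicks-ass.org:8080", "/ci/welcome"),
          will_send(s, "app.kicks-ass.org:8080", "/other/"))
    print(cookie_scope("intranet", "/", "intranet"))   # the dotless-host failure
    print(cookie_scope("intranet", "/"))               # no Domain attribute: host-only cookie
```

The second and third calls are the post's situation: a dotless intranet host with cookie_domain set to that host name yields no stored cookie, while leaving the Domain attribute off (cookie_domain false) produces a host-only cookie that is sent back normally.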


#68
[eluser]InsiteFX[/eluser]
Changing the user_agent in the database table to 255 is not going to help you because it is hard coded in the session library at 120!

#69
[eluser]Unknown[/eluser]
I have the same problem. How do you solve it?

#70
[eluser]Unknown[/eluser]
After some research I've found that this is a bug in the sess_read() function of the CI_Session class.

Code:
// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
    $session = $this->CI->encrypt->decode($session);
}
else
{
    // encryption was not used, so we need to check the md5 hash
    $hash    = mb_substr($session, mb_strlen($session)-32); // get last 32 chars
    $session = mb_substr($session, 0, mb_strlen($session)-32);

    // Does the md5 hash match?  This is to prevent manipulation of session data in userspace
    if ($hash !== md5($session.$this->encryption_key))
    {
        log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
        $this->sess_destroy();
        return FALSE;
    }
}

You need to replace the mb_substr() functions with substr(), or configure the mbstring.func_overload parameter in the PHP configuration file.

But I must say that this bug is already fixed in the new version of CodeIgniter (2.1.4), so there is another way to fix it - just update the framework ;)
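To make the cookie format discussed in posts #64 and #70 concrete, the following is an added Python example, not code from the thread or from CodeIgniter. It rebuilds the unencrypted CI 2.x session cookie as it appears in the HTTP_COOKIE dump in post #63 (a PHP-serialized array followed by the 32-character md5 of payload . encryption_key), verifies it the way the sess_read() branch quoted above does, measures it against a Suhosin-style max_value_length, and shows why the serialized s:N lengths and the 32-byte hash trailer have to be handled as bytes: the same fields applied as character offsets fail as soon as a value contains a multibyte character. The encryption key and the 14-byte IP address are constructed stand-ins; the other session fields are copied from the dump.

```python
import hashlib
import hmac

# Constructed key standing in for $config['encryption_key']; not from the page.
ENCRYPTION_KEY = b"constructed-example-key"

# The four fields CI 2.x keeps in the cookie with sess_use_database on, as in
# the post #63 dump. The omitted IP is replaced by a 14-byte documentation
# address so the serialized field length (s:14) is unchanged.
CAPTURED_SESSION = {
    "session_id": "6fb2b31c3092c145d261be11f8cf7e7d",
    "ip_address": "198.51.100.123",
    "user_agent": ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 "
                   "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"),
    "last_activity": 1366654078,
}


def php_serialize(assoc):
    """serialize() for a flat dict of str/int values. Every s:N is a BYTE count."""
    parts = [b"a:%d:{" % len(assoc)]
    for key, val in assoc.items():
        kb = key.encode("utf-8")
        parts.append(b's:%d:"%s";' % (len(kb), kb))
        if isinstance(val, int):
            parts.append(b"i:%d;" % val)
        else:
            vb = val.encode("utf-8")
            parts.append(b's:%d:"%s";' % (len(vb), vb))
    parts.append(b"}")
    return b"".join(parts)


def php_unserialize_flat(data):
    """Parse a flat serialized array. Given bytes it honours the byte lengths;
    given decoded text it applies them as character offsets, which is what a
    character-counting (mb_*) reader effectively does."""
    is_bytes = isinstance(data, (bytes, bytearray))
    lit = (lambda s: s.encode("ascii")) if is_bytes else (lambda s: s)
    if not data.startswith(lit("a:")):
        raise ValueError("not a serialized array")
    pos = data.index(lit("{")) + 1
    count = int(data[2:pos - 2])
    out = {}

    def read_value():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == lit("i"):
            end = data.index(lit(";"), pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return val
        if tag == lit("s"):
            colon = data.index(lit(":"), pos + 2)
            n = int(data[pos + 2:colon])
            start = colon + 2                       # skip the ':"' before the value
            val = data[start:start + n]
            if data[start + n:start + n + 2] != lit('";'):
                raise ValueError("length %d does not land on closing quote at offset %d" % (n, pos))
            pos = start + n + 2
            return val.decode("utf-8") if is_bytes else val
        raise ValueError("unsupported type %r at offset %d" % (tag, pos))

    for _ in range(count):
        key = read_value()
        out[key] = read_value()
    if data[pos:pos + 1] != lit("}"):
        raise ValueError("trailing data after array")
    return out


def make_cookie(session, key=ENCRYPTION_KEY):
    """Unencrypted CI 2.x cookie value: serialized array + md5(payload . key)."""
    payload = php_serialize(session)
    return payload + hashlib.md5(payload + key).hexdigest().encode("ascii")


def read_cookie(cookie, key=ENCRYPTION_KEY):
    """The unencrypted branch of sess_read(), splitting on BYTES, not characters.
    Returns the session dict, or None where CI would call sess_destroy()."""
    if len(cookie) <= 32:
        return None
    payload, tag = cookie[:-32], cookie[-32:]
    expected = hashlib.md5(payload + key).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        return None
    return php_unserialize_flat(payload)


def parses_with_char_offsets(payload):
    """True only while every value is single-byte; a multibyte user agent derails it."""
    try:
        php_unserialize_flat(payload.decode("utf-8"))
        return True
    except ValueError:
        return False


def suhosin_drops(cookie, max_value_length):
    """A request variable longer than suhosin.*.max_value_length never reaches
    $_COOKIE, so CI sees no cookie at all and starts a fresh session."""
    return len(cookie) > max_value_length


if __name__ == "__main__":
    cookie = make_cookie(CAPTURED_SESSION)
    print(len(cookie), "bytes; dropped at 256:", suhosin_drops(cookie, 256),
          "dropped at 512:", suhosin_drops(cookie, 512))
    print("round-trip:", read_cookie(cookie) == CAPTURED_SESSION)
    tampered = cookie[:-32].replace(b"6fb2b31c", b"deadbeef") + cookie[-32:]
    print("tampered accepted:", read_cookie(tampered) is not None)
    mb = php_serialize(dict(CAPTURED_SESSION, user_agent="Op\u00e9ra/1.0"))
    print("byte offsets:", php_unserialize_flat(mb)["user_agent"],
          "| char offsets parse:", parses_with_char_offsets(mb))
```

Run as a script it reports a 305-byte cookie for the captured session, which sits below the 512-byte limit the poster settled on and above a 256-byte one, and shows that editing the session id in the payload without re-computing the trailer is rejected. The trailer is md5 over payload plus key rather than an HMAC, so the protection is only as good as the secrecy of encryption_key; the example keeps the page's construction rather than swapping in something stronger.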

