[eluser]aidehua[/eluser]
I've been having an intermittent session problem. The session seems to "time out" occasionally, and because I'm using session information to check logged-in status on each page call, users are getting logged out unexpectedly.
I think I've sort-of figured out the problem, if not the solution.
I'm using the default time-to-update of 300 seconds.
Code:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 14400;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
$config['sess_use_database'] = TRUE;
The problem seems to occur most when someone uploads a large file.
So, the user clicks "upload". The file for upload is submitted, along with the current session cookie.
30 seconds later, the upload is done. Sometimes (not all the time), the user gets logged out instead of seeing the upload "success" screen.
What I'm guessing is happening is something like this:
The script starts to execute the minute the submit button is pressed. For the next 30 seconds (or so), the large file is being uploaded. At some point during those 30 seconds, a new session id is generated (the 300-second time-to-update has ticked over). And this no longer matches the session id taken from the session cookie at the start of the request. So the session class reckons it's dealing with a new session, and that triggers my auth library to log the user out.
Alternatively (I'm not very clear about the sequence of client-server-client information exchange when a multipart form is submitted), could it be that the session cookie gets updated pretty much as soon as the submit button is clicked, but a new, different session id is generated on the server during the subsequent 30 seconds or so that the file is still uploading (and being processed on the server)?
Is either of these two explanations (even approximately) correct?
As for solutions... Well, I could increase the sess_time_to_update by a factor of 10, to 3000 seconds, so this unwanted logout behaviour would occur ten times less frequently. But it would still happen from time to time, when the 30-second (or whatever) upload time happens to coincide with the once-every-3000-second session update.
Better ideas?
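The following model of the race described in the post above is an added example, not part of the original post and not CodeIgniter's own code. `SessionStore`, `uploadScenario`, the `$grace` setting and the timeline are assumptions, including the assumption that a second request from the same browser causes the id change while the upload is still in flight.

```php
<?php
// Simplified model (PHP 8) of a database-backed session store that issues a
// new id once $ttu seconds have passed. Constructed for illustration; not
// CodeIgniter's Session class. $grace is a hypothetical setting.
class SessionStore
{
    private $rows = [];     // session id => ['last' => int, 'user' => string]
    private $retired = [];  // old id => ['new' => string, 'at' => int]
    public function __construct(private int $ttu, private int $grace = 0) {}
    public function create(string $user, int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['last' => $now, 'user' => $user];
        return $id;
    }
    // Returns [id to put in the cookie, user], or null when the id is unknown.
    public function touch(string $id, int $now): ?array
    {
        if (!isset($this->rows[$id])) {
            $old = $this->retired[$id] ?? null;
            $usable = $old !== null && $now - $old['at'] < $this->grace
                && isset($this->rows[$old['new']]);
            if (!$usable) {
                return null;        // caller treats this as "logged out"
            }
            $id = $old['new'];      // in-flight request: follow the rotation
        }
        $user = $this->rows[$id]['user'];
        if ($now - $this->rows[$id]['last'] >= $this->ttu) {  // time to rotate
            unset($this->rows[$id]);
            $this->retired[$id] = ['new' => bin2hex(random_bytes(16)), 'at' => $now];
            $id = $this->retired[$id]['new'];
            $this->rows[$id] = ['last' => $now, 'user' => $user];
        }
        return [$id, $user];
    }
}

// Constructed timeline: the upload is sent at t=290 carrying the old id, a
// second request rotates the id at t=305, the upload is processed at t=320.
function uploadScenario(int $grace): string
{
    $store = new SessionStore(300, $grace);
    $uploadCookie = $store->create('alice', 0);
    $store->touch($uploadCookie, 305);
    $seen = $store->touch($uploadCookie, 320);
    return $seen === null ? 'logged out' : "still logged in as {$seen[1]}";
}
echo 'no grace: ', uploadScenario(0), "\n", '60 s grace: ', uploadScenario(60), "\n";
```

A retired id that is still accepted is also accepted from anyone who captured it, so a grace window of this kind is kept short.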