[Solved] Various Session problems

[eluser]fchristant[/eluser]
Just dropping by to close this thread. I already indicated that most of my problems were solved, hereby I can also confirm that the 0.0.0.0 IP problem in production is solved. It was indeed due to the cron jobs. Summary of the solutions:

- Using the IsAJAX trick to avoid session creation for Ajax calls
- Moving JS files outside of my CI application
- Let cron job controllers use a base controller that does not have session loading enabled
- Removing the underscore from the cookie name, also setting a cookie domain

This total pack of solutions solved all my problems. Thanks all for the help!

[eluser]aidehua[/eluser]
I've been having an intermittent session problem. The session seems to "time out" occasionally, and because I'm using session information to check logged-in status on each page call, users are getting logged out unexpectedly.

I think I've sort-of figured out the problem, if not the solution.

I'm using the default time-to-update of 300 seconds.

Code:

$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']        = 14400;
$config['sess_encrypt_cookie']          = TRUE;
$config['sess_table_name']        = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent']    = TRUE;
$config['sess_time_to_update']     = 300;
$config['sess_use_database']    = TRUE;

The problem seems to occur most when someone uploads a large file.

So, the user clicks "upload". The file for upload is submitted, along with the current session cookie.

30 seconds later, the upload is done. Sometimes (not all the time), the user gets logged out instead of seeing the upload "success" screen.

What I'm guessing is happening is something like this:

The script starts to execute the minute the submit button is pressed. For the next 30 seconds (or so), the large file is being uploaded. At some point during those 30 seconds, a new session id is generated (the 300-second time-to-update has ticked over). And this no longer matches the session id taken from the session cookie at the start of the request. So the session class reckons it's dealing with a new session, and that triggers my auth library to log the user out.

Alternatively (I'm not very clear about the sequence of client-server-client information exchange when a multipart form is submitted), could it be that the session cookie gets updated pretty much as soon as the submit button is clicked, but a new, different session id is generated on the server during the subsequent 30 seconds or so that the file is still uploading (and being processed on the server)?

Is either of these two explanations (even approximately) correct?

As for solutions... Well, I could increase the sess_time_to_update by factor of 10, to 3000 seconds, so this unwanted logout behaviour would occur ten times less frequently. But it would still happen from time to time, when the 30 second (or whatever) upload time happens to coincide with the once-every-3000-second session update.

Better ideas?

[eluser]aidehua[/eluser]
Well, I figured that most of the trouble was coming from POST requests (and a bit of trouble from AJAX requests too).

So here's what I've put in MY_Session:

Code:

function sess_update()
{
$request_type = $_SERVER['REQUEST_METHOD'];
$request_type = strtolower($request_type);


if ( !IS_AJAX && $request_type != "post" ) //only update session if not ajax and not post request
{
parent::sess_update();
}

}

Bit of a bodge, but I reckon that most users will make GET requests often enough to let the session update reasonably frequently.

Seems to be working.