Question about CI_Session

[eluser]korpirkor[/eluser]
Hi
I'm doing my first project on CodeIgniter (and first with MVC at all) and I have question about Session library.

There is sess_update() method, which is updating last_activity and session_id after $config['sess_time_to_update'] seconds.

My question is: why are we creating new session_id each time ???

I have rewritten sess_update into MY_Session:

Code:

class MY_Session extends CI_Session
{
    function sess_update()
    {
        if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
            return;

        $this->userdata['last_activity'] = $this->now;
        $cookie_data = NULL;
        if ($this->sess_use_database === TRUE)
        {
            $cookie_data = array();
            foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
                $cookie_data[$val] = $this->userdata[$val];

            $this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now), array('session_id' => $this->userdata['session_id'] )));
        }
        $this->_set_cookie($cookie_data);
    }
}

Question 2. Can my code mess up something?

[eluser]WanWizard[/eluser]
It's a security measure against session fixation, and not something you should be bothered about, it happens invisible and in the background.

Why would you like to rewrite sess_update()?

[eluser]korpirkor[/eluser]
I was creating auth module which is allow to login for one account only on one PC. Every profile has `my_session_id` equal to current `session_id`.
I solve it - in each sess_update() I assign new session_id to my_session_id and it works fine. Unfortunetly now everywhere is the Session class - must be also included the authorization module (or new session_id won't be assigned)

I have read something about CodeIgniter Session class on this forum (the say that it is unreliable) and replace CI_Session by "Native / Database hybrid" library

Thanks for response !

[eluser]WanWizard[/eluser]
The CI Session library is very reliable.

Most of the issues reported are cookie related, and caused by configuration errors, not by the Session library. There were some issues with the Session library in old versions of CI, but that's a long time ago.

If you mean by "one login per PC" one login per browser, that this is archieved by every session library, as all browser windows share the same session. If you really mean 'one physical PC', then you could add a check on IP address, if you can guaranty that would be unique (which is not always the case) you could make sure you only have one active session per IP.

The real question however is: why do you want to archieve this? Because from your application point of view, there is no difference between a user logged in twice using two browsers on the same PC versus two browsers on two different PC's (which is allowed?).

[eluser]korpirkor[/eluser]
OK, I picked wrong words.
I wanted to achieve, that one username can be logged in only one session.
For example:
- User is logged in with username: bogdan on Session 1.
- After that, he is going to another room, login as bogdan again in another pc
- Now Session 1 is killed, and bogdan is loged out on first computer. But logged in on second.
It's clear now ?

I get everything now, thanks for info

ps. English is not my first language, sometimes there are mistakes in communication with me :-P

[eluser]WanWizard[/eluser]
No problem, English isn't my first language either, that's why it's always good to ask for clarification.

In that case I would extend the session library, create an extra field user_id in the session table, and store the user_id of the logged in user in that field. When a user logs in, and the login is valid, run a delete query on the session table where user_id = the user that just logged in. If there were no other sessions for that user, the delete does nothing. If there were, the delete makes their session invalid which effectively logs them out.

It is possible to do this with the standard session library, in which case your delete should have a where clause with a regex because you have to get the user_id from the serialized user_data array, which can be done is is more advanced.