CI Sessions -- Additional Cookie Options
#1

[eluser]Unknown[/eluser]
The Problem:
I am using TankAuth for user authentication. TankAuth uses the CI session class, which uses cookies rather than true PHP sessions.

This didn't really cause me a lot of problems, but there was a random sampling of users who were unable to log in. They would enter their credentials correctly (no form errors), but for some reason the cookie was never set. It didn't matter what browser they used, it would always fail. Well, I discovered that the problem lies with their security software (such as Norton Internet Security), which was destroying the cookie after it was set.


The Solution:
PHP's function setcookie() has an additional parameter $httponly that was added in 5.2.0. I know that CI has legacy concerns that it must consider, but adding this option to the config, the session library and the cookie helper has solved my problem. So if you're using the CI native session class for authentication and have trouble with people not being able to log in, then I can pass along my code to you. It's currently for CI version 1.7.2 but I'll be updating it to CI 2.0 when the final version is released.



Anyway, I love CodeIgniter! Has anyone else experienced issues with users not having cookies set? This was just the solution I found that fixed my current problem. I'm definitely not an expert on any of this stuff so I'd love to hear your opinion. Thanks!


References:
http://www.owasp.org/index.php/HttpOnly
PHP setcookie() Function
#2

[eluser]darrenfauth[/eluser]
Wow...I'm surprised no one has responded to this thread.

I am migrating a membership site from using dx_auth to tank_auth. I did have mysterious session-related problems with dx_auth. I could never reproduce them myself...but a lot of what I read about it always brought me back to issues with CI Sessions. I've implemented tank_auth and now I'm once again concerned about having cookie data problems.
Code:
$this->ci->session->userdata('user_id')
as well as name, email and other session data are used throughout the library.

I'd love to hear more about your solution especially since it appears you are still using tank_auth?
#3

[eluser]WanWizard[/eluser]
Every session solution uses cookies, so this issue is not related to tankauth.

If you have a piece of local software that blocks cookies, none of them work. I think when building websites you have to set certain prerequisites, like cookies should work and JavaScript must be enabled.
If needed, build a splash/loading page that checks this, and give an error message if the conditions aren't met.
#4

[eluser]InsiteFX[/eluser]
Code:
ini_set("session.cookie_httponly", 1);

InsiteFX
#5

[eluser]darrenfauth[/eluser]
@WanWizard
Right, not thinking it is a tank_auth issue. Looking for the most painless solution that will let me change my session/cookie handling and not have to modify tank_auth use of $this->ci->session->

@InsiteFX
That is best at server level in my php.ini? I'm looking at my localhost php.ini using Wampserver and I see it is like this:

Code:
;Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly =

Changing that value to '1' and ultimately on my server would be optimal, right?

How about on a per-application (website) basis? That is not a valid option to set in my application/config/config.php, right? Those are specific to CI and CI Sessions?

I'm reading up so I can reply and not sound totally stupid...sessions have never been my thing.

I implemented Session Hybrid (hmmm..EL is preventing links right now in forum posts) yesterday also, after posting here and before your reply. It went smoothly. Still not sure if it is the answer.
#6

[eluser]InsiteFX[/eluser]
You can run it from index.php

Otherwise create a new MY_cookie_helper and add what you need to it.

InsiteFX
#7

[eluser]darrenfauth[/eluser]
Sweet. Thanks!
#8

[eluser]WanWizard[/eluser]
CI's session class writes its own cookies; it doesn't use the php.ini setting.

That would be a nice request for the Reactor branch, to have a config setting to control the secure and httponly flags of setcookie().

Maybe you should add it: http://codeigniter.uservoice.com/
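Added example (not code from any poster in this thread, and not part of CodeIgniter or tank_auth): since the CI 1.7.x session class calls setcookie() itself rather than going through the cookie helper or php.ini, the place to add the HttpOnly and Secure flags is an override of the method that writes the session cookie. The class below assumes that CI_Session::_set_cookie() is that method and that the properties sess_cookie_name, sess_expiration, cookie_path, cookie_domain, sess_encrypt_cookie and encryption_key exist under those names (check system/libraries/Session.php for your version); the config keys cookie_httponly and cookie_secure are hypothetical additions to application/config/config.php, not real CI 1.7.2 settings.

```php
<?php
// application/libraries/MY_Session.php  (added example, PHP 4-style constructor for CI 1.7.x)
// CI loads MY_Session automatically in place of CI_Session when the session
// library is loaded, so tank_auth's $this->ci->session->userdata() calls are untouched.

class MY_Session extends CI_Session
{
    // Defaults used when the hypothetical config keys are absent.
    var $cookie_httponly = TRUE;   // cookie not readable from document.cookie (PHP >= 5.2.0)
    var $cookie_secure   = FALSE;  // TRUE = cookie only sent over HTTPS

    function MY_Session($params = array())
    {
        parent::CI_Session($params);   // sets $this->CI and the sess_* properties

        // ASSUMPTION: 'cookie_httponly' and 'cookie_secure' are keys you add to config.php.
        // config->item() returns FALSE when a key is missing, so the defaults above survive.
        foreach (array('cookie_httponly', 'cookie_secure') as $key)
        {
            $val = $this->CI->config->item($key);
            if ($val !== FALSE)
            {
                $this->$key = (bool) $val;
            }
        }
    }

    // ASSUMPTION: this mirrors CI_Session::_set_cookie() from 1.7.x; only the
    // last two setcookie() arguments are new.
    function _set_cookie($cookie_data = NULL)
    {
        if (is_null($cookie_data))
        {
            $cookie_data = $this->userdata;
        }

        // Serialize the userdata array for the cookie, as the stock class does.
        $cookie_data = $this->_serialize($cookie_data);

        if ($this->sess_encrypt_cookie == TRUE)
        {
            $cookie_data = $this->CI->encrypt->encode($cookie_data);
        }
        else
        {
            // Same integrity hash the stock class appends when encryption is off,
            // so a client-side edit of the cookie is rejected on the next request.
            $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
        }

        setcookie(
            $this->sess_cookie_name,
            $cookie_data,
            $this->sess_expiration + time(),
            $this->cookie_path,
            $this->cookie_domain,
            $this->cookie_secure,    // 6th arg: Secure flag
            $this->cookie_httponly   // 7th arg: HttpOnly flag
        );
    }
}
```

Two things to check before turning this on: set cookie_secure to TRUE only if the login form and every page that reads the session are served over HTTPS, otherwise the browser will never send the cookie and you are back to users who cannot log in; and confirm the flags landed by looking at the Set-Cookie header in the browser's network inspector (it should end with "; secure; HttpOnly" or "; HttpOnly"), since a mismatch in the property names above would silently fall back to the parent's behaviour. For CI 2.0 rename the constructor to __construct() and call parent::__construct($params).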



