Seemingly random session expiration (SOLUTION)
[eluser]Unknown[/eluser]
Just wanted to give back to the community on an issue that's driven me crazy for weeks. Hopefully I can save someone else a headache.

If you're loading resources dynamically on a page (images, AJAX requests, etc.), be careful about passing them in through CI's sessions. If it happens to trigger the sess_update function in the request (based on the config "sess_time_to_update" value), any subsequent requests could be passing in the wrong cookie information and will subsequently destroy any reference to the newly updated session.

Here was my situation:

- Profile pictures ran through CI to grab the image path from a database (I know, I know--this isn't the most optimized solution... I'm working on that)
- Session library was autoloaded (and sessions were stored in the database)
- If there were multiple profile pictures on the page (which there usually are for any sort of people list...), it opened up this particular vulnerability

For example, if there were 40 profile pictures on a page, the browser wouldn't load them all at once due to browser simultaneous request limits (Firefox defaults to 6 or so, if I remember correctly...). If the time_to_update (for me, 5 minutes) had passed on one of the first pictures, the browser was still passing in the old ci_session cookie for the remaining pictures. This cookie had the old session_id stored with it, which was no longer to be found in the database. This triggered a sess_destroy call, and the user was randomly logged out of the site (as I also store the login information in the session).

My solution to this was to stop autoloading the session class in the profile picture loads. I tried that, but found two other potential vulnerabilities:

1) Refreshing the page before the browser had set the new cookie (rare, but I hate the open door...)
2) Multiple simultaneous AJAX calls (particularly within less than a second) could return in unpredictable orders, and yup--you guessed it--same problem

I ended up disabling the session_id updates, as I'm not developing a banking site, and encrypted cookies are plenty security for my needs. So, if CI is randomly dropping the session, you might be running into the same issue.

Thanks,
Landon Springer
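The race Landon describes is easier to reason about when it is written down as a model. The script below is an added example, not code from the post or from CodeIgniter: an in-memory dict stands in for the ci_sessions table, and handle_request() follows the behaviour the thread describes (look up the cookie's session_id, regenerate the id once sess_time_to_update has elapsed, treat an unknown id as a destroyed session). The `grace` parameter is an assumed mitigation for illustration, not a CI feature: the retired id stays resolvable for a few seconds, so requests that were already in flight with the old cookie land on the rotated row instead of logging the user out. Function names, the 40-image page load and the user name are all constructed for the example.

```python
"""Model of the session-ID rotation race: many requests fired with one cookie,
the first one rotates the id, the rest still carry the stale id.

Added example (not CodeIgniter code). `grace` is an assumed mitigation.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    rows: dict = field(default_factory=dict)     # session_id -> {"user", "last_activity"}
    retired: dict = field(default_factory=dict)  # old_id -> (new_id, valid_until)


def start_session(store, now, user):
    """Create a row for a new session and return its id (the cookie value)."""
    sid = secrets.token_hex(16)
    store.rows[sid] = {"user": user, "last_activity": now}
    return sid


def handle_request(store, cookie_sid, now, time_to_update=300, grace=0):
    """Process one request. Returns (sid_to_put_in_Set-Cookie, user_or_None)."""
    sid = cookie_sid
    if sid not in store.rows:
        alias = store.retired.get(sid)
        if alias is not None and now < alias[1]:
            sid = alias[0]                       # stale cookie inside the grace window
        else:
            # sess_destroy path as described in the post: unknown id -> fresh anonymous session
            return start_session(store, now, None), None

    row = store.rows[sid]
    if now - row["last_activity"] >= time_to_update:
        new_sid = secrets.token_hex(16)          # sess_update: regenerate the id
        store.rows[new_sid] = {"user": row["user"], "last_activity": now}
        del store.rows[sid]                      # old id is no longer in the table
        if grace > 0:
            store.retired[sid] = (new_sid, now + grace)   # assumed mitigation
        sid = new_sid
    return sid, store.rows[sid]["user"]


def simulate_page_load(grace, n_images=40, time_to_update=300):
    """Log in at t=0; at t=time_to_update+1 the browser fetches n_images pictures.
    All of them go out with the cookie the browser holds at that moment, because
    the Set-Cookie from the first (rotating) response has not been applied yet.
    Returns how many of those requests came back logged out."""
    store = SessionStore()
    cookie = start_session(store, now=0, user="landon")   # constructed sample user
    t = time_to_update + 1
    logged_out = 0
    for _ in range(n_images):
        _new_cookie, user = handle_request(store, cookie, t, time_to_update, grace)
        if user is None:
            logged_out += 1
    return logged_out


if __name__ == "__main__":
    print("rotation, no grace window :", simulate_page_load(grace=0), "of 40 requests logged out")
    print("rotation, 5 s grace window:", simulate_page_load(grace=5), "of 40 requests logged out")
```

With no grace window the first request rotates the id and the other 39 hit the destroy path, which is exactly the "randomly logged out" symptom. A short grace window keeps rotation (so a long-lived id is not exposed indefinitely, which is the cost of disabling sess_update entirely) while tolerating the burst of parallel image or AJAX requests; the trade-off is that the old id is accepted for those few seconds, so keep the window as small as the slowest expected in-flight request.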
[eluser]InsiteFX[/eluser]
Code:
// place at the bottom of application/config/constants.php

EDITED: 10-05-2010 Forgot the define...

InsiteFX
[eluser]Vinnie Saletto[/eluser]
That's very similar to what I'm experiencing, but I'm not using AJAX. If you (or anyone here) have a moment to look at my thread, I would be most grateful. View Thread Here. I am in a state of panic here, so any assistance you may be able to provide would be fantastic.
[eluser]Unknown[/eluser]
[quote author="InsiteFX" date="1288844628"]
Code:
// place at the bottom of application/config/constants.php

EDITED: 10-05-2010 Forgot the define...

InsiteFX
[/quote]

Subscribed just to thank you, just what I needed!