How to check for an expired session
#1

[eluser]Unknown[/eluser]
Hi everyone,

I am running a REST API that uses the CI Session library for user login. I have set the session cookie to expire after 24 hours. This API is powering several webapps and an iOS application that stores the user's credentials in the iPhone's keychain access. I want to let the iOS app know that the cookie has expired and that it needs to re-authenticate with the server using the stored credentials in the keychain.

I have a few services in my API that behave differently if the user is logged in (they return a different response). I want to return a 401 error if the cookie sent in the request was invalid/expired, return a normal response if the user is not logged in, and an altered response if the cookie is valid/not expired.

If I'm only checking to see if the session userdata is set, I see no difference between an expired cookie and simply a non-logged in user.

Is there any way that I can check whether a cookie sent via the request has expired? I only want this 401 error to be displayed once on an expired cookie; the iOS client would then reauthenticate itself and get a new (valid) session cookie.

Thanks for any insight on this. I'm still somewhat new to cookies and sessions, so if I'm way off here, please let me know.
#2

[eluser]WanWizard[/eluser]
The session is expired when you don't receive a valid session cookie.

Cookies expire client-side: once the expiration time is reached, the client will delete the cookie locally and will not send it with the request to the server. Server side, if no session cookie is received, the CI Session class will automatically create a new session, and will include this session cookie in the result sent back to the client. From a client perspective, there is no difference; the client just sees an encrypted cookie.

If you want the client to re-authenticate, use a REST response (= error code / message) to alert the client to do so.

Server side you should record the logged in state in the cookie, so you can check in your code if the session is authenticated. Based on this information, you can craft the proper response.
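
One way to apply the advice in post #2, shown as an added example that is not code from either poster: the login state and login time are recorded in the session, and the controller returns 401 exactly once when the login window has lapsed. It assumes CodeIgniter 2.x or 3.x, hypothetical userdata keys `logged_in` and `auth_time` written by the login code, a hypothetical `Items` controller, and a `sess_expiration` set longer than the 24-hour login window so the session cookie is still sent when the login has lapsed.

```php
<?php
// Added example. Assumed: login code stores 'logged_in' => TRUE and
// 'auth_time' => time() in the session; both key names are hypothetical.
define('AUTH_TTL', 86400); // 24-hour login window, as in the question

// Classify a session from its userdata: anonymous, expired or authenticated.
function auth_state(array $userdata, $now, $ttl = AUTH_TTL)
{
    if (empty($userdata['logged_in'])) {
        return 'anonymous'; // never logged in, or login markers already cleared
    }
    $auth_time = isset($userdata['auth_time']) ? (int) $userdata['auth_time'] : 0;
    return ($now - $auth_time >= $ttl) ? 'expired' : 'authenticated';
}

class Items extends CI_Controller // hypothetical controller name
{
    public function index()
    {
        $this->load->library('session');
        $state = auth_state($this->session->all_userdata(), time());

        if ($state === 'expired') {
            // Clear the login markers so the 401 is sent only once; a later
            // request that has not re-authenticated is treated as anonymous.
            $this->session->unset_userdata('logged_in');
            $this->session->unset_userdata('auth_time');
            $this->output->set_status_header(401);
            $this->output->set_content_type('application/json')
                         ->set_output(json_encode(array('error' => 'session_expired')));
            return;
        }

        // Normal response for anonymous users, altered one for logged-in users.
        $body = array('items' => array(), 'personalised' => ($state === 'authenticated'));
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode($body));
    }
}
```

If the client has already deleted the cookie, the request arrives with a fresh session and is classified as anonymous, which matches the behaviour described in post #2.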



