Matching the User-Agent in the Session Class
#11

[eluser]WanWizard[/eluser]
Think I've found the issue at hand, thanks to some debugging by another "sufferer".

See http://ellislab.com/forums/viewthread/191097/.
#12

[eluser]InsiteFX[/eluser]
This is the line in the Session Class:
Code:
// Does the User Agent Match?
if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120)))
So we have another BUG! Some of the IE user agent strings are way over 120 characters; the user agent string should be set to 255 to cover all user agent strings.

InsiteFX
#13

[eluser]WanWizard[/eluser]
It should be removed altogether. If the database column is defined big enough (i.e. TEXT instead of VARCHAR), no substr() is needed...
#14

[eluser]caleblloyd[/eluser]
I agree that it is probably this version of IE8 falling back to compatibility mode that causes the UA to change. My web application goes through a series of redirects to pass session data across 2 domains so that the user is automatically authenticated upon getting to the second domain. It is possible that the version of IE8 I am using flips into compatibility mode upon 2 or more redirects within one page request.

I work in an office with ~15 computers with IE8 and can only recreate the bug on 1 of the computers. So it is very possible that this computer has a different minor version of IE8 with this bug and it got fixed in a later IE8 update.

In response to WanWizard-

Quote:Because it’s a security feature, and nobody has ever seen a browser that alters its UA string before?

I'd like to reiterate:

Quote:Most people that are capable of understanding how to steal a cookie over an unsecured connection are also capable of spoofing the user-agent quite easily, so I do not think this is a strong enough argument to call for always matching the user-agent.

One common unsecured cookie-stealing Firefox Extension, Firesheep, even has a checkbox to automatically match the UA, so this is an easily defeated "security feature".

And I have found other instances (I will admit, they are rare) of people running into the same IE bug that I have.


In response to Hoopoe-

Quote:so changing sess_match_useragent to FALSE will solve it ?

Yes, that fixes the problem.
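
An added illustration, not part of any post in this thread and not CodeIgniter's own code: the comparison quoted in post #12, run over constructed user-agent strings to show when it rejects a legitimate browser. The helper names and the 50-character column width are assumptions.

```php
<?php
// Added example: the comparison quoted in post #12, reduced to a plain
// function. ua_matches() and stored_as() are hypothetical helper names.

function ua_matches(string $storedUa, string $currentUa): bool
{
    // Mirrors the Session class line: stored value vs. first 120 chars.
    return trim($storedUa) === trim(substr($currentUa, 0, 120));
}

// What a VARCHAR($width) column keeps of the 120-char value written to it.
// Assumes the database truncates silently instead of raising an error.
function stored_as(string $ua, int $width): string
{
    return substr(substr($ua, 0, 120), 0, $width);
}

// Constructed sample strings: an IE8 UA longer than 120 characters, and the
// same browser reporting MSIE 7.0 in compatibility mode.
$ie8 = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; '
     . '.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; '
     . '.NET4.0C; .NET4.0E)';
$ie8Compat = str_replace('MSIE 8.0', 'MSIE 7.0', $ie8);

$cases = [
    // label => [value stored at session creation, UA sent on next request]
    'same UA, wide column'       => [stored_as($ie8, 255), $ie8],
    'same UA, 50-char column'    => [stored_as($ie8, 50),  $ie8],
    'compatibility mode toggled' => [stored_as($ie8, 255), $ie8Compat],
];

foreach ($cases as $label => [$stored, $current]) {
    $result = ua_matches($stored, $current) ? 'session kept' : 'session rejected';
    printf("%-28s %s\n", $label, $result);
}
```

Only the first case keeps the session. That case also describes any other client sending the identical string, since the check compares text only.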
#15

[eluser]InsiteFX[/eluser]
@WanWizard,

IE can change the user agent depending on a meta tag for backwards compatibility. Using a UA tag I can tell it to use IE7, IE8 or run standard with IE9! Some web sites set this meta tag; the user can also change this in the browser.

InsiteFX
#16

[eluser]WanWizard[/eluser]
Ah, that is great. :(

But still, for any given site it should always be the same (if triggered by a meta tag), so related to sessions it shouldn't be an issue.
#17

[eluser]mahni1390[/eluser]
;-) You do know that the user_agent field in the session table has been changed!
You didn’t happen to jump between IE8 and compatibility mode did you?

I can only recreate this bug in IE 8, and specifically on an XP SP3 machine so it is likely the minor version of IE 8 on this computer. But other users of my website have had this problem in IE before, which brings me back to my original question

#18

[eluser]InsiteFX[/eluser]
@WanWizard, Yes it should be, but there's one problem with this and that is that the user can also change it on the fly in their browser. Plus IE9 now has a compatibility mode that will also change it.

If you're checking for IE, the only thing you really need to check is the MSIE version!
All IE browsers return the MSIE version.

InsiteFX
#19

[eluser]renju[/eluser]
Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Timestamp: Fri, 1 Jul 2011 09:52:24 UTC


Message: Object expected
Line: 251
Char: 1
Code: 0
URI: http://localhost/donaldson_toolbox/cross...ce/index/1

Showing error in IE7. I changed $config['sess_match_useragent'] = FALSE; but no effect.
Please send any clue you have to resolve the issue.
#20

[eluser]osci[/eluser]
[quote author="renju" date="1309532503"]Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Timestamp: Fri, 1 Jul 2011 09:52:24 UTC


Message: Object expected
Line: 251
Char: 1
Code: 0
URI: http://localhost/donaldson_toolbox/cross...ce/index/1

Showing error in IE7. I changed $config['sess_match_useragent'] = FALSE; but no effect.
Please send any clue you have to resolve the issue.[/quote]

Object expected is your error. I would check line 251, or 250 since I see char:1. What you are passing is either mistyped, not an object or not initiated (loaded).



