Codeigniter session sometimes kicking me out after completing call to a third party API

[eluser]Amitabh Roy[/eluser]
I have had this strange problem for a long time and have been trying to solve it without any success.
I have a CI site based on CI 1.7.2. It works fine most of the time, but many a time it does not.

The problem is, we fill up a form with many fields and submit it to a method in the controller which does the checking. It then posts the data to the third party web service using curl.

I have an error/order response tracker set up, which mails me every time I get a response back from the API. The mail content is of the format:

Order ID: 5876 Result length - 8056 or
Order ID: 5877 Result length - 1121 ....and so on for each order.

Now, many a time I get mail like:

Order ID: Result length - 34441 (Please note the order id is missing here)
Order ID: Result length - 9700

Now, the code for my mail happens to be:

mail('[email protected]','Order ID: '.$this->session->userdata('SITE_ORDER_NO').' Result length - '. $lengthResponse , $orderResult, $headers);

So it seems the segment of the code does not have the Order ID any more.

Also, I got a few reports that the user was logged out of the website after it transferred him to the next page, after the response came back.

My session setup is:
$config['sess_cookie_name'] = 'cisessionJHGJHSOMECAPITALLETTERS';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'user_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;

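The code of the helper function is this:
function call_order_curl($postVars){
    // Endpoint of the third party order API
    $posturl = "API_URL";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $posturl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
    curl_setopt($ch, CURLOPT_HEADER, 0);         // keep response headers out of the result
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postVars);
    curl_setopt($ch, CURLOPT_POST, 1);
    $response = curl_exec($ch);                  // FALSE when the request fails
    curl_close($ch);                             // release the handle
    return $response;
}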

I would really appreciate any help on this. Thank you.

Hmmm, just guessing / ideas popping up:

- Make sure your application loads the session library in every controller, best autoload it in config/autoload.php
- Do you validate the data before sending it? Better show the user an error message than sending wrong data around
- What happens when a user uses the return button / reloads the page?

Edit :
sess_match_ip may give different results for the same visitor

Another thing: are you using Ajax for making these third-party API calls?

[eluser]Amitabh Roy[/eluser]
- Session library is autoloaded
- Data is validated before sending it to the API
- Sometimes they are logged off, and sometimes the browser itself times out.

Nope, I am not using ajax for the call.

So it seems there are actually two problems. The browser timing out means the curl is timing out waiting for a response from the API. It's something I need to get in touch with the API guys about.

The other is the session timing out. I discovered a couple of problems in the session usage. Here are a few things I discovered and the fallback strategy I am using.

1. The user_agent was set to a holy 50 characters in the user_sessions table! I have updated it to text. If you people recommend using Varchar(255), it would be awesome if you let me know why it's preferable.

2. As @tomcode suggested, sess_match_ip may give different results. I looked around a bit more and came across this excellent post. So now I have updated the $config['sess_match_ip'] to FALSE;

3. To remove any IE related session issues, I additionally set the $config['sess_match_useragent'] to FALSE; as I came across this post, which seems to suggest that IE juggles the user agent.

4. Another variable that may be affecting the session logouts is sess_time_to_update. I have updated it to 900 from 300. I need to investigate what happens when the session refreshes based on sess_time_to_update and if setting a larger value for sess_time_to_update can solve the problem. I need to understand the mechanism of how the session refresh works. Right now I am looking at the session class. Any help or pointers are definitely appreciated. What I am worried about is, even after these changes, if I get logged out when the session refreshes after sess_time_to_update.

I can't fully go for a cookie based session, as I have quite some data in the session and of course storing the session data in the db is more secure. So my latest session variables are:
$config['sess_cookie_name'] = 'cisessionPLUSSOMEUPPERCASELETTERS';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'user_sessions';
$config['sess_match_ip'] = FALSE; // updated from TRUE
$config['sess_match_useragent'] = FALSE; // updated from TRUE
$config['sess_time_to_update'] = 900; // updated from 300

I want to get this right, so any comment or pointers are definitely welcome!:-)

Quote: 1. The user_agent was set to a holy 50 characters in the user_sessions table! I have updated it to text. If you people recommend using Varchar(255), it would be awesome if you let me know why it's preferable.

The session library has that value hard coded in it so even if you change it in the session table CI will still chop it at 50.

As far as user_data:
-- ------------------------------------------------------------------------
--  `user_data` text,       COMMENT - maximum length of 65535 characters.
--  `user_data` mediumtext, COMMENT - maximum length of 16777215 characters.
--  `user_data` longtext,   COMMENT - maximum length of 4294967295 characters.
-- ------------------------------------------------------------------------

[eluser]Amitabh Roy[/eluser]
Yep, it seems so, when it does sess_read() in Session.php:

// Does the User Agent Match?
  if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 50)))
   return FALSE;

So updating the length of the user_agent column in the user_sessions table would have no effect on this issue.
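
A way to see which of the checks discussed in this thread rejects a session row, as an added example that is not part of any post and not CodeIgniter's own code. `session_reject_reason()`, the sample row and the request values are constructed; the checks model expiry, `sess_match_ip` and the 50-character `sess_match_useragent` comparison quoted above.

```php
<?php
// Added diagnostic sketch, not CodeIgniter's code: models the checks a
// database-backed session row has to pass when it is read back.

const UA_COMPARE_LEN = 50; // truncation length in the sess_read() check quoted above

/**
 * Return the name of the first check that rejects the row, or 'ok'.
 * $row is a stand-in for a user_sessions row, $request the current request,
 * $config the sess_* settings. All names here are hypothetical.
 */
function session_reject_reason(array $row, array $request, array $config): string
{
    if ($row['last_activity'] + $config['sess_expiration'] < $request['now']) {
        return 'expired';
    }
    if ($config['sess_match_ip'] && $row['ip_address'] !== $request['ip']) {
        return 'ip_mismatch';
    }
    // Only the first 50 characters of the request's user agent take part.
    $ua = trim(substr($request['user_agent'], 0, UA_COMPARE_LEN));
    if ($config['sess_match_useragent'] && trim($row['user_agent']) !== $ua) {
        return 'useragent_mismatch';
    }
    return 'ok';
}

// Constructed sample data (documentation IP range, made-up user agent string).
$config = ['sess_expiration' => 7200, 'sess_match_ip' => true, 'sess_match_useragent' => true];
$ua  = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2)';
$row = ['last_activity' => 1000, 'ip_address' => '203.0.113.10', 'user_agent' => substr($ua, 0, 50)];

$cases = [
    'same client'            => ['now' => 1300, 'ip' => '203.0.113.10', 'user_agent' => $ua],
    'proxy changed the IP'   => ['now' => 1300, 'ip' => '203.0.113.77', 'user_agent' => $ua],
    'UA differs in first 50' => ['now' => 1300, 'ip' => '203.0.113.10', 'user_agent' => str_replace('MSIE 8.0', 'MSIE 7.0', $ua)],
    'UA differs after 50'    => ['now' => 1300, 'ip' => '203.0.113.10', 'user_agent' => str_replace('SLCC2', 'SLCC1', $ua)],
    'idle past expiration'   => ['now' => 9000, 'ip' => '203.0.113.10', 'user_agent' => $ua],
];
foreach ($cases as $label => $request) {
    printf("%-24s %s\n", $label, session_reject_reason($row, $request, $config));
}
```

Logging the returned reason next to the order ID separates an expired or mismatched session from a slow API response.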

CI 2.1.+ has raised it up to varchar(120)

Another thing to look at is whether both servers' times are synced with the correct time. Time can cause all kinds of problems.

Also make sure that your computer system time is also correct.

[eluser]Amitabh Roy[/eluser]
It seems even after taking the steps I mentioned in the earlier post, I am still having the same issues. The only thing is it happens later as I have updated the sess_time_to_update to 900 from 300. So whenever the session is regenerated, the data is lost from the session.

So it seems the session implementation is a bit flawed in the 1.7.2 version of CI. The solutions I have are:
1. to disable refreshing session/disabling the session_id updates
2. Use a different session library instead of the native CI implementation.

The questions are:
1. If I want to disable session id updates, how do I do that? Will setting sess_time_to_update to 0 do the job? Or do I need to hack into the session class?

2. I searched around and came across these alternate session implementations for CI:
Native session and Session hybrid
Now my application is a live running application, so I don't want to go through the entire site and replace the session codes. The new session library has to be a seamless/drop-in replacement for the native CI session, so I don't need to change any codes. Going by my requirements I guess Session Hybrid is the preferred one, though I am not sure it works with CI 1.7.2, though the wiki page says it is for CI 1.7.0.

If anybody has used Session Hybrid in their project or has used some other good session library, I would definitely like to know their recommendation. Thank you.
