multiple session cookies with session library

[eluser]Tom Vogt[/eluser]
WanWizard might be on to something. I see the same behaviour here - very hard to reproduce, but it happens quite often.

I added a bit of debug output to my access control library and it appears, but I've not had enough cases to be 100% certain, that the user data is not set at all when the session fails. It's not set wrong, it's unset.

[eluser]skunkbad[/eluser]
I may have come up with a solution, but since I've never had problems with sessions, I'm not sure it will work or not. The solution does reduce the amount of cookies set to 1. I'm not big on using hooks, but after playing around for a couple hours, it's the only way I could do what I was trying to do. Hooks must be turned on in config/config. A post controller hook needs to be created in config/hooks.php. Please check it out and let me know if it works:

config/hooks.php

Code:

$hook['post_controller'][] = array(
'function' => 'finalize_session',
'filename' => 'finalize_session.php',
'filepath' => 'hooks'
);

MY_Session.php

Code:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class MY_Session extends CI_Session {

private $cookie_data = array();

/**
  * Write the session cookie
  *
  * @access public
  * @return void
  */
public function _set_cookie($cookie_data = NULL)
{
  if (is_null($cookie_data))
  {
   $cookie_data = $this->userdata;
  }

  // Serialize the userdata for the cookie
  $cookie_data = $this->_serialize($cookie_data);

  if ($this->sess_encrypt_cookie == TRUE)
  {
   $cookie_data = $this->CI->encrypt->encode($cookie_data);
  }
  else
  {
   // if encryption is not used, we provide an md5 hash to prevent userside tampering
   $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
  }

  $this->cookie_data[] = $cookie_data;
}

/**
  * Finalize Session
  */
public function finalize_session()
{
  if( ! empty( $this->cookie_data ) )
  {
   $cookie_data = array_pop( $this->cookie_data );

   $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();

   // Set the cookie
   setcookie(
    $this->sess_cookie_name,
    $cookie_data,
    $expire,
    $this->cookie_path,
    $this->cookie_domain,
    $this->cookie_secure
   );

   $this->cookie_data = array();
  }
}

// -----------------------------------------------------------------------

}

/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */

hooks/finalize_session.php

Code:

<?php

function finalize_session()
{
$CI =& get_instance();

$CI->session->finalize_session();
}

In my testing, when sending ajax responses, I had to change how I would normally send my response. Normally I just echo json_encode( $response ); I found I had to use Output:et_output() instead.

Code:

// echo json_encode( $response );

$this->output->set_output( json_encode( $response ) );

[eluser]CroNiX[/eluser]
@skunkbad, did you try putting that in a __destruct()? Or make the finalize_session() itself the __destruct()?

[eluser]skunkbad[/eluser]
... mistake posting

[eluser]skunkbad[/eluser]
[quote author="skunkbad" date="1350354190"][quote author="CroNiX" date="1350353997"]@skunkbad, did you try putting that in a __destruct()? Or make the finalize_session() itself the __destruct()?[/quote]

Yeah I did, but it didn't work for ajax. I also tried to put a __destruct in MY_Controller, but that didn't work either. __destruct() in a post controller hook was the only way it worked for me. Maybe the others destructed too soon?

I uploaded the files to community-auth.com, and went through some basic testing. All is well. I've just never had problems with session dropping out, so I'm curious to see if WW and the op have success with what I've done.[/quote]

[eluser]Tom Vogt[/eluser]
Hm, I don't quite follow why this is happening. Here's why: As I said above, there is exactly ONE call to set_userdata() in my ENTIRE code.

I do set a bit of flashdata here and there, which also causes calls to set_userdata() within Session.php - but that's at most one per page view, so it also doesn't explain how I end up with up to FIVE different cookies.

[eluser]WanWizard[/eluser]
Session:ess_write() is called in set_userdata(), unset_userdata(). And all flash methods except flashdata() call set_userdata(), unset_userdata() or both, so they indirectly also initiate a write.

Note that if you use the database backend, this means that you have as many update queries on your session table as you have cookies in the header. From a performance point of view not a very good idea either.

[eluser]skunkbad[/eluser]
Does my code stop your session from dropping?

[eluser]weboap[/eluser]
a quick answer if it will help anybody, this may be related or not to this post.
i had this issue before with CI creating multiple sessions record as i had session in the database.
and users have been kicked off every time session update is up.

1- tried the session disable patch to MY_Session to (stop session update on ajax request) --- wasn't it.
http://ellislab.com/forums/viewthread/203821/

2- changed the table fields size, upped the user_agent field to 120 then to 255 --- no changement
(did the change in the session lib too) ==> if field is short it shop the field giving a false result on user_agent test in the next session update.

3- changed the session from databse... worked ok. but i needed to use the DB table.

4- tried the native session : worked ok but still didn't do the job i wanted.

....

here is my stupid mistake, i auto load the session lib. forgot, and loaded it again later down the code.
there was one session created. the second load killed it and created a new, when session update was up there was maybe the same user agent, ip , but not the same session_id, so couldn't find the session to update then created a new one ===> kicked the user.


hope it help somebody.

[eluser]WanWizard[/eluser]
Weird.

You shouldn't be able to load a library multiple times, all CI libraries are singletons, they get re-used on second load.