• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Upgrading Codeigniter from 1.7.3 to 2.2.2 - Issue with sessions library

#1
[eluser]adela[/eluser]
I am upgrading from Codeigniter 1.7.3 to the latest 2.2.0 and experiencing an issue with the sessions. If I use the old core file called system/libraries/Session.php its working but if I use the new session.php file, my login script isn't working at all. I mean it does nothing after I try to login with account and password. So, whats the difference in the newest version and how my script should look like? Thanks for taking the time to check my question and possibly answer me!

EDIT: I saw that this line cause the issue at first place:

Code:
$this->session->sess_destroy();

Complete function:


Code:
function login_do()
{
    if ( $_POST['username'] && $_POST['password'] )
    {
        $user = $this->db->where( array( 'users_name' => trim( $_POST['username'] ), 'users_password' => sha1( md5( $_POST['password'] ) ) ) )->get( 'users' );
        if ( $user->num_rows == '1' )
        {
            $user = $user->row();
            $data = array( 'logged' => true, 'users_id' => $user->users_id );
            if ( $user->users_teams_id > '0' )
            {
                $leader = $this->db->where( array( 'team_leader_id' => $user->users_id, 'teams_id' => $user->users_teams_id ) )->get( 'teams' )->row();
                $data['teams_id'] = $user->users_teams_id;
                if ( $leader )
                    $data['leader_teams_id'] = $user->users_teams_id;
            }

            $this->session->sess_destroy();
            $this->session->unset_userdata( array( 'logged' => false, 'users_id' => false, 'teams_id' => false, 'leader_teams_id' => false ) );
            $this->session->set_userdata( $data );
        }
        else
            $this->session->set_flashdata( 'error', 'user_pass' );
    }
    else
        $this->session->set_flashdata( 'error', 'data' );

    redirect( 'home' );
}

How my code above should be modified to accept the new session library. actually the above $this->session->sess_destroy(); as mentioned cause the issue ...

#2
[eluser]CroNiX[/eluser]
Take a look at the sess_destroy() method in the session library. It already unsets userdata, etc., but then you do it manually on a session that doesn't exist anymore since you just destroyed it. You then set_userdata, again, on a session that you just destroyed. You might try creating a new session right after you destroy the old one, or just unsetting the userdata which in effect destroys the session and not use sess_destroy().

#3
[eluser]InsiteFX[/eluser]
Take a look also at your session table there was a change to it awhile back you may be running on the old one.

#4
[eluser]adela[/eluser]
This code above which I posted in the first post has been used back when 1.7.3 was the latest version. Also, I don't store session into the database.

So, now I have 2 options to do it and keep it valid:

1. creating a new session right after I destroy the old one.

Code:
$this->session->sess_destroy();
                     $this->session->unset_userdata( array( 'logged' => false, 'users_id' => false, 'teams_id' => false, 'leader_teams_id' => false ) );
                     $this->session->sess_create();
                     $this->session->set_userdata( $data );

OR

2. Just unsetting the userdata (as it is in my code already) which in effect destroys the session and remove the use of sess_destroy() line only, right?

Code:
$this->session->unset_userdata( array( 'logged' => false, 'users_id' => false, 'teams_id' => false, 'leader_teams_id' => false ) );
                     $this->session->set_userdata( $data );

So both are fully correct to use and safe? Also, I will use encryption of cookies now to make it even safer. Thanks a lot for taking the time to answer to my questions.

#5
[eluser]CroNiX[/eluser]
For #1, you wouldn't use unset_userdata() after you destroy the session, as sess_destroy() already does that so there wouldn't be a session to unset data on.

#2 would be better I think, and has less code.

It is better to use the session database driver as it can store an infinite amount of session data, whereas cookies have a hard limit, which is different for each browser, but it's safe to assume 2kb max data if using cookies. If you go over that, it could break the session depending on the browser. If you encrypt the session data, it also takes a lot more space to store it.

#6
[eluser]adela[/eluser]
So,
Code:
$this->session->sess_destroy();
was used previously in 1.7.3 version probably because there was bug on it and it didn't work correctly, that's right? I believe there was no error on it because of that bug.

Also, is this code below correct in that case as you said?: unset_userdata() will do the similiar job as sess_destroy()

Code:
function login_do()
{
    if ( $_POST['username'] && $_POST['password'] )
    {
        $user = $this->db->where( array( 'users_name' => trim( $_POST['username'] ), 'users_password' => sha1( md5( $_POST['password'] ) ) ) )->get( 'users' );
        if ( $user->num_rows == '1' )
        {
            $user = $user->row();
            $data = array( 'logged' => true, 'users_id' => $user->users_id );
            if ( $user->users_teams_id > '0' )
            {
                $leader = $this->db->where( array( 'team_leader_id' => $user->users_id, 'teams_id' => $user->users_teams_id ) )->get( 'teams' )->row();
                $data['teams_id'] = $user->users_teams_id;
                if ( $leader )
                    $data['leader_teams_id'] = $user->users_teams_id;
            }

            $this->session->unset_userdata( array( 'logged' => false, 'users_id' => false, 'teams_id' => false, 'leader_teams_id' => false ) );
            $this->session->set_userdata( $data );
        }
        else
            $this->session->set_flashdata( 'error', 'user_pass' );
    }
    else
        $this->session->set_flashdata( 'error', 'data' );

    redirect( 'home' );
}

#7
[eluser]adela[/eluser]
[quote author="CroNiX" date="1410894900"]It is better to use the session database driver as it can store an infinite amount of session data, whereas cookies have a hard limit, which is different for each browser, but it's safe to assume 2kb max data if using cookies. If you go over that, it could break the session depending on the browser. If you encrypt the session data, it also takes a lot more space to store it.[/quote]

What you mean by 2 KB? I've read on few different places and even on the EllisLab Session guide that it's around 4 KB.

Here is what its said on the Session codeigniter guide:

"Cookies can only hold 4KB of data, so be careful not to exceed the capacity. The encryption process in particular produces a longer data string than the original so keep careful track of how much data you are storing."

So, is it actually 2 or 4 KB is safe too ? My session cookie after encryption is around 3 KB.

#8
[eluser]InsiteFX[/eluser]
Cookies hold 4kb what CroNix is saying is that to be safe only store 2kb, there is a lot of over head
in using cookies like encryption etc;

Database sessions are also more safe then cookies, the user_data can also be set to
text
mediumtext
longtext

for different storage sizes.

#9
[eluser]adela[/eluser]
[quote author="InsiteFX" date="1412037391"]Cookies hold 4kb what CroNix is saying is that to be safe only store 2kb, there is a lot of over head
in using cookies like encryption etc;

Database sessions are also more safe then cookies, the user_data can also be set to
text
mediumtext
longtext

for different storage sizes.
[/quote]

I set it like that, so my sessions are now stored into the database .. but why it is storing an array user_data too?

Example: (this is stored in the user_data column of the sessions table)

Code:
a:5:{s:9:"user_data";s:0:"";s:6:"logged";b:1;s:8:"users_id";s:3:"507";s:8:"teams_id";s:2:"78";s:15:"leader_teams_id";s:2:"78";}

as you can see there is empty user_data array in the actual cookie, why is that and is something i should worry about? Sometimes its included into the cookie and sometimes its not included. Let me know please ...

I am only storing logged, users_id, teams_id and leader_teams_id
So, what is this user_data in the start? As I stated sometimes its not included and its weird.

#10
[eluser]InsiteFX[/eluser]
Because CI serializes the user_data array before storing it into the database.

It un-serializes it when it is read from the database.

Look at the bottom of the Session class and you will see the two methods.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.