CI Session cookie expiry / cookie_lifetime

#1
I know, I know sessions again... Huh

I have been pulling my hair out over a session bug I have been having for ages but could not make it happen on demand and it seems random.

However I think I may have got to the bottom of it FINALLY!!! but now I have a question about whether this is a problem with the way CI 3 handles sessions... and if the CI Session class needed updating...

Let me give you a brief background so I can better explain:

I have session set to store in db and conf as follows:

$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'lf_session';
$config['sess_expiration'] = 1920; // 1800 secs (30 mins) + 120 secs (to ensure session still active when auto logout)
$config['sess_save_path'] = 'lf_tbl_session';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 600; // 600 secs (10 mins)
$config['sess_regenerate_destroy'] = TRUE;

As you can see, I use the sess_expiration to dictate when the session should be killed for inactivity. I have a JavaScript timer which counts down and then redirects the user and logs them out automatically, but for security I also want the session to destroy itself.

Now this has been (seemingly) working fine for a long time over a few web apps we have developed; however, recently I have been having trouble where for no reason the user would lose the session and have to log back in, even though they were well within the 30 mins expiry time...

Cut a long story short I have isolated the problem to this.

(On Chrome at least) I monitored the session cookie expiry / max age datetime and upon logging in it was set to 30 mins from now. Perfect. When navigating around the web app on most pages this expiry / max age datetime would be updated to a new 30 mins each time. But as I said "most" on some pages it doesn't update the expiry / max age datetime, and then if I continually refresh this page it doesn't update it...

My first thought was, perhaps this only updates if you write to the session; however, I quickly dismissed this as I update the current user's last seen time in the database and then update the user model, which I store in the session, on each page request in a CI Hook. So the session is being written to on each page load?

This is where I am now stumped. I have done more digging and I see the comment in the Session.php file on line 156 which says:

// Another work-around ... PHP doesn't seem to send the session cookie
// unless it is being currently created or regenerated

However this is in an elseif with the auto-regeneration check (which I have on) so this code never gets run...

So, at the moment I have removed the else so the line 158 reads:

if (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())

and this now seems to update the cookie on every page request. However, can some CI / PHP session guru tell me if this is going to cause a problem somehow? I don't see that it should, and I am also questioning if the CI Session.php file needs updating to something like this anyway, as if you have regen on, you can still get to a point where the cookie has expired even though a page request has come in inside the "expiry limits" you have set.

Should the session expiry time in the cookie be updated on every page request, maybe this could be an option in the config eg update_expiry_on_each_page_load = TRUE (may be a bit long but you get my drift).

Anyway hopefully the dev team at CI will be able to shed some light on this, and why it is the way it is, or that this may be a weird bug and the Session.php file needed tweaking to force the cookie to update in the browser...

Thanks for your time and in advance for your help.

Ben

#2
Cookies will not write if output has already been sent to the page.
Cookies will not update unless there is a page refresh.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

#3
Hi InsiteFX.
Sorry, but I don't understand your reply?

"Cookies will not write if output has already been sent to the page."
I don't get what you mean here, as like I said the cookie updates on most page loads when I navigate round the web app; it's only on a few pages that it doesn't, and this is all pre anything being sent to the browser...

"Cookies will not update unless there is a page refresh."
Again like I said, once I have found one of these pages, I can refresh / re-load the page (f5) as many times as I want and the cookie expiry datetime in the browser stays the same even though in a pre-controller hook I update the session with new data which (from my understanding) should send an updated cookie to the browser with a new expiry datetime ...

Hope this clarifies the problem.

Many thanks,
Ben

#4
I know that there was a bug a while back with cookies not updating when they were using the same name, not sure if it was ever fixed.

Are you using the latest CI ver 3.1.0 ?

#5
I'm definitely not an expert on this subject, but I'll take a stab at it.

Your change to the session library probably will create problems, but, like most session problems, they'll be difficult to reproduce and rarely reported to you or the developers, and I would guess that they won't be big enough to be worthwhile.

Check through the session configuration values in your php.ini (see http://php.net/manual/en/session.configuration.php), and you may also want to check your CI config files for old settings if your site was migrated from CI2, like sess_expire_on_close, or for odd settings like cookie_lifetime (I'm not sure where this comes from, but the session library will use it).

It does look like PHP is less likely to update the cookie's expiration time if the session ID doesn't change, which means your issue is more likely to come up with larger values of sess_time_to_update (the default is 300). It would appear that an estimate for the session life on your client would be anywhere from a minimum of (sess_expiration - sess_time_to_update) to a maximum of sess_expiration. So, the smaller your sess_expiration value and the larger your sess_time_to_update value, the more likely it becomes that your users will experience issues with their cookie expiring before the session was actually supposed to expire. For users with sess_time_to_update disabled, the problem would be even worse, except that the setcookie() call is made on every request.

If there is a php.ini setting which would actually fix the problem, I would guess that it would be setting session.lazy_write to 0. The reason for this guess is that the session cookie is only storing the session ID, and the data isn't changing unless you regenerate the session ID. The description of session.lazy_write in the manual is this:
http://php.net/manual/en/session.configu...lazy-write

Quote: session.lazy_write boolean
session.lazy_write, when set to 1, means that session data is only rewritten if it changes. Defaults to 1, enabled.

This would probably be fine if you were storing session data in the cookie, but it's not a secure location to store the data, so CI uses a session handler to store the data elsewhere.
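The estimate in the last reply, worked through as a timing model with the first post's values (sess_expiration = 1920, sess_time_to_update = 600). This is an added example, not part of the thread and not CodeIgniter's code; replay_session() and the request times are hypothetical. It assumes the cookie expiry is only refreshed when the session is created or its ID is regenerated, and that the server allows sess_expiration seconds of idle time.

```php
<?php
// Added illustration: a timing model, not CodeIgniter code.
// Assumption (from the reply above): with sess_time_to_update > 0 the browser
// only receives a fresh cookie expiry on session creation or ID regeneration.

/**
 * Replay request times (seconds since login) and report how the session ends.
 * $refreshEveryRequest models re-sending the cookie on every request.
 */
function replay_session(int $expiration, int $timeToUpdate, array $requests, bool $refreshEveryRequest = false): array
{
    $cookieExpires  = $requests[0] + $expiration; // cookie set at login
    $lastRegenerate = $requests[0];
    $lastActivity   = $requests[0];

    foreach (array_slice($requests, 1) as $t) {
        $idle = $t - $lastActivity;
        if ($idle > $expiration) {
            // Intended behaviour: the server-side idle limit was exceeded.
            return ['result' => 'server_expired', 'at' => $t, 'idle' => $idle];
        }
        if ($t >= $cookieExpires) {
            // Browser dropped the cookie although the idle limit was not reached.
            return ['result' => 'cookie_expired_early', 'at' => $t, 'idle' => $idle];
        }
        $lastActivity = $t;
        $regenerate = $timeToUpdate > 0 && ($t - $lastRegenerate) > $timeToUpdate;
        if ($regenerate) {
            $lastRegenerate = $t;
        }
        if ($regenerate || $refreshEveryRequest) {
            $cookieExpires = $t + $expiration; // new expiry reaches the browser
        }
    }
    return ['result' => 'alive', 'at' => $lastActivity, 'idle' => 0];
}

// Constructed sample: login, a click just before regeneration is due,
// then a return after roughly 22 minutes of inactivity.
$requests = [0, 590, 1925];
foreach ([false, true] as $refresh) {
    $r = replay_session(1920, 600, $requests, $refresh);
    printf("refresh every request=%s -> %s at t=%d (idle %d s)\n",
        $refresh ? 'yes' : 'no', $r['result'], $r['at'], $r['idle']);
}
```

In this model the cookie's expiry is only a client-side hint, so the idle limit that matters for security is the one the server enforces on the stored session.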

