A warning with using sess_match_ip for sessions
#1

[eluser]Lone[/eluser]
When I first saw the config option of 'sess_match_ip' in the config I thought "Awesome, this would reduce the incidence of session hijacking as you need to have the same IP".

Turns out it wasn't such a great idea to use - had a client who kept on losing their session details, which wouldn't persist over multiple page requests. After a bit of investigating I worked it down to their IP address changing every few requests (in fact my mobile phone does this as well) - something I didn't think really happened. Although looking at PHPsec.org it isn't really worth checking for an IP:

Quote: It is unwise to rely on anything at the TCP/IP level, such as IP address, because these are lower level protocols that are not intended to accommodate activities taking place at the HTTP level. A single user can potentially have a different IP address for each request, and multiple users can potentially have the same IP address.

But after changing the $config['sess_match_ip'] to FALSE the issue was gone - so for anyone having similar problems with people logging out randomly be certain to check this out!


A note for people using DB Session

To be honest the issue actually persisted for me even after changing this setting to FALSE when using the DB Session Library from the Wiki (nb. change to the new DB2 Session Library). After doing some looking into the code I saw that this setting was being ignored and the following query run regardless:

Code:
$this->CI->db->where('ip_address', $this->CI->input->ip_address());

So be certain to change this to:

Code:
if ($this->CI->config->item('sess_match_ip') == TRUE) {
    $this->CI->db->where('ip_address', $session['ip_address']);
}
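
The behaviour described in the post above, as an added example that is not part of the original post and is not CodeIgniter or DB Session library code: a stand-alone model of the session lookup with the IP filter always applied, next to the same lookup gated on `sess_match_ip`. The function names, the session row and the request IPs are constructed for illustration.

```php
<?php
// Stand-alone model of the session lookup. None of these function names
// come from CodeIgniter or the DB Session library (hypothetical helpers).

// Constructed session row, as it might sit in the sessions table.
$sessions = [
    ['session_id' => 'abc123', 'ip_address' => '203.0.113.10'],
];

// Lookup as the post describes it: the IP filter is applied whether or not
// sess_match_ip is enabled, so $config is accepted but never consulted.
function find_session_always_ip(array $rows, string $id, string $ip, array $config): ?array
{
    foreach ($rows as $row) {
        if ($row['session_id'] === $id && $row['ip_address'] === $ip) {
            return $row;
        }
    }
    return null;
}

// Lookup with the IP filter gated on the setting, as in the post's change.
function find_session_gated(array $rows, string $id, string $ip, array $config): ?array
{
    foreach ($rows as $row) {
        if ($row['session_id'] !== $id) {
            continue;
        }
        if ($config['sess_match_ip'] === TRUE && $row['ip_address'] !== $ip) {
            continue; // IP mismatch only matters when matching is enabled
        }
        return $row;
    }
    return null;
}

$config = ['sess_match_ip' => FALSE];

// Constructed requests: same session cookie, client IP changes mid-session.
$requests = ['203.0.113.10', '203.0.113.10', '198.51.100.7', '203.0.113.10'];

foreach ($requests as $n => $ip) {
    $old = find_session_always_ip($sessions, 'abc123', $ip, $config) ? 'kept' : 'lost';
    $new = find_session_gated($sessions, 'abc123', $ip, $config) ? 'kept' : 'lost';
    printf("request %d from %-13s ungated: %-4s gated: %s\n", $n + 1, $ip, $old, $new);
}
```

Setting `sess_match_ip` to `TRUE` in `$config` makes both lookups reject the request from the changed address, which is the trade-off the post warns about.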



