10

I'm working on a website which is created with CodeIgniter 2.1.0.

I've noticed that sometimes when I reload a page a couple of times, or open a couple of pages very fast, or when I have an error in the code (these errors are not related to sessions), I get logged out.

This website is using a library called Ion_auth for identification:

```php
public function logged_in()
{
  $identity = $this->ci->config->item('identity', 'ion_auth');
  return (bool) $this->ci->session->userdata($identity);
}
```

Is there a bug or something that I should know about?

```php
$config['sess_cookie_name']  = 'cisession';
$config['sess_expiration']  = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name']  = 'cisession';
$config['sess_match_ip']  = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
```

On this website, sessions get updated almost on every page.

Peter Mortensen
max
  • There is a known problem that can cause the Content-Length of HTML headers to become bloated. It occurs because CI sends the entire "Set-Cookie" header each time a request is made to `set_userdata()` or `unset_userdata()`. This generally isn't a problem, however if your users are behind a strict proxy (large company or educational institution) it could well cause the session to fail completely. https://github.com/EllisLab/CodeIgniter/issues/1345 – Jeemusu May 24 '13 at 16:01
  • There's also a known bug regarding sessions and ajax calls. – Aken Roberts May 24 '13 at 18:20
  • @Cryode that could be it .... is there any fix for that ? – max May 24 '13 at 18:39
  • A temporary work-around is to avoid updating the session if it's an ajax request, but that has its own caveats sometimes. [See this SO question/answers](http://stackoverflow.com/questions/7980193/codeigniter-session-bugging-out-with-ajax-calls), it will give you a couple "solutions", and has links to CI's GitHub issues with lots of discussion. – Aken Roberts May 24 '13 at 18:50

2 Answers

10

Here is what I found:

There is a bug in the session library of CodeIgniter which destroys the session with rapid requests.

Here you can find more about this bug:

https://github.com/EllisLab/CodeIgniter/issues/154

This bug still exists in the latest stable version, which is 2.1.3.

I've fixed this by replacing my session library with the one from CI3-DEV from GitHub:

https://github.com/EllisLab/CodeIgniter/blob/b211adee89f5fd2192051e9c0826146bd150f469/system/libraries/Session.php

And putting a long sess_expiration and sess_time_to_update in my configuration ... mine are 86400 and 86500.

Peter Mortensen
max
  • I'll give this a shot.. this bug should be fixed by EllisLabs really.. touch wood they start getting back onto it – Zabs Oct 09 '13 at 10:54
  • This is *still* an issue in 2.1.4 which is baffling. Initially I tried simply `return`ing immediately from `sess_update()`, but alas, that doesn't work, even with a long `sess_time_to_update`. Thanks for your answer, I'm hoping it'll help. – PaulSkinner Nov 05 '13 at 15:15
  • @PaulSkinner it's a bit late but put a long sess_expiration and sess_time_to_update in your config .... mine are 86400 and 86500 – max Mar 08 '14 at 18:05
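
An added example, not part of the answer above and not CodeIgniter's code: a simplified model of why rapid requests can log a user out, and why the answer's long `sess_time_to_update` hides the problem. It assumes the library replaces the session ID once `sess_time_to_update` has elapsed and treats a request carrying the replaced ID as invalid; `handle_request`, `still_logged_in` and the store layout are hypothetical names constructed for this sketch.

```php
<?php
// Added illustration: a simplified model of session ID rotation, not CodeIgniter's code.

// One request: look up the cookie's session id and rotate it if the update interval elapsed.
// Returns the session id the response sets, or null when the id no longer resolves.
function handle_request(array &$store, string $cookieId, int $now, int $timeToUpdate): ?string
{
    if (!isset($store[$cookieId])) {
        return null; // unknown id: the session is treated as invalid
    }
    if ($now - $store[$cookieId]['last_activity'] >= $timeToUpdate) {
        $newId = bin2hex(random_bytes(16));
        // Copy the row under the new id with a refreshed timestamp.
        $store[$newId] = ['last_activity' => $now] + $store[$cookieId];
        unset($store[$cookieId]); // the old id stops resolving immediately
        return $newId;
    }
    return $cookieId;
}

// Two requests leave the browser together, both carrying the same cookie (constructed data).
// Returns whether the user is still logged in after both responses have arrived.
function still_logged_in(int $timeToUpdate): bool
{
    $store = ['old-id' => ['last_activity' => 0, 'identity' => 'user@example.test']];
    $now = 301; // just past the question's sess_time_to_update of 300
    $sentCookie = 'old-id';

    $first  = handle_request($store, $sentCookie, $now, $timeToUpdate);
    $second = handle_request($store, $sentCookie, $now, $timeToUpdate); // still the old cookie

    // The browser keeps what the last response set; null models a fresh anonymous session.
    $browserCookie = $second;
    return $browserCookie !== null && isset($store[$browserCookie]['identity']);
}

var_dump(still_logged_in(300));   // interval from the question's config
var_dump(still_logged_in(86500)); // interval from the answer's config
```

With the interval of 300 the second request presents an ID that the first request has already replaced, so the user ends up logged out; with 86500 no rotation is due and both requests resolve. An interval longer than `sess_expiration` also means the session ID is never rotated during the session's lifetime, which is the trade-off of this work-around.
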
7

CodeIgniter saves session data in cookies. If session data has any special character which unsets the cookie, the session is also destroyed.

It also creates a few more problems with the size limit. A cookie can save a limited amount of data, depending on the browser. If you try to store more data in a CodeIgniter session, and as CodeIgniter tries to save it in a cookie, it may not save more than that limit.

Also, as the cookie is sent over the network, it unnecessarily adds traffic on the network. All session data should not be saved in a cookie.

It's better to use a native session library. It uses PHP's native session.

https://github.com/EllisLab/CodeIgniter/wiki/Native-session

or

https://github.com/EllisLab/CodeIgniter/wiki/PHPSession

You can compare both.

Please refer to the CodeIgniter session documentation for how CodeIgniter stores session data.

https://www.codeigniter.com/user_guide/libraries/sessions.html

Stack Programmer
vishal
  • Are you saying that it saves the session data in an actual cookie? On the server? ... I thought it saves them in the database? – max May 27 '13 at 15:00
  • yes, by default CI stores session data in Cookies only.. You can additionally store it in database as well. But still it will save in Cookie+database. Please refer http://ellislab.com/codeigniter/user-guide/libraries/sessions.html – vishal May 27 '13 at 17:27
  • Thanks, I knew that, but as you can see in the settings I have `$config['sess_use_database'] = TRUE` so it's not the cookie thing ... I'm going to test the Native session though and see what's going to happen – max May 27 '13 at 18:14
  • About native session ... I'm confused, it says `system/application/libraries/native_session.php` .. in my system directory I don't have an `application` dir ... should I create it? Or does it refer to the `application` directory in the root of CodeIgniter? – max May 27 '13 at 18:32
  • even though $config['sess_use_database'] = TRUE, CI will store it to cookie and database both. – vishal May 27 '13 at 18:50
  • you can try https://github.com/EllisLab/CodeIgniter/wiki/PHPSession also. – vishal May 27 '13 at 18:53
  • You can simply place the library file in application/libraries – vishal May 27 '13 at 18:54
  • I had a very similar problem, just not with CI but with Kohana, and the two systems are very, very similar. The problem was that the session setting wasn't applied for the system, so basically I had to change the php.ini. I think there is the same problem here. You get kicked out because there is a cron job that goes through the directory where the sessions are stored, usually every half an hour, and deletes the files. I would really check, with phpinfo, whether the desired setting is applied or not. – ghostika May 29 '13 at 05:34