10

I'm using ionAuth & it seems to be logging me out almost randomly? I'm using CodeIgniter v2.1.4 - it logs in perfectly fine however ionAuth seems to log out at random intervals, is there a way to force the session to stay active until I call the ionAuth->logout function?

My CI config looks as follows:

$config['sess_cookie_name']     = 'cisession';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 600;

My ion_auth config file looks as follows:

$config['user_expire'] = 0;
$config['user_extend_on_login'] = FALSE;

Can anyone give me any pointers on what might be causing the issue(s)?

Zabs
  • are you making any ajax requests anywhere? there are issues with CI's session class & race conditions that haven't been fully addressed yet – jmadsen Oct 05 '13 at 21:23
  • I am using ajax requests - on the homepage there is ajax request that basically does a GET request to search a database table. – Zabs Oct 08 '13 at 13:55

1 Answer

15

The cause of the problem is a session cookie rotation when an AJAX call is performed; the proper fix was included in CodeIgniter 3.

You have four options:

Cope: I faced this problem myself before without knowing exactly the cause of it. In short, I saved the promise of each XMLHttpRequest; if the HTTP status code 401 was encountered, the client-side application would request the credentials in the form of a popup and then retry the AJAX promise.

Client side with jQuery, just add this ajaxError handler:

$(document).ajaxError(function (e, xhr, settings, exception) {
    if (xhr.status == 401)
    {
        // open your popup
        $('#login-popup').modal('open');

        // attach the original request settings to a one-shot listener
        // (the jqXHR object itself cannot be passed back to $.ajax)
        $(document).one( "retry-xhr", {
                settings: settings
            },
            function( event ) {
            // retry the request when fired
            $.ajax( event.data.settings );
        });
    }
});

and when you are logged back in, just call this to retry your request:

$(document).trigger('retry-xhr');

Server side, you only need to add an if in your constructor:

if (!$this->session->userdata('logged_in') && $this->input->is_ajax_request())
{
    $this->output->set_status_header('401');
    exit;
}

This was useful because some users would leave their web app window open overnight and the session timeout would kick in. Then the users would call me about not being able to do any AJAX function, and I would have to tell them to press F5.

P.S. If on Angular, I have used the HTTP Auth Interceptor Module successfully.

Hack: See this post, his solution is to create another field in the ci_session table and check for both cookies, so your session will still be valid after rotation.

It also explains in detail what is causing this glitch

http://www.hiretheworld.com/blog/tech-blog/codeigniter-session-race-conditions

Upgrade: Start using the next version where it's already fixed:

https://github.com/EllisLab/CodeIgniter/tree/release/3.0

Patch: Replace line 346 in system/libraries/Session.php (function sess_update()):

if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)

With:

if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now || $this->CI->input->is_ajax_request())
Josue Alexander Ibarra
  • I will try that out - is there a good guide for upgrading from v2.1.4 to v3 of codeigniter? Will I need to do a lot of workarounds for my v2 app to make it v3 compatible? – Zabs Oct 09 '13 at 10:49
  • 1
    It depends on what your application does, the biggest change in my opinion is that some functions now return **null** instead of **false**. If your app logic depends on that, you'll have a great time grepping for those function names. I believe this is the most concise guide for upgrading: [Upgrade to CI 3.00](https://www.chuongduong.net/ci3/installation/upgrade_300.html) – Josue Alexander Ibarra Oct 09 '13 at 17:11
  • thanks for that - i'm going to try this shortly but either way will give u the bounty for the amount of useful information you provided - thanks again :) – Zabs Oct 14 '13 at 10:54
  • awesome =] be sure to try out the first option if you will have a business app running day in and out (where session timeout might become a problem) – Josue Alexander Ibarra Oct 14 '13 at 16:10
  • Hi Josue - could you explain where exactly i need to add this code in my CI app? I'm just a little unsure and you seem to know the score with the issue :) thanks! :) – Zabs Oct 18 '13 at 14:15
  • Ok, give me a little while and I'll make a functioning example with the 401 headers. The patch on the other hand, goes in your system/libraries/Session.php of your CI app. What it does, it adds a check to see if it's an XMLHttpRequest, if so, it exits the session rotation function. – Josue Alexander Ibarra Oct 18 '13 at 14:53
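
The rotation race behind the logouts, and the effect of the answer's Patch and Hack options, as an added example: a simplified JavaScript model written for this page, not CodeIgniter's or the answerer's code. The store, the `sid` ID format and the `race` scenario are assumptions; `sess_time_to_update` is taken from the question's config.

```javascript
// Simplified model of CodeIgniter 2.x database sessions (constructed, not CI code).
const TIME_TO_UPDATE = 600; // sess_time_to_update from the question's config

function makeStore(mode) { // mode: 'stock' | 'patch' | 'hack'
  let counter = 0;
  const rows = new Map(); // session_id -> { loggedIn, lastActivity, prevId }
  const newId = () => 'sid' + (++counter);
  return {
    login(now) {
      const id = newId();
      rows.set(id, { loggedIn: true, lastActivity: now, prevId: null });
      return id;
    },
    // Handle one request: returns the cookie the response sets and the auth state.
    handle(cookie, now, isAjax) {
      let id = cookie;
      let row = rows.get(id);
      if (!row && mode === 'hack') {
        // Extra column: also accept the ID that was valid before the last rotation.
        for (const [k, r] of rows) if (r.prevId === cookie) { id = k; row = r; }
      }
      if (!row) { // unknown ID: the server starts a fresh anonymous session
        id = newId();
        rows.set(id, { loggedIn: false, lastActivity: now, prevId: null });
        return { setCookie: id, loggedIn: false };
      }
      const due = row.lastActivity + TIME_TO_UPDATE < now;
      if (due && !(mode === 'patch' && isAjax)) { // sess_update(): rotate the ID
        rows.delete(id);
        const fresh = newId();
        rows.set(fresh, { ...row, lastActivity: now, prevId: id });
        id = fresh;
      }
      return { setCookie: id, loggedIn: row.loggedIn };
    },
  };
}

// Two AJAX calls leave the browser with the same cookie once rotation is due.
// Returns whether the user is still logged in on the next page load.
function race(mode) {
  const store = makeStore(mode);
  const cookie = store.login(0);
  store.handle(cookie, 700, true); // first call: stock CI rotates the ID here
  const second = store.handle(cookie, 700, true); // still carries the old ID
  // The second response arrives last, so its Set-Cookie is what the browser keeps.
  return store.handle(second.setCookie, 701, false).loggedIn;
}

console.log(['stock', 'patch', 'hack'].map((m) => `${m}: ${race(m)}`).join(', '));
```

With the patch, `is_ajax_request()` decides from the client-supplied `X-Requested-With` header, so a session that is only ever used through such requests keeps the same ID until `sess_expiration` runs out.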