Session getting lost on regenerating session id in codeigniter

Question

I have a codeigniter application where the session is set when a user logs in and is shown the user dashboard with somewhat like the code below:

public function checkLogin()
{
    $username = $this->input->post("username");
    $password = $this->input->post("password");

    $userId = $this->ModelLogin->checkLogin($username, $password);

    if ($userId) {
        $session_data = array(
            'is_logged_in' => true,
            'userId' => $userId,
        );

        $this->session->set_userdata($session_data);
        redirect("/user/dashboard");
    } else {
        $this->session->set_flashdata('login_error', "Incorrect username/password");
    }
}

Now I am to fix a Session Fixation issue by regenerating the Session ID before authenticating the user. When I include the session_regenerate_id() or even the codeigniter specific $this->session->sess_regenerate() function, it works within this function but as soon as it is redirected to the /user/dashboard the session data gets blank.

I am adding the regenerate line just before the $this->session->set_userdata($session_data);. The above code works perfectly without the regenerate.

Additionally, I am using the database session driver. When I switch to the files driver, even the regenerate logic works perfectly. It's just something with the database driver (I feel) is causing this issue.

If you are not using latest CI on PHP7, maybe you can fix the session bug like this: https://stackoverflow.com/a/56355732/3929170 — Leon Lo, May 30 '19 at 01:42

score 0 · Answer 1 · answered Apr 06 '19 at 11:44

I fixed this after days of trial and error.

This was present in Codeigniter 3.0.x that too on PHP 7.x (which was what my application was running on)

After extensive search, I stumbled upon a Codeigniter changelog that mentioned a regression bug fix in some later versions (3.0.x) of Codeigniter and that's when I started scanning through the changes in the Codeigniter session library and the database driver where I found this snippet:

// PHP7 will reuse the same SessionHandler object after
// ID regeneration, so we need to explicitly set this to
// FALSE instead of relying on the default ...
    $this->_row_exists = FALSE;

Just when I brought this only line change into my existing codeigniter system, the problem was solved instantly!

Session getting lost on regenerating session id in codeigniter

1 Answers1