I know, I know sessions again...
I have been pulling my hair out over a session bug I have been having for ages but could not make it happen on demand and it seems random.
However I think I may have got to the bottom of it FINALLY!!! but now I have a question about whether this is a problem with the way CI 3 handles sessions... and if the CI Session class needed updating...
Let me give you a brief background so I can better explain:
I have session set to store in db and conf as follows:
```php
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'lf_session';
$config['sess_expiration'] = 1920; // 1800 secs (30 mins) + 120 secs (to ensure session still active when auto logout)
$config['sess_save_path'] = 'lf_tbl_session';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 600; // 600 secs (10 mins)
$config['sess_regenerate_destroy'] = TRUE;
```
As you can see I use the sess_expiration to dictate when the session should be killed for inactivity. I have a JavaScript timer which counts down and then redirects the user and logs them out automatically, but for security I also want the session to destroy itself.
Now this has been (seemingly) working fine for a long time over a few web apps we have developed; however, recently I have been having trouble where for no reason the user would lose the session and have to log back in, even though they were well within the 30 mins expiry time...
Cut a long story short I have isolated the problem to this.
(On Chrome at least) I monitored the session cookie expiry / max age datetime and upon logging in it was set to 30 mins from now. Perfect. When navigating around the web app on most pages this expiry / max age datetime would be updated to a new 30 mins each time. But as I said "most" on some pages it doesn't update the expiry / max age datetime, and then if I continually refresh this page it doesn't update it...
My first thought was, perhaps this only updates if you write to the session, however I quickly dismissed this as I update the current user's last seen time in the database and then update the user model which I store in the session on each page request in a CI Hook. So the session is being written to on each page load?
This is where I am now stumped. I have done more digging and I see the comment in the Session.php file on line 156 which says:
```php
// Another work-around ... PHP doesn't seem to send the session cookie
// unless it is being currently created or regenerated
```
However this is in an elseif with the auto-regeneration check (which I have on) so this code never gets run...
So, at the moment I have removed the else so the line 158 reads:
```php
if (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())
```
and this now seems to update the cookie on every page request. However, can some CI / PHP session guru tell me if this is going to cause a problem somehow? I don't see that it should, and I am also questioning if the CI Session.php file needs updating to something like this anyway, as if you have regen on, you can still get to a point where the cookie has expired even though a page request has come in inside the "expiry limits" you have set.
Should the session expiry time in the cookie be updated on every page request, maybe this could be an option in the config eg update_expiry_on_each_page_load = TRUE (may be a bit long but you get my drift).
Anyway hopefully the dev team at CI will be able to shed some light on this, and why it is the way it is, or that this may be a weird bug and the Session.php file needed tweaking to force the cookie to update in the browser...
Thanks for your time and in advance for your help.
Ben

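
The expiry gap described in the post above, as an added example (not part of the original post and not CodeIgniter's own code): a simplified model that uses the posted `sess_expiration` and `sess_time_to_update` values and replays a constructed request timeline, once with the cookie sent only on creation or regeneration and once with it re-sent on every request. The function name, the timeline and the two-policy switch are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model of the behaviour described in the post,
// not CodeIgniter's Session.php. All times are seconds since login.

const SESS_EXPIRATION = 1920;     // value from the posted config
const SESS_TIME_TO_UPDATE = 600;  // value from the posted config

/**
 * Replays request timestamps and returns the time of the first request that
 * arrives after the browser has dropped the cookie, or null if none does.
 * $refreshEveryRequest = false: cookie sent only on creation or regeneration.
 * $refreshEveryRequest = true:  cookie re-sent on every request (the poster's change).
 */
function first_lost_request(array $requestTimes, bool $refreshEveryRequest): ?int
{
    $cookieExpires = null;   // browser-side expiry of the session cookie
    $lastRegenerate = null;  // server-side time of the last ID regeneration

    foreach ($requestTimes as $now) {
        if ($cookieExpires === null) {
            // First request: session is created and the cookie is sent.
            $cookieExpires = $now + SESS_EXPIRATION;
            $lastRegenerate = $now;
            continue;
        }
        if ($now >= $cookieExpires) {
            return $now; // cookie expired in the browser, session is lost
        }
        if ($lastRegenerate < $now - SESS_TIME_TO_UPDATE) {
            // Session ID is regenerated, so a fresh cookie goes out.
            $lastRegenerate = $now;
            $cookieExpires = $now + SESS_EXPIRATION;
        } elseif ($refreshEveryRequest) {
            // No regeneration due: only the modified branch re-sends the cookie.
            $cookieExpires = $now + SESS_EXPIRATION;
        }
    }
    return null;
}

// Constructed timeline: login, a page view at 550 s, the next page view at 1925 s.
// The idle gap before the last request is 1375 s, inside the 1920 s window.
$timeline = [0, 550, 1925];

var_dump(first_lost_request($timeline, false)); // cookie sent only on create/regenerate
var_dump(first_lost_request($timeline, true));  // cookie re-sent on every request
```

In this model the request at 550 s falls before the first regeneration is due, so without the per-request refresh the cookie still carries the expiry set at login.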