Codeigniter session bugging out with ajax calls
My CodeIgniter app uses the session library and saves data to the DB.
I've been having some problems where blank sessions are created after a certain ajax call.
Upon investigating, it seems that there were 2 simultaneous functions calls that fired off that require a session validation. One would fail and the other would be fine.
I was able to fix this by not having them fire off simultaneously. But I still don't understand the REASON why it fails. Does it have to do with one call updating the user cookie and the 2nd call invalidating? Or maybe when reading the DB it dies somehow?
I looked over the Session core class a bit and have not found any clues to the cause.
If any one had the same problem before I would appreciate any advice on how to debug or what the cause is.
Thanks!
EDIT:
I originally said there was a 408 status return. That was an unrelated case.
This is the function that fires off MyVar.refresh() in parallel:
function (event)
{
var self$ = this.a$;
var uid = this.b$.val();
var tid = this.c$.val();
var jqxhr = $.post('/controller1/index',{'uid':uid,'tid':tid,'action':true},function(re)
{
if(re.message != 'success')
{
MyVar.alert('<span class="msg_error sprite"></span>' + re.error);
MyVar.refresh();
}
},'json');
MyVar.refresh();
return stopDefault(event);
};
POSSIBLE SOLUTIONS:
Found this: http://codeigniter.com/forums/viewthread/102456/
Apparently it doesn't play well with ajax. One solution is to disallow session update if it is an ajax call; only problem is that our site is mostly built with ajax..
Also, just lowered the sess_time_to_update to something very frequent and ajax was doing fine. Also did a browser refresh and it did not timeout. Not sure why if the session ID has already changed upon an ajax call and browser cookies were never updated.
Solution 1:
Try this
<?php
/**
* ------------------------------------------------------------------------
* CI Session Class Extension for AJAX calls.
* ------------------------------------------------------------------------
*
* ====- Save as application/libraries/MY_Session.php -====
*/
class MY_Session extends CI_Session {
// --------------------------------------------------------------------
/**
* sess_update()
*
* Do not update an existing session on ajax or xajax calls
*
* @access public
* @return void
*/
public function sess_update()
{
$CI = get_instance();
if ( ! $CI->input->is_ajax_request())
{
parent::sess_update();
}
}
}
// ------------------------------------------------------------------------
/* End of file MY_Session.php */
/* Location: ./application/libraries/MY_Session.php */
The problem is in the sess_update function of the session class, that generates a new session_id after X seconds. Every page have a session_id, if the session_id expires before the ajax call is made, that call will fail.
Create a php file in /application/libraries/ with the name MY_Session (or whatever prefix you set), paste this code there and that is all. This function will override the sess_update function in the session class, checking on every request if that request was made by ajax, skipping the sess_update function.
Its a bad idea set the sess_expiration at higher values. This is a security feature that will protect you against session hijaking
PD: i'm not very fluent in english, if you dont understand something just let me know.
Solution 2:
Until it is merged into the stable branch, the solution (finally!) is to use Areson's commit 245bef5 combined with the database schema:
CREATE TABLE IF NOT EXISTS `ci_sessions` (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(45) DEFAULT '0' NOT NULL,
user_agent varchar(120) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text NOT NULL,
prevent_update int(10) DEFAULT NULL,
PRIMARY KEY (session_id),
KEY `last_activity_idx` (`last_activity`)
);
For more information, read pull 1283 comments top-to-bottom.
Solution 3:
We had this problem, it was due to the sess_time_to_update parameter in config.php. CI use this to update the session ID to a new one. If the change happen in an ajax call, CI sends a new cookie to tell the browser the new session ID. Unfortunatly, browsers seems to ignore this cookie and keep the old session ID.
We fixed it by setting the sess_time_to_update to sess_expiration in the config.
$config['sess_time_to_update'] = $config['sess_expiration'];
Solution 4:
I had this problem too in codeigniter version 2.1.3, when i use the following configuration:
$config['sess_use_database'] = TRUE;
$config['sess_time_to_update'] = 300;
I think it has nothing to do with ajax requests but rather with a bug in codeigniter.
It seems that when you store the session in the database a logout is forced after 300 seconds. After 3 hours of searching and analyzing i found a clear bug in the code and a unclear one as well, i've solved the bug as follows:
Create a new file: MY_Session.php in the application/libraries folder
Add the following code to it:
<?php
// fixed by sirderno 2013
if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class MY_Session extends CI_Session
{
public function __construct()
{
parent::__construct();
}
/**
* Update an existing session
*
* @access public
* @return void
*/
public function sess_update()
{
// We only update the session every five minutes by default
if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
{
return;
}
// Save the old session id so we know which record to
// update in the database if we need it
$old_sessid = $this->userdata['session_id'];
$new_sessid = '';
while (strlen($new_sessid) < 32)
{
$new_sessid .= mt_rand(0, mt_getrandmax());
}
// To make the session ID even more secure we'll combine it with the user's IP
$new_sessid .= $this->CI->input->ip_address();
// Turn it into a hash
$new_sessid = md5(uniqid($new_sessid, TRUE));
// Update the session data in the session data array
$this->userdata['session_id'] = $new_sessid;
$this->userdata['last_activity'] = $this->now;
// _set_cookie() will handle this for us if we aren't using database sessions
// by pushing all userdata to the cookie.
$cookie_data = NULL;
// Update the session ID and last_activity field in the DB if needed
if ($this->sess_use_database === TRUE)
{
// set cookie explicitly to only have our session data
$cookie_data = array();
foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
{
$cookie_data[$val] = $this->userdata[$val];
}
$cookie_data['session_id'] = $new_sessid; // added to solve bug
//added to solve bug
if (!empty($this->userdata['user_data']))
$cookie_data['user_data'] = $this->userdata['user_data'];
$this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));
}
// Write the cookie
$this->_set_cookie($cookie_data);
}
/**
* Write the session cookie
*
* @access public
* @return void
*/
public function _set_cookie($cookie_data = NULL)
{
if (is_null($cookie_data))
{
$cookie_data = $this->userdata;
}
// Serialize the userdata for the cookie
$cookie_data = $this->_serialize($cookie_data);
if ($this->sess_encrypt_cookie == TRUE)
{
$cookie_data = $this->CI->encrypt->encode($cookie_data);
}
else
{
// if encryption is not used, we provide an md5 hash to prevent userside tampering
$cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
}
$_COOKIE[ $this->sess_cookie_name ] = $cookie_data; // added to solve bug
$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();
// Set the cookie
setcookie(
$this->sess_cookie_name,
$cookie_data,
$expire,
$this->cookie_path,
$this->cookie_domain,
$this->cookie_secure
);
}
}
?>
The clear bug is that it didn't store the 'user_data' in the updated cookie. The unclear bug is that it executes the function sess_read() in file Session.php after updating the new session id, i don't know why this happens, because i expected that it executes before updating and not after like it's written in the constructor of Session.php. So the sess_read() function starts reading the old cookie information with the old session id and wants to compare it with session id in the database, but after the session_id update it's not there anymore in the database, so this causes the logout.
This line of code in function sess_read of the Session.php file is responsible for reading the old cookie information:
$session = $this->CI->input->cookie($this->sess_cookie_name);
So in function _set_cookie of MY_Session.php i added this line of code to update the old cookie information of the server with the new one:
$_COOKIE[ $this->sess_cookie_name ] = $cookie_data; // added to solve bug
With this fix the 'sess_time_to_update' in combination with 'sess_use_database' should work fine. This is a plain and simple bug fix.