php - CodeIgniter 2.2-Stable Session Keeps On Expiring -
This has been a common issue over the last 2-3 years, it appears, and the fixes I've been able to wrestle with don't seem to work. Using CI 2.2-stable (pulled as of Oct 29/2014), has anyone been able to prevent the session from expiring frequently?
This is how I'm setting and checking the session:
Login

    // User session data
    $user_session = array(
        'user'       => $user,
        'start_time' => $_SERVER['REQUEST_TIME']
    );

    // Create the user session
    $this->session->set_userdata( $user_session );

MY_Controller, inherited by the controllers, which are redirected if the session is not found:

    function __construct()
    {
        parent::__construct();

        // Perform a base check to make sure the user is authenticated
        if( !$this->session->userdata( 'user' ) )
        {
            // If not logged in, return server response 403, allowing a redirect
            // on the client side using an AngularJS interceptor
            show_error('no valid authenticated session', 403);
        }
    } // end function __construct

So I'm checking for the existence of session data, and not using session_id directly. Through stubbing the Session.php library, it seems to enter sess_read() at line 135, and has no issues until it checks the num_rows() returned by the query of the database on line 235, and then it destroys the session.
Update 1
It appears to be a similar issue, and is summed up here, but it still doesn't seem to solve the issue mentioned here, which mentions changing the core. The solution doesn't work for single page applications, since the session will expire with server requests being AJAX.
Update 2
I added a temporary solution below in case anyone has suggestions or critiques, but the same issue still occurs, just less often. This makes sense, since the outgoing request marked to update the session updates the cookie, but I may have simultaneous requests being sent alongside it that don't have the right cookie, since it updates prior to them getting processed. It appears to have reduced the frequency by a small bit. The frequency could be further reduced, possibly by setting a heartbeat keep-alive request as the request that updates the session, but that still wouldn't fix the issue from occurring.
Temporary solution
Using the fix suggested in the update, and leveraging AngularJS, which I'm running client-side, I ended up adding an interceptor that contains a $timeout, which attaches a custom header on a request every 1 hour to update the session, and added a check for the header to the suggested fix for non-SPAs, and it seems to work.
Fix client-side

    .factory('keepalive', ['$q', '$injector', '$timeout', function( $q, $injector, $timeout ) {
        var ticking = false;
        var service = {
            request: function( config ) {
                if( ticking === false ) {
                    // Set ticking to block further keep-alive headers
                    ticking = true;
                    // Set a timeout to unblock the keep-alive on expiry
                    $timeout( function() {
                        ticking = false;
                    }, 6300000 ); // 105 minute time out
                    // Add the keep-alive header to the outgoing request
                    // without discarding the headers already set on it
                    config.headers = config.headers || {};
                    config.headers['codeigniter'] = 'keep-alive';
                }
                return config;
            }
        };
        return service;
    }])

Fix on server-side

    function sess_update()
    {
        // Check for an AJAX request and the keep-alive header before updating the session
        if( !$this->CI->input->is_ajax_request() && isset(apache_request_headers()['codeigniter']) )
        {
            return parent::sess_update();
        }
    }

I am using CI 2.2 and sessions are working perfectly, though I had difficulties regarding session expiration too:
The one important consideration is that CI regenerates the session_id to prevent session fixation attacks. Do not use session_id directly in your app; consider it internally used by CI. Generate your own ID (this can be the first generated session_id) and store it in the session user data. Session data remains as long as the session has not expired.

    // userdata() returns FALSE when the key is not set; isset() cannot wrap a method call
    if (!$this->session->userdata('sid'))
        $this->session->set_userdata('sid', $this->session->userdata('session_id'));

There are 2 settings regarding expiration of sessions:
sess_expiration: expiration of the whole session
sess_time_to_update: expiration and regeneration of session_id
If you are storing sessions in the database, the session_id is updated there too.
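
The race described in Update 2 of the question, together with the ID regeneration described in the answer, as an added example (not code from either post or from CodeIgniter): a small model in which requests already in flight carry the old cookie while one of them triggers regeneration. The class and function names and the 300-second interval are assumptions made for the illustration.

```php
<?php
// Constructed model of a database-backed session store that regenerates the
// session ID. Not CodeIgniter's Session.php; all names here are hypothetical.
class SessionStoreModel
{
    private $rows = array();   // session_id => last_activity timestamp
    private $timeToUpdate;     // plays the role of sess_time_to_update
    private $counter = 0;

    public function __construct($timeToUpdate)
    {
        $this->timeToUpdate = $timeToUpdate;
    }

    public function create($now)
    {
        $id = 'sid-' . (++$this->counter);   // placeholder; real IDs are random
        $this->rows[$id] = $now;
        return $id;
    }

    // One request carrying $cookieId; returns the HTTP status the app would send.
    public function handle($cookieId, $now, $mayUpdate)
    {
        if (!isset($this->rows[$cookieId])) {
            return 403;                      // no matching row: session is gone
        }
        if ($mayUpdate && $now - $this->rows[$cookieId] >= $this->timeToUpdate) {
            unset($this->rows[$cookieId]);   // old ID stops resolving at once
            $this->create($now);             // new ID would go back in Set-Cookie
        }
        return 200;
    }
}

// Requests already in flight all carry the same (old) cookie value.
function burst($timeToUpdate, array $mayUpdateFlags)
{
    $store = new SessionStoreModel($timeToUpdate);
    $cookie = $store->create(0);
    $statuses = array();
    foreach ($mayUpdateFlags as $flag) {
        $statuses[] = $store->handle($cookie, $timeToUpdate + 1, $flag);
    }
    return implode(',', $statuses);
}

echo "every request may update:   ", burst(300, array(true, true)), "\n";
echo "updates gated, no header:   ", burst(300, array(false, false)), "\n";
echo "keep-alive sent in a burst: ", burst(300, array(true, false)), "\n";
```

The third case is the residual failure the question reports: gating updates behind the keep-alive header narrows the window, but any request sent alongside the keep-alive request still arrives with an ID that no longer resolves.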