I have a CodeIgniter application where the session is set when a user logs in and the user is then shown the dashboard, with code somewhat like the one below:

```php
public function checkLogin()
{
    $username = $this->input->post("username");
    $password = $this->input->post("password");

    // Returns the user id on a valid username/password pair, FALSE otherwise
    $userId = $this->ModelLogin->checkLogin($username, $password);

    if ($userId) {
        $session_data = array(
            'is_logged_in' => true,
            'userId'       => $userId,
        );
        // Store the authenticated state in the session and go to the dashboard
        $this->session->set_userdata($session_data);
        redirect("/user/dashboard");
    } else {
        $this->session->set_flashdata('login_error', "Incorrect username/password");
    }
}
```
Now I have to fix a Session Fixation issue by regenerating the session ID before authenticating the user. When I include the `session_regenerate_id()` call, or even the CodeIgniter-specific `$this->session->sess_regenerate()` call, it works within this function, but as soon as the request is redirected to `/user/dashboard` the session data is blank.

I am adding the regenerate line just before `$this->session->set_userdata($session_data);`. The above code works perfectly without the regenerate.

Additionally, I am using the database session driver. When I switch to the files driver, even the regenerate logic works perfectly. I feel it is just something with the database driver that is causing this issue.
I fixed this after days of trial and error.

This was present in CodeIgniter 3.0.x, and specifically on PHP 7.x (which was what my application was running on).

After an extensive search, I stumbled upon a CodeIgniter changelog that mentioned a regression bug fix in some later 3.0.x versions of CodeIgniter, and that's when I started scanning through the changes in the CodeIgniter session library and the database driver, where I found this snippet:
```php
// PHP7 will reuse the same SessionHandler object after
// ID regeneration, so we need to explicitly set this to
// FALSE instead of relying on the default ...
$this->_row_exists = FALSE;
```

As soon as I brought this one-line change into my existing CodeIgniter system, the problem was solved instantly!
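For reference, here is how the login action from the question looks once the session ID is regenerated before the authenticated state is stored, which is the mitigation for session fixation both posts are working towards. This is an added example, not code from the question, the answer, or the CodeIgniter project; it assumes the question's `ModelLogin->checkLogin()` returning a user id or `FALSE`, a CodeIgniter 3 release that already contains the database-driver fix the answer quotes, and a hypothetical `/user/login` route for the failure path.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not the original post's code): a CodeIgniter 3 login
// action that regenerates the session ID *before* binding the authenticated
// identity to the session, so an ID an attacker planted in the victim's
// browser before login never becomes an authenticated session.
// Assumes ModelLogin->checkLogin($username, $password) returns a user id
// or FALSE, and a CodeIgniter 3.0.x build whose database session driver
// resets _row_exists after ID regeneration (the fix the answer describes).
class Auth extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->model('ModelLogin');
    }

    public function checkLogin()
    {
        $username = $this->input->post('username');
        $password = $this->input->post('password');

        $userId = $this->ModelLogin->checkLogin($username, $password);

        if ( ! $userId)
        {
            // Failed login: no session data is touched, only a flash message.
            $this->session->set_flashdata('login_error', 'Incorrect username/password');
            redirect('/user/login'); // hypothetical route, not from the question
            return;
        }

        // Issue a fresh session ID. TRUE destroys the old server-side session
        // record, so the pre-login ID stops resolving to anything. $_SESSION
        // contents survive regeneration, so anything set afterwards is written
        // under the new ID only.
        $this->session->sess_regenerate(TRUE);

        // Bind the authenticated identity to the new ID only now.
        $this->session->set_userdata(array(
            'is_logged_in' => TRUE,
            'userId'       => $userId,
        ));

        redirect('/user/dashboard');
    }

    public function logout()
    {
        // Destroy the whole session on logout rather than unsetting single keys,
        // so the authenticated ID cannot be reused after the user leaves.
        $this->session->sess_destroy();
        redirect('/user/login'); // hypothetical route, not from the question
    }
}
```

The ordering is the whole point: regenerate first, then `set_userdata()`. If the order is reversed the authenticated data is first written under the attacker-known ID, and on the affected 3.0.x database driver the subsequent regeneration was exactly the step that lost the data, which is the symptom the question describes.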