stackoom
  简体   繁体   中英

Session getting lost on regenerating session id in codeigniter

 原文  2019-03-22 11:57:16       php/ codeigniter

Question

I have a codeigniter application where the session is set when a user logs in and is shown the user dashboard with somewhat like the code below: 

public function checkLogin()
{
    $username = $this->input->post("username");
    $password = $this->input->post("password");

    $userId = $this->ModelLogin->checkLogin($username, $password);

    if ($userId) {
        $session_data = array(
            'is_logged_in' => true,
            'userId' => $userId,
        );

        $this->session->set_userdata($session_data);
        redirect("/user/dashboard");
    } else {
        $this->session->set_flashdata('login_error', "Incorrect username/password");
    }
}

Now I am to fix a Session Fixation issue by regenerating the Session ID before authenticating the user. When I include the session_regenerate_id() or even the codeigniter specific $this->session->sess_regenerate() function, it works within this function but as soon as it is redirected to the /user/dashboard the session data gets blank.

I am adding the regenerate line just before the $this->session->set_userdata($session_data); . The above code works perfectly without the regenerate.

Additionally, I am using the database session driver. When I switch to the files driver, even the regenerate logic works perfectly. It's just something with the database driver (I feel) is causing this issue.

1 answers

solution1
 0  2019-04-06 11:44:04

I fixed this after days of trial and error.

This was present in Codeigniter 3.0.x that too on PHP 7.x (which was what my application was running on)

After extensive search, I stumbled upon a Codeigniter changelog that mentioned a regression bug fix in some later versions (3.0.x) of Codeigniter and that's when I started scanning through the changes in the Codeigniter session library and the database driver where I found this snippet: 

// PHP7 will reuse the same SessionHandler object after
// ID regeneration, so we need to explicitly set this to
// FALSE instead of relying on the default ...
    $this->_row_exists = FALSE;

Just when I brought this only line change into my existing codeigniter system, the problem was solved instantly!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Working with regenerating session id in PHP/CodeIgniter regenerating session id Properly regenerating session ID's can not understand regenerating session id CodeIgniter 3 session lost on regenerate session id with Memcached driver only Regenerating Session / Destroying Session PHP Regenerating session ID on login / out not working Codeigniter userdata lost after session id refresh [CodeIgniter 3.0] Laravel login without regenerating session id Is regenerating the session ID after successful login sufficient to prevent session fixation?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM