I am facing several issues relating to Sessions in CodeIgniter on a website with login functionality:
Two users have reported today an issue where after sign-in, they are redirected to the home page but they are not signed in. If they refresh the page, they are signed in. In addition, if they click on logout, they are not logged out. If they refresh the page afterwards, they are logged out. This issue hasn't shown up before (the website has been up for nearly a year), and is not showing up on my username/machine.
I have noticed duplicate records (same IP), in the sessions table in the database.
Some users have reported being logged into another person (message at top says Welcome X using another person's name). I have quadruple checked the code for any issue that might actually make a user log into another user's name, but couldn't find any hole.
Any help and tips to resolve these issues would be highly appreciated. Here are my session settings:
```php
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'sessions';
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;
```
I have found these settings work best so far. Below is the login controller function:
```php
public function index()
{
    // If the user is already logged in, redirect to the main page.
    if ($this->users_model->check_if_logged_in())
        redirect(site_url('gmat/' . format_gmat_url()));

    $this->load->library('form_validation');
    $this->form_validation->set_error_delimiters('', '');
    $this->form_validation->set_message('required', 'The credentials you entered are invalid.');
    $this->form_validation->set_rules('signin_email', 'Email', 'trim|required|max_length[100]|xss_clean');
    // The 'md5' rule hashes the submitted password before it reaches check_login(),
    // so u_password is compared against an unsalted MD5 digest.
    $this->form_validation->set_rules('signin_pswd', 'Password', 'trim|required|max_length[25]|md5|xss_clean');
    $this->form_validation->set_rules('signin_auth', 'Authorization Code', 'trim|required|max_length[100]|xss_clean');

    if ($this->form_validation->run() == FALSE)
    {
        $this->session->set_flashdata('error_msg', 'Invalid login, please try again.');
        redirect(site_url('gmat/' . format_gmat_url() . 'sign_up'));
    }
    else
    {
        // Check if user is valid
        $u_email    = $this->input->post('signin_email');
        $u_password = $this->input->post('signin_pswd');
        // Level 2 sign-in: a code of 0 on the 'lev2' sub-site is treated as not valid.
        $u_auth = (format_gmat_url() == 'lev2' && $this->input->post('signin_auth') == 0
            ? 'notvalid'
            : $this->input->post('signin_auth'));
        $login_result = $this->users_model->check_login($u_email, $u_password, 0, $u_auth);

        if ($login_result['success'] == TRUE)
        {
            redirect(site_url('gmat/' . format_gmat_url()));
        }
        else
        {
            $this->session->set_flashdata('error_msg', $login_result['error_msg']);
            redirect(site_url('gmat/' . format_gmat_url() . 'sign_up'));
        }
    }
}
```
The $u_auth and anything relating to "level 2 sign in" grants logging in users access to another "sub-site". The login page for the main site does not use anything relating to it or to signing in with an authentication code.
The model function check_login:
```php
public function check_login($email, $password, $admin = 0, $auth_code = 0)
{
    $login_result = array('success' => FALSE, 'error_msg' => '');
    $this->load->model('users_model');

    // Values are escaped with $this->db->escape() (which adds the surrounding quotes)
    // instead of being concatenated raw into the WHERE clause. $password arrives
    // already md5'd from the form_validation rule in the controller.
    $user_condition = "u_email = " . $this->db->escape($email)
        . " AND u_password = " . $this->db->escape($password)
        . " AND u_authorized = '' AND u_active = 1";
    // An authorization code was supplied only if it is neither int 0 nor the string '0'
    // (the original "!= 0 || != '0'" test was always true, so the code was checked even
    // for logins that never sent one).
    $has_auth_code = ($auth_code !== 0 && $auth_code !== '0');
    $user_condition .= ($admin == 1 ? " AND u_admin = 1" : "");
    $user_condition .= ($has_auth_code ? " AND u_access_level2 = 1" : "");
    $user = $this->users_model->get_db_users($user_condition);

    $u_logged_in_level2 = FALSE;
    if (count($user) == 1)
    {
        if ($has_auth_code)
        {
            $this->load->model('settings_model');
            // Signing in on level 2: compare against the stored authorization code.
            $settings = $this->settings_model->get_db_settings("s_code = 'level_2_authorization'");
            if ($settings[0]['s_value'] != $auth_code)
            {
                $login_result['success']   = FALSE;
                $login_result['error_msg'] = 'Invalid authorization code.';
                return $login_result;
            }
            else
            {
                $u_logged_in_level2 = TRUE;
            }
        }
        $login_result['success'] = TRUE;

        // Drop the pre-login session (cookie + DB row) and start a fresh one
        // before writing user data into it.
        $this->session->sess_destroy();
        $this->session->sess_create();

        // Create session data
        $data = array(
            'user_id'          => $user[0]['u_id'],
            'user_email'       => $email,
            'user_first_name'  => $user[0]['u_first_name'],
            'user_family_name' => $user[0]['u_family_name'],
            'user_father_name' => $user[0]['u_father_name'],
            'user_mobile'      => $user[0]['u_mobile'],
            'user_admin'       => $user[0]['u_admin'],
            'access_level2'    => $u_logged_in_level2,
            'logged_in'        => TRUE
        );
        $this->session->set_userdata($data);
    }
    else
    {
        $login_result['error_msg'] = 'Invalid login, please try again.';
    }
    return $login_result;
}
```
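As an added example (not the poster's code and not part of CodeIgniter itself), here is how the same check_login() can be written on CodeIgniter 2.x Active Record so that no user-supplied value is ever concatenated into SQL, the password is verified against a salted hash, the shared authorization code is compared in constant time, and the session id is rotated only after the credentials have been accepted. Assumptions that are not on the original page: the users table is named `users`, `u_password` holds a `password_hash()` digest (so the controller's `md5` validation rule would be dropped and registration would store `password_hash($pswd, PASSWORD_DEFAULT)`), and PHP 5.6 or later is available for `hash_equals()`. Column names (`u_email`, `u_id`, `u_admin`, `u_access_level2`, `u_authorized`, `u_active`) and the `settings_model->get_db_settings()` call are the ones shown in the question.

```php
<?php
// Added example, not the poster's code. Assumes a `users` table, password_hash()
// digests in u_password, and PHP >= 5.6 (hash_equals). CodeIgniter 2.x model.
class Users_model extends CI_Model
{
    public function check_login($email, $password, $admin = 0, $auth_code = null)
    {
        $login_result = array('success' => FALSE, 'error_msg' => '');

        // Active Record escapes every bound value, so the WHERE clause is never
        // built from raw strings.
        $this->db->where('u_email', $email);
        $this->db->where('u_authorized', '');
        $this->db->where('u_active', 1);
        if ($admin == 1) {
            $this->db->where('u_admin', 1);
        }
        // A level-2 login is requested only when a real code was posted.
        $wants_level2 = ($auth_code !== null && $auth_code !== '' && $auth_code !== '0' && $auth_code !== 0);
        if ($wants_level2) {
            $this->db->where('u_access_level2', 1);
        }
        $query = $this->db->get('users');

        // Same error text for "no such user" and "wrong password" so the response
        // does not reveal which part failed.
        if ($query->num_rows() !== 1) {
            $login_result['error_msg'] = 'Invalid login, please try again.';
            return $login_result;
        }
        $user = $query->row_array();
        if (!password_verify($password, $user['u_password'])) {
            $login_result['error_msg'] = 'Invalid login, please try again.';
            return $login_result;
        }

        $logged_in_level2 = FALSE;
        if ($wants_level2) {
            $this->load->model('settings_model');
            $settings = $this->settings_model->get_db_settings("s_code = 'level_2_authorization'");
            $expected = isset($settings[0]['s_value']) ? (string) $settings[0]['s_value'] : '';
            // Constant-time comparison; an empty stored code never matches.
            if ($expected === '' || !hash_equals($expected, (string) $auth_code)) {
                $login_result['error_msg'] = 'Invalid authorization code.';
                return $login_result;
            }
            $logged_in_level2 = TRUE;
        }

        // Rotate the session id at the privilege change (login) so an id issued
        // before authentication cannot be carried into the authenticated session.
        // CI 2.x has no sess_regenerate(), hence destroy followed by create.
        $this->session->sess_destroy();
        $this->session->sess_create();
        $this->session->set_userdata(array(
            'user_id'       => $user['u_id'],
            'user_email'    => $user['u_email'],
            'user_admin'    => $user['u_admin'],
            'access_level2' => $logged_in_level2,
            'logged_in'     => TRUE,
        ));

        $login_result['success'] = TRUE;
        return $login_result;
    }
}
```

Only the identity fields the application needs on every request (`user_id`, `user_email`, `user_admin`, `access_level2`, `logged_in`) are written into the session; names and phone numbers can be fetched by `user_id` when a page needs them, which keeps the serialized `user_data` column in the `sessions` table small and means a stale or mixed-up session row exposes less.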