0 votes

I am facing several issues relating to Sessions in CodeIgniter on a website with login functionality:

  1. Two users have reported today an issue where after sign-in, they are redirected to the home page but they are not signed in. If they refresh the page, they are signed in. In addition, if they click on logout, they are not logged out. If they refresh the page afterwards, they are logged out. This issue hasn't shown up before (the website has been up for nearly a year), and is not showing up on my username/machine.

  2. I have noticed duplicate records (same IP), in the sessions table in the database.

  3. Some users have reported being logged into another person (message at top says Welcome X using another person's name). I have quadruple checked the code for any issue that might actually make a user log into another user's name, but couldn't find any hole.

Any help and tips to resolve these issues would be highly appreciated. Here are my session settings:

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'sessions';
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

I have found these settings work best so far. Below is the login controller function:

public function index()
{
    // if user is already logged in, redirect him to main
    if ($this->users_model->check_if_logged_in())
        redirect(site_url('gmat/' . format_gmat_url()));

    $this->load->library('form_validation');

    $this->form_validation->set_error_delimiters('', '');
    $this->form_validation->set_message('required', 'The credentials you entered are invalid.');
    $this->form_validation->set_rules('signin_email', 'Email', 'trim|required|max_length[100]|xss_clean');
    // the md5 rule hashes the posted password before it reaches the model
    $this->form_validation->set_rules('signin_pswd', 'Password', 'trim|required|max_length[25]|md5|xss_clean');
    $this->form_validation->set_rules('signin_auth', 'Authorization Code', 'trim|required|max_length[100]|xss_clean');

    if ($this->form_validation->run() == FALSE)
    {
        $this->session->set_flashdata('error_msg', 'Invalid login, please try again.');
        redirect(site_url('gmat/' . format_gmat_url() . 'sign_up'));
    }
    else
    {
        // Check if user is valid
        $u_email = $this->input->post('signin_email');
        $u_password = $this->input->post('signin_pswd');
        $u_auth = (format_gmat_url() == 'lev2' && $this->input->post('signin_auth') == 0 ? 'notvalid' : $this->input->post('signin_auth')); // for level 2 sign in

        $login_result = $this->users_model->check_login($u_email, $u_password, 0, $u_auth);

        if ($login_result['success'] == TRUE)
        {
            redirect(site_url('gmat/' . format_gmat_url()));
        }
        else
        {
            $this->session->set_flashdata('error_msg', $login_result['error_msg']);
            redirect(site_url('gmat/' . format_gmat_url() . 'sign_up'));
        }
    }
}

The $u_auth and anything relating to "level 2 sign in" grants logging in users access to another "sub-site". The login page for the main site does not use anything relating to it or to signing in with an authentication code.

The model function check_login:

public function check_login($email, $password, $admin = 0, $auth_code = 0)
{
    $login_result = array('success' => FALSE, 'error_msg' => '');

    $this->load->model('users_model');

    // TRUE only when an authorization code was actually supplied. The loose
    // "$auth_code != 0" test cannot be used for this: in PHP 5/7 a non-numeric
    // string compares equal to 0, so a real code would skip the level-2 filter.
    $has_auth_code = ($auth_code !== 0 && $auth_code !== '0');

    // NB: email and password are concatenated straight into the WHERE clause,
    // with no escaping or parameter binding.
    $user_condition = "u_email = '" . $email . "' AND u_password = '" . $password . "' AND u_authorized = '' AND u_active = 1";
    $user_condition .= ($admin == 1 ? " AND u_admin = 1" : "");
    $user_condition .= ($has_auth_code ? " AND u_access_level2 = 1" : "");
    $user = $this->users_model->get_db_users($user_condition);

    $u_logged_in_level2 = FALSE;

    if(count($user) == 1)
    {
        if ($has_auth_code)
        {
            $this->load->model('settings_model');

            // Signing in on level 2, check for authorization code
            $settings = $this->settings_model->get_db_settings("s_code = 'level_2_authorization'");

            if ($settings[0]['s_value'] != $auth_code)
            {
                $login_result['success'] = FALSE;
                $login_result['error_msg'] = 'Invalid authorization code.';
                return $login_result;
            }
            else
            {
                $u_logged_in_level2 = TRUE;
            }
        }

        $login_result['success'] = TRUE;

        // Drop the pre-login session and start a fresh one with a new id
        $this->session->sess_destroy();
        $this->session->sess_create();

        // Create session data
        $data = array(
            'user_id' => $user[0]['u_id'],
            'user_email' => $email,
            'user_first_name' => $user[0]['u_first_name'],
            'user_family_name' => $user[0]['u_family_name'],
            'user_father_name' => $user[0]['u_father_name'],
            'user_mobile' => $user[0]['u_mobile'],
            'user_admin' => $user[0]['u_admin'],
            'access_level2' => $u_logged_in_level2,
            'logged_in' => TRUE
        );

        $this->session->set_userdata($data);
    }
    else
    {
        $login_result['error_msg'] = 'Invalid login, please try again.';
    }

    return $login_result;
}
1
"Some users have reported being logged into another person" That is very bad! However, looking at your CI settings, the session is bound to the IP and UA. So, for session ID, IP and UA all to be the same for multiple users would be very unlikely. You said this site has been up for nearly a year, did these issues just occur recently, like after a PHP or CI update? – cryptic ツ

Thank you for your comment! The reason I have IP and UA checks set as TRUE is because of this "user logging into another user" issue. Since I set these settings to TRUE I haven't had that issue reported luckily. The issue that has occurred only recently is the 1) in my post. After some debugging, I have found that the issue is showing on iPad all the time, and the user that reported it was using a Mac. So I guess it is a Safari issue. I still haven't been able to solve it however. After logging in, there is no session data, but after refreshing the page the session data is back. – PoloRM

Note however that this issue was not there before even on Mac Safari. There were no changes or updates to the PHP version on the server as far as I know, and I haven't touched the CI folder. – PoloRM
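A hardened version of the question's check_login model function, added here as an example (it is not the asker's code): the user lookup goes through CodeIgniter 2.x's query builder so the email never becomes part of the SQL text, the password is checked against a password_hash() value instead of an unsalted md5 in the WHERE clause, the level-2 code is compared in constant time, and the session id is regenerated after authentication. It assumes PHP 5.6 or newer, a users table named `users` (a hypothetical name) with the columns used in the question, u_password holding password_hash() output, and the md5 rule removed from the controller's signin_pswd validation.

```php
// Added example, not the asker's code. Assumes CI 2.x, PHP >= 5.6, a users table named
// `users` (hypothetical), u_password holding password_hash() output, no md5 form rule.
public function check_login($email, $password, $admin = 0, $auth_code = 0)
{
    $login_result  = array('success' => FALSE, 'error_msg' => 'Invalid login, please try again.');
    $has_auth_code = ($auth_code !== 0 && $auth_code !== '0');

    // Query builder binds the values, so $email never becomes part of the SQL text.
    $this->db->where('u_email', $email)->where('u_authorized', '')->where('u_active', 1);
    if ($admin == 1)    $this->db->where('u_admin', 1);
    if ($has_auth_code) $this->db->where('u_access_level2', 1);
    $query = $this->db->get('users', 2);      // LIMIT 2 so an ambiguous match is detectable

    if ($query->num_rows() !== 1) return $login_result;   // same generic error either way
    $user = $query->row_array();

    // Salted, slow hash check instead of comparing a bare md5 in the WHERE clause.
    if ( ! password_verify($password, $user['u_password'])) return $login_result;

    $u_logged_in_level2 = FALSE;
    if ($has_auth_code)
    {
        $this->load->model('settings_model');
        $settings = $this->settings_model->get_db_settings("s_code = 'level_2_authorization'");
        // hash_equals() keeps the comparison constant-time
        if (empty($settings) || ! hash_equals((string) $settings[0]['s_value'], (string) $auth_code))
        {
            $login_result['error_msg'] = 'Invalid authorization code.';
            return $login_result;
        }
        $u_logged_in_level2 = TRUE;
    }

    // Fresh session id after authentication (fixation defence); store only what
    // identifies the user, the rest can be fetched by user_id when needed.
    $this->session->sess_destroy();
    $this->session->sess_create();
    $this->session->set_userdata(array(
        'user_id'       => $user['u_id'],
        'user_admin'    => $user['u_admin'],
        'access_level2' => $u_logged_in_level2,
        'logged_in'     => TRUE,
    ));

    $login_result['success']   = TRUE;
    $login_result['error_msg'] = '';
    return $login_result;
}
```

Rows that still hold md5 values have to be rehashed with password_hash() (for instance on each user's next successful login) before this version can replace the original.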

1 Answer

1 vote

Real bad shape if users are getting logged in with somebody else's name.

Autoloading the session library will automatically create a session for the user agent whenever somebody hits your website. The point is if somebody explicitly logs into your website the same session should get updated with user data.

I think you are autoloading the session library. Change the name of your session cookie from ci_session to cisession or something else. Remove the underscore; it doesn't go well with IE (wonderful Microsoft). It helps in a lot of cases.

Please share the schema of the session table. Make sure you use varchar(255) for user_agent field. After that I don't think you would have multiple sessions in your database from the same IP and user agent.