CI 2.0.3 session heisenbug: session is lost after

2019-09-18 13:30发布

I can't seem to make any progress with this one. My CI session settings are these:

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 0;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;
$config['sess_time_to_update']  = 7200;
$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;

The session library is loaded on autoload. I've commented the sess_update function to prevent an AJAX bug that I've found about reading the CI forum.

The ci_sessions table in the database has collation utf8_general_ci (there was a bug that lost the session after every redirect() call and it was linked to the fact that the collation was latin1_swedish_ci by default).

It always breaks after a user of my admin section tries to add a long article and clicks the save button. The save action looks like this:

function save($id = 0){
    if($this->my_model->save_article($id)){
        $this->session->set_flashdata('message', 'success!');
        redirect('admin/article_listing');
    }else{
        $this->session->set_flashdata('message', 'errors encountered');
        redirect('admin/article_add');
    }
}

If you spend more than 20minutes and click save, the article will be added but on redirect the user will be logged out.

I've also enabled logging and sometimes when the error occurs i get the message The session cookie data did not match what was expected. This could be a possible hacking attempt. but only half of the time. The other half I get nothing: a message that I've placed at the end of the Session constructor is displayed and nothing else. In all the cases if I look at the cookie stored in my browser, after the error the cookie's first part doesn't match the hash.

Also, although I know Codeigniter doesn't use native sessions, I've set session.gc_maxlifetime to 86400.

Another thing to mention is that I'm unable to reproduce the error on my computer but on all the other computers I've tested this bug appears by the same pattern as mentioned above.

If you have any ideas on what to do next, I'd greatly appreciate them. Changing to a new version or using a native session class (the old one was for CI 1.7, will it still work?) are also options I'm willing to consider.

Edit : I've run a diff between the Session class in CI 2.0.3 and the latest CI Session class and they're the same.

1条回答
成全新的幸福
2楼-- · 2019-09-18 14:12

Here's how I solved it: the standards say that a browser shouldn't allow redirects after a POST request. CI's redirect() method is sending a 302 redirect by default. The logical way would be to send a 307 redirect, which solved my problem but has the caveat of showing a confirm dialog about the redirect. Other options are a 301 (meaning moved permanently) redirect or, the solution I've chosen, a javascript redirect.

查看更多
登录 后发表回答