This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Session logout problems

May 13, 2009 6:42pm

  • #1 / May 13, 2009 6:42pm

    Stu Green

    84 posts

    Hiya,

    Having problems with the session cookies. I’m getting logged out when just browsing around my sites when logged in. Sometimes (quite rightly) it times out after inactivity. But other times it just logs me out randomly.

    This is for a CMS so it needs to allow page inactivity for 20 mins or so (in case they are writing a long page), but then it automatically updates the page every 30 seconds anyway, so there is always activity, but I want the session to stay logged in for 20 minutes before expiring.

    I need the optimum, secure configuration for the session cookies - what do people recommend?

    current set up is the following:

    $config['sess_cookie_name']        = 'my_session';
    $config['sess_expiration']        = 1800;
    $config['sess_encrypt_cookie']    = TRUE;
    $config['sess_use_database']    = TRUE;
    $config['sess_table_name']        = 'ci_sessions';
    $config['sess_match_ip']        = FALSE;
    $config['sess_match_useragent']    = TRUE;
    $config['sess_time_to_update']     = 600;

    Please advise.
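
How the two timers in the configuration from post #1 interact, as an added example that is not part of the original post and is not CodeIgniter's own code. It assumes the CodeIgniter 1.7-era Session library semantics stated in the comments; `simulate()` and the request timelines are constructed for illustration.

```php
<?php
// Added model, not CodeIgniter's Session class. Assumed semantics:
//   read:   session is destroyed if last_activity + sess_expiration < now
//   update: skipped unless last_activity + sess_time_to_update < now;
//           otherwise a new session id is issued and last_activity = now

function simulate(array $requestTimes, int $expiration, int $timeToUpdate): array
{
    $lastActivity = 0;   // login at t = 0 seconds
    $rotations = 0;
    foreach ($requestTimes as $now) {
        if ($lastActivity + $expiration < $now) {
            return ['alive' => false, 'at' => $now, 'rotations' => $rotations,
                    'last_activity' => $lastActivity];
        }
        if ($lastActivity + $timeToUpdate < $now) {
            $lastActivity = $now;   // the timestamp only moves here
            $rotations++;           // cookie now carries a new session id
        }
    }
    return ['alive' => true, 'at' => end($requestTimes), 'rotations' => $rotations,
            'last_activity' => $lastActivity];
}

$expiration = 1800;    // sess_expiration from post #1
$timeToUpdate = 600;   // sess_time_to_update from post #1

// Constructed timelines (seconds since login).
$timelines = [
    'autosave every 30 s for an hour' => range(30, 3600, 30),
    'last click at 570, back at 1810' => array_merge(range(30, 570, 30), [1810]),
    'last click at 630, back at 1870' => array_merge(range(30, 630, 30), [1870]),
];

foreach ($timelines as $label => $times) {
    $r = simulate($times, $expiration, $timeToUpdate);
    printf("%-34s alive=%-3s t=%-5d rotations=%d last_activity=%d\n",
        $label, $r['alive'] ? 'yes' : 'no', $r['at'], $r['rotations'], $r['last_activity']);
}
```

Both idle gaps are 1240 seconds; the outcome differs because `last_activity` is refreshed only once per `sess_time_to_update`, so the effective idle window lies between `sess_expiration - sess_time_to_update` and `sess_expiration`.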

  • #2 / May 13, 2009 7:22pm

    Dam1an

    2385 posts

    Are you storing a lot of session data when you get logged out? Remember there is a 4K limit, and they’re encrypted, so you have a lot less than you think

    Do you lose the entire userdata or just the logged_in flag?

  • #3 / May 13, 2009 10:07pm

    Thorpe Obazee

    1138 posts

    Are you storing a lot of session data when you get logged out? Remember there is a 4K limit, and they’re encrypted, so you have a lot less than you think

    Do you lose the entire userdata or just the logged_in flag?

    If it is like what Dam1an says, then you could probably use database sessions.

  • #4 / May 13, 2009 10:31pm

    Stu Green

    84 posts

    Hey not sure what I’m losing to be honest, I’ll have to try and find that out.

    Storing is not a problem as the row is only about 1kb.

    I am using DB sessions already.

  • #5 / May 13, 2009 10:41pm

    Thorpe Obazee

    1138 posts

    Ha. Yeah, didn’t see that. That happens when you don’t actually read everything in the first post 😊

    Could it be a browser problem?

  • #6 / May 14, 2009 4:42am

    Dam1an

    2385 posts

    Hey not sure what I’m losing to be honest, I’ll have to try and find that out.

    To view your session data, stick the attached profiler in your libs directory and enable the profiler

    $this->output->enable_profiler(true);

    This makes it so much easier to keep track of what session data you have set when
    (I can’t take credit for creating this, but I can’t remember who did)

  • #7 / May 14, 2009 4:49am

    Thorpe Obazee

    1138 posts

    Hmm… nice one, Dam1an. This extension is quite helpful.

  • #8 / May 14, 2009 2:27pm

    Stu Green

    84 posts

    Hey all thanks.

    Please can someone just post the optimum settings for a secure, but quite lengthy session login.

    It’s for a CMS so it has to be secure but not keep logging me out every 5 minutes of inactivity. Also there are lots of AJAX calls that happen.

    Thanks

  • #9 / May 15, 2009 9:21am

    che_anj

    3 posts

    Hi, I’m also having trouble with my logout. It does not totally destroy the session, because I did try to paste the URL and it seems I can get in without entering my username and password.
    Here’s my code:

    function logout()
    {
        $this->session->sess_destroy();
        redirect('login/index');
    }

    Any ideas? Thanks

  • #10 / May 15, 2009 9:23am

    Michael Wales

    2070 posts

    What’s your login code look like? Settings in config.php for sessions and cookies?

  • #11 / May 15, 2009 9:31am

    che_anj

    3 posts

    Here’s my login:

    function process_login()
    {
        $username = $this->input->post('username');
        $password = $this->input->post('password');

        $this->load->model('Auth', '', TRUE);
        $data['query'] = $this->Auth->CheckAuth();
        if ($data['query']->num_rows() > 0)
        {
            $row = $data['query']->row();
            $data = array(
                'username'  => $row->username,
                'logged_in' => TRUE
            );
            $data['acl'] = $row->acl;
            $this->session->set_userdata($data);
            redirect('main/index');
        }
        else
        {
            $this->session->set_flashdata('message', '<div id="message">It seems your username or password is incorrect, please try again.</div>');
            redirect('login/index');
        }
    }

    config.php for session settings

    $config['sess_cookie_name']        = 'ci_session';
    $config['sess_expiration']        = 7200;
    $config['sess_encrypt_cookie']    = FALSE;
    $config['sess_use_database']    = FALSE;
    $config['sess_table_name']        = 'ci_sessions';
    $config['sess_match_ip']        = FALSE;
    $config['sess_match_useragent']    = TRUE;
    $config['sess_time_to_update']         = 300;

    Thanks in Advance

  • #12 / May 15, 2009 10:54am

    Michael Wales

    2070 posts

    Well, we’d have to see what Auth->CheckAuth() is returning.

    2 ways to attack this:
    1) The easiest, load up Firebug and watch the sessions tab. Login, then logout and watch for the change in session state.
    2) Login, edit your process_login() method to add a print_r($data['query']) statement, logout and you should go back to the process_login(). If it does, in fact, log you back in you will be able to see what was returned in $data['query'] and debug from there.

  • #13 / May 15, 2009 10:59am

    Dam1an

    2385 posts

    1) The easiest, load up Firebug and watch the sessions tab. Login, then logout and watch for the change in session state.

    What? Since when did Firebug get a session tab, I installed the latest version last week and don’t have that
    Also, as the sessions in CI are encrypted cookies, would it still work?

  • #14 / May 15, 2009 11:00am

    che_anj

    3 posts

    Auth->CheckAuth() returns the value of username from the database record

  • #15 / May 15, 2009 11:34am

    Michael Wales

    2070 posts

    What? Since when did Firebug get a session tab, I installed the latest version last week and don’t have that
    Also, as the sessions in CI are encrypted cookies, would it still work?

    Sorry, I meant the Cookies tab. Encrypted cookies are an option that he has turned off (and of course, you would turn off if you needed to debug something like this). Personally, I leave encryption off until I go production - since it’s just a flick of a boolean, nothing else needs to change in your code.
