Just wanted to give back to the community on an issue that’s driven me crazy for weeks. Hopefully I can save someone else a headache.
If you’re loading resources dynamically on a page (images, ajax requests, etc.), be careful about passing them in through CI’s sessions. If it happens to trigger the sess_update function in the request (based on the config “sess_time_to_update” value), any subsequent requests could be passing in the wrong cookie information and will subsequently destroy any reference to the newly updated session.
Here was my situation:
- Profile pictures ran through CI to grab the image path from a database (I know, I know—this isn’t the most optimized solution… I’m working on that)
- Session library was autoloaded (and sessions were stored in database)
- If there were multiple profile pictures on the page (which there usually are for any sort of people list…), it opened up this particular vulnerability
For example, if there were 40 profile pictures on a page, the browser won’t load them all at once due to browser simultaneous request limits (FireFox defaults to 6 or so, if I remember correctly…).
If the time_to_update (for me, 5 minutes) had passed on one of the first pictures, the browser was still passing in the old ci_session cookie for the remaining pictures. This cookie had the old session_id stored with it, which was no longer to be found in the database. This triggered a sess_destroy call, and the user was randomly logged out of the site (as I also store the login information in the session).
My solution to this was to stop autoloading the session class in the profile picture loads. I tried that, but found two other potential vulerabilities:
1) Refreshing the page before the browser had set the new cookie (rare, but I hate the open door…)
2) Multiple simultaneous AJAX calls (particularly within less than a second) could return in unpredictable orders, and yup—you guessed it—same problem
I ended up disabling the session_id updates, as I’m not developing a banking site, and encrypted cookies are plenty security for my needs.
So, if CI is randomly dropping the session, you might be running into the same issue.