Just wanted to give back to the community on an issue that’s driven me crazy for weeks. Hopefully I can save someone else a headache.

If you’re loading resources dynamically on a page (images, ajax requests, etc.), be careful about passing them in through CI’s sessions.  If it happens to trigger the sess_update function in the request (based on the config “sess_time_to_update” value), any subsequent requests could be passing in the wrong cookie information and will subsequently destroy any reference to the newly updated session.

Here was my situation:
- Profile pictures ran through CI to grab the image path from a database (I know, I know—this isn’t the most optimized solution… I’m working on that)
- Session library was autoloaded (and sessions were stored in database)
- If there were multiple profile pictures on the page (which there usually are for any sort of people list…), it opened up this particular vulnerability

For example, if there were 40 profile pictures on a page, the browser won’t load them all at once due to browser simultaneous request limits (FireFox defaults to 6 or so, if I remember correctly…).

If the time_to_update (for me, 5 minutes) had passed on one of the first pictures, the browser was still passing in the old ci_session cookie for the remaining pictures.  This cookie had the old session_id stored with it, which was no longer to be found in the database.  This triggered a sess_destroy call, and the user was randomly logged out of the site (as I also store the login information in the session).

My solution to this was to stop autoloading the session class in the profile picture loads. I tried that, but found two other potential vulerabilities:
1) Refreshing the page before the browser had set the new cookie (rare, but I hate the open door…)
2) Multiple simultaneous AJAX calls (particularly within less than a second) could return in unpredictable orders, and yup—you guessed it—same problem

I ended up disabling the session_id updates, as I’m not developing a banking site, and encrypted cookies are plenty security for my needs.

So, if CI is randomly dropping the session, you might be running into the same issue.

Thanks,
Landon Springer

EDITED: 10-05-2010
Forgot the define…

InsiteFX

That’s very similar to what I’m experiencing, but I’m not using AJAX. If you (or anyone here) has a moment to look at my thread, I would be most grateful.

View Thread Here

I am in a state of panic here, so any assistance you may be able to provide would be fantastic.

InsiteFX - 04 November 2010 12:23 AM

// place at the bottom of application/config/constants.php
// Define Ajax Request
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');

// save as application/libraries/MY_Session
class MY_Session extends CI_Session {
   /*
    * Do not update an existing session on ajax calls
    *
    * @access    public
    * @return    void
    */
    public function sess_update()
    {
        if ( ! IS_AJAX)
        {
            parent::sess_update();
        }
    }

    function sess_destroy()
    {
        parent::sess_destroy();

        $this->userdata = array();
    }
} 

EDITED: 10-05-2010
Forgot the define…

InsiteFX

Subscribed just to thank you, just what I needed !