Native_session not working correctly
Posted: 27 June 2007 07:22 AM
Joined: 2006-09-27
4 posts

hi

i’m getting crazy with this session library:

http://codeigniter.com/wiki/Native_session/

it is working, but sometimes when a user is inactive for some minutes and he refreshes the page, he appears to be logged in as another user.
i’m using email addresses as usernames, and when this problem occurs the new username is truncated near the end

i’ll try to explain it better:

> user logged in as .(JavaScript must be enabled to view this email address)
> user gets inactive
> user is active again, but now logged in as someoneelse@mail

here is my session library: CLICK

first i was using CI 1.5.1 with UserAuth from this thread: http://ellislab.com/forums/viewthread/45880/
after the problem occurred i tried to use native_session from the wiki
i renamed CI_Session to CI_Native_session, to stay compatible with the rest of the code, because i use native_session->flashdata a lot

config.php

$config['sess_expiration'] = 7200;

login validation on every page:

if (!$this->userauth->check('',TRUE) || !$this->userauth->loggedin()) redirect('users/login'); 

admin area:

$this->userauth->set_allow('@admin');
if (!$this->userauth->check('', TRUE)) {
    redirect();
}

i’ve just had users who were logged in as admin after this bug occurred, and i don’t know where the problem could be :(

please, help me!

 
Posted: 27 June 2007 08:48 AM   [ # 1 ]
Joined: 2007-03-02
11 posts

Is he logged OUT or logged in as another user? There have been some issues with saving data in specific cases, because of the ‘session_write_close()’ at the end of the session run, but I’ve never heard of it using another session suddenly - it seems to be an issue with your design, not the library.

 Signature 

- Dragon Silhouette - Rebecca Kemp
- Conceptivator.com
- Hamachidota.com

 
Posted: 27 June 2007 09:42 AM   [ # 2 ]
Joined: 2006-09-27
4 posts

at once he is logged in as another user, and can act as that user with that user’s permissions
what could be wrong with my design? the only thing i do with the session is logging in, and checking the login state as posted above %(

 
Posted: 28 June 2007 01:46 PM   [ # 3 ]
Joined: 2006-09-27
4 posts

omg, i found some mistakes in my web app:
first of all, the username database field of the remember_me lib was limited to 16 characters, that’s because usernames (in my case the email addresses) were truncated when they were idle!

and in the userauth lib, line 176

// Expire an inactive login
if ( $this->obj->native_session->userdata('loggedin') ) {
    // 'login_expiration' is the config key the library reads here
    $expire_time = time() - $this->obj->config->item('login_expiration');
    if ( $this->obj->native_session->userdata('last_activity') <= $expire_time ) {
        log_message('debug', "Userauth: check: inactive login, expired");
        $this->logout();
    }
}

the config value “login_expiration” was not defined in the config (it also doesn’t exist in the original userauth package)
i changed it to session_expiration

i also switched over to db_session

i hope that this all solves the problem :)

 
Posted: 02 July 2007 10:38 AM   [ # 4 ]
Joined: 2006-09-27
4 posts

the problem still exists, users get sessions of other users (different ips/browsers, ip/browser check enabled in db_session class)

same problem as reported in this post: http://ellislab.com/forums/viewthread/45880/P270/#224590

 
Posted: 02 July 2007 10:47 AM   [ # 5 ]
Joined: 2006-07-23
148 posts

i think i had something silly in my database like a user without email or username, so first time visitors without a cookie ended up logged in as that user

 Signature 

running man webdevelopment
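
The two data problems reported in posts # 3 and # 5 (a 16-character username column that cuts off email addresses, and an account row with an empty username that matches visitors who have no cookie) can be reproduced and guarded against as in the sketch below. This is an added example, not code from the thread or from the Native_session, UserAuth or remember_me libraries; the function names, the in-memory account rows and the addresses are constructed for illustration.

```php
<?php
// Added illustration, not code from Native_session, UserAuth or remember_me.
// Function names, account rows and addresses are constructed assumptions.
const USERNAME_WIDTH = 16; // column width reported in the thread

// Mimics a non-strict VARCHAR(16) write: the value is cut without any error.
function remember_truncating(string $username): string {
    return substr($username, 0, USERNAME_WIDTH);
}

// Hardened write: refuse (null) a value the column cannot hold in full.
function remember_checked(string $username): ?string {
    return ($username !== '' && strlen($username) <= USERNAME_WIDTH) ? $username : null;
}

// Weak lookup: a missing cookie (null) is cast to '' and matches a blank account.
function find_user_weak(array $users, ?string $remembered): ?int {
    foreach ($users as $user) {
        if ($user['username'] == (string) $remembered) {
            return $user['id'];
        }
    }
    return null;
}

// Hardened lookup: no identifier means no login; otherwise require an exact match.
function find_user_strict(array $users, ?string $remembered): ?int {
    if ($remembered === null || trim($remembered) === '') {
        return null;
    }
    foreach ($users as $user) {
        if ($user['username'] === $remembered) {
            return $user['id'];
        }
    }
    return null;
}

// Constructed accounts: id 2 has a blank username, as in the last post.
$users = [
    ['id' => 1, 'username' => 'alexandra@example.org'],
    ['id' => 2, 'username' => ''],
];

$stored = remember_truncating('alexandra@example.org');
var_dump($stored);                                   // what the column hands back
var_dump(remember_checked('alexandra@example.org')); // hardened write on the same name
var_dump(find_user_strict($users, $stored));         // truncated name against accounts
var_dump(find_user_weak($users, null));              // visitor without a cookie
var_dump(find_user_strict($users, null));            // same visitor, hardened lookup
```

Widening the column and adding a NOT NULL, non-empty constraint on the username field addresses the same two conditions at the database level.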