Codeigniter session data lost after redirect - php

I am using codeigniter 2.1.0.
I am trying to do a register/login function using the session library in the codeigniter.
The register/login with the session library worked fine for localhost, but when I put it live and tried it, the session does not work.
My controller login works this way. I check the credentials, once ok I set my session data and redirect to another page.
$user_data = array(
'username' => $result->user_name,
'email' => $result->user_email,
'userid' => $result->user_id,
'role' => $result->user_role,
'login_state' => TRUE,
'lastlogin' => time(),
);
$this->session->set_userdata($user_data);
print_r( $this->session->all_userdata());
redirect(base_url('dashboard'));
at this point here when I print all my session data, they do print out. But at the dashboard controller side, when i attempt to print the session data out, they were not there anymore.
Any idea why? Thanks in advance for the help.


if you are working in CI 3.x and just upgraded your server php version to php 7.x
Go to system/libraries/Session/session.php at Line no 281 and replace ini_set('session.name', $params['cookie_name']); by ini_set('session.id', $params['cookie_name']);


I'm not sure what exactly is the problem. Recently I faced this too..
It was working before in my development running php7.0.
Currently it is only working in my production server running nginx and php 5.6. My development server seems to be not working and keeps on regenerate new row in sessions table. My development server is using php7.1, on homestead virtualbox development environment, usually being used for Laravel projects.
I managed to get over this by taking this step.
1) Go to system/libraries/Session/Session.php
2) Comment session_start() by adding //. We want to relocate the sessionn_start().
3) Go down to line 315 where it says Security is king, and comment out until line 351
4) Then go to your main index.php ( the root index.php )
5) Add session_start() at the top once.
6) Okay try again. Hopefully it works. My guess is that it is not working with php 7.1 and some update need to be done in this Session.php file.
My CI Version is 3.1.1


PHP 7 Upgrade - * Known SESSION / COOKIE Bug
This answer addresses the known session/cookie bug - when you upgrade to PHP7 from PHP 5.
If your CodeIgniter version is # 3.1.0 or below - and you are upgrading to PHP 7.1 - You will need to update CodeIgniter.
There is a bug with $this->session->set_userdata(); - that can be pretty annoying. It will overwrite your session as soon as you redirect or visit another page within your site structure.
Some other discussions about the bug:
https://github.com/bcit-ci/CodeIgniter/issues/4830
*Save some time and see post by See post "dyanakiev commented on Oct 23, 2016" -
"Just to confirm: Everything works perfect with 3.1.1, no more problems with sessions.
👍 Good job! 💃"
See upgrade instructions here:
https://www.codeigniter.com/use…/installation/upgrading.html
Latest CodeIgniter Download here:
https://codeigniter.com/download
*I can also confirm this as well:
Updating codeigniter to 3.1.6 fixed the session problem immediately - that had occurred after I updated server to PHP 7.1.*


In My case, after some tests (with https and http in localhost) the error comes for that issue and not having properly set the $config['cookie_secure'], so you can try changing in config.php:
$config['cookie_secure'] = FALSE; // if is not under https, or true if you use https
Cheers!


This is an addition to "edelweiss" answer but I feel like it require more attention and hence posting as answer.
CI 2.1 is infamous to have session related problems. It is better we replace the built-in Sessions.php file with the one below.
The link given by "edelweiss" is broken. The Session.php file he mentions is:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
//> makes dw cs4 happy
/**
* Session class using native PHP session features and hardened against session fixation.
*
* #package CodeIgniter
* #subpackage Libraries
* #category Sessions
* #author Dariusz Debowczyk, Matthew Toledo
* #link http://www.philsbury.co.uk/index.php/blog/code-igniter-sessions/
*/
class CI_Session {
var $flashdata_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)
function CI_Session()
{
$this->object =& get_instance();
log_message('debug', "Native_session Class Initialized");
$this->_sess_run();
}
/**
* Regenerates session id
*/
function regenerate_id()
{
// copy old session data, including its id
$old_session_id = session_id();
$old_session_data = $_SESSION;
// regenerate session id and store it
session_regenerate_id();
$new_session_id = session_id();
// switch to the old session and destroy its storage
session_id($old_session_id);
session_destroy();
// switch back to the new session id and send the cookie
session_id($new_session_id);
session_start();
// restore the old session data into the new session
$_SESSION = $old_session_data;
// update the session creation time
$_SESSION['regenerated'] = time();
// session_write_close() patch based on this thread
// http://www.codeigniter.com/forums/viewthread/1624/
// there is a question mark ?? as to side affects
// end the current session and store session data.
session_write_close();
}
/**
* Destroys the session and erases session storage
*/
function destroy()
{
unset($_SESSION);
if ( isset( $_COOKIE[session_name()] ) )
{
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
}
/**
* Alias for destroy(), makes 1.7.2 happy.
*/
function sess_destroy()
{
$this->destroy();
}
/**
* Reads given session attribute value
*/
function userdata($item)
{
if($item == 'session_id'){ //added for backward-compatibility
return session_id();
}else{
return ( ! isset($_SESSION[$item])) ? false : $_SESSION[$item];
}
}
/**
* Sets session attributes to the given values
*/
function set_userdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$_SESSION[$key] = $val;
}
}
}
/**
* Erases given session attributes
*/
function unset_userdata($newdata = array())
{
if (is_string($newdata))
{
$newdata = array($newdata => '');
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
unset($_SESSION[$key]);
}
}
}
/**
* Starts up the session system for current request
*/
function _sess_run()
{
session_start();
$session_id_ttl = $this->object->config->item('sess_expiration');
if (is_numeric($session_id_ttl))
{
if ($session_id_ttl > 0)
{
$this->session_id_ttl = $this->object->config->item('sess_expiration');
}
else
{
$this->session_id_ttl = (60*60*24*365*2);
}
}
// check if session id needs regeneration
if ( $this->_session_id_expired() )
{
// regenerate session id (session data stays the
// same, but old session storage is destroyed)
$this->regenerate_id();
}
// delete old flashdata (from last request)
$this->_flashdata_sweep();
// mark all new flashdata as old (data will be deleted before next request)
$this->_flashdata_mark();
}
/**
* Checks if session has expired
*/
function _session_id_expired()
{
if ( !isset( $_SESSION['regenerated'] ) )
{
$_SESSION['regenerated'] = time();
return false;
}
$expiry_time = time() - $this->session_id_ttl;
if ( $_SESSION['regenerated'] <= $expiry_time )
{
return true;
}
return false;
}
/**
* Sets "flash" data which will be available only in next request (then it will
* be deleted from session). You can use it to implement "Save succeeded" messages
* after redirect.
*/
function set_flashdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($flashdata_key, $val);
}
}
}
/**
* Keeps existing "flash" data available to next request.
*/
function keep_flashdata($key)
{
$old_flashdata_key = $this->flashdata_key.':old:'.$key;
$value = $this->userdata($old_flashdata_key);
$new_flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($new_flashdata_key, $value);
}
/**
* Returns "flash" data for the given key.
*/
function flashdata($key)
{
$flashdata_key = $this->flashdata_key.':old:'.$key;
return $this->userdata($flashdata_key);
}
/**
* PRIVATE: Internal method - marks "flash" session attributes as 'old'
*/
function _flashdata_mark()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':new:', $name);
if (is_array($parts) && count($parts) == 2)
{
$new_name = $this->flashdata_key.':old:'.$parts[1];
$this->set_userdata($new_name, $value);
$this->unset_userdata($name);
}
}
}
/**
* PRIVATE: Internal method - removes "flash" session marked as 'old'
*/
function _flashdata_sweep()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':old:', $name);
if (is_array($parts) && count($parts) == 2 && $parts[0] == $this->flashdata_key)
{
$this->unset_userdata($name);
}
}
}
}


Maybe you not automatic load library session.
Have you try this in controller dashboard:
$this->load->library('session');
print_r($this->session->all_userdata());


I'm facing same issue and I was working with CodeIgniter version 3.1.9. I have downloaded CodeIgniter's latest version 3.1.11 and replace my current "system" directory with new the one available with 3.1.11 version.
Above process has solved my issue and it's working fine without any issues in PHP version 7.3.12 and 7.4.0.


Make sure your app has permissions to create the session files to /tmp (where file sessions are stored) if your not using a database for the sessions.
More than likely you need to look at php.ini on the production server and verify the session save handler is defined http://devzone.zend.com/413/trick-out-your-session-handler/ explains this rather well.


I saw a similar post and was directed to here to try using his sessions.php
And it works for me!
http://www.philsbury.co.uk/blog/code-igniter-sessions


In case someone get stuck using Homestead (as I was), this is a CodeIgniter bug and is not present on newer versions (I read), you can upgrade your CI version or downgrade your PHP version "per project" with Homestead 6+, as in the example:
//Homestead.yaml
- map: myproject.test
to: /home/vagrant/Code/myproject
php: "5.6"
and then simple run homestead provision.


I solved this issue by upgrading my codeigniter.
Go to Codeigniter download
Download it and replace your project system folder with newly downloaded one.


Check on the $config['base_url'] = 'http://localhost/'; if you are working on the localhost, and change it to $config['base_url'] = 'http://localhost'; without the last /


I experienced a similar problem with CI 3.1.1. I tried most of the solutions suggested on stackoverflow most did not work for me. I had two different projects project A's sessions were working while project B's session data was losing data after redirect. By comparing the two I found what could be a solution/explanation to the problem.
My initial redirect looked like this:
redirect ('name_of_function_in_same_controller');
I changed it to:
redirect ('/name_of_controller/name_of_function_in_controller');
And it started to work. I believe the trick is including the name of the controller to in the redirect. Be sure to make provision for the controller name in routes.php


Obviously, the table i created, ci_sessions, only have max 64K of data (blob), So i change into mediumblob and it works fine now


In our case the problem was related with Chrome SameSite cookies policy.
It seems that since Chrome 76 was released, cookies without "SameSite=None" and "Secure" properties are not setted by the browser after redirect.
For people that are using CodeIgniter 3.1.6 if you are redirecting to your site from a third party (for example from OAuth login page) you must add this to your config.php:
$config['cookie_path'] = '/;SameSite=None';
$config['cookie_secure'] = TRUE;
Keep in mind that this has security implication so be careful and be sure that you are choosing the best solution for your application requirements.
Related question here: How can I redirect after OAUTH2 with SameSite=Strict and still get my cookies?


Make sure you session_start() before using $_SESSION. I had this problem, I foolishly assumed that
$this->load->library('session');
will do that for me, but not.


Check in application/config/config.php
and find $config['encryption_key'] = ''; If it is empty then set the ecryption_key.
It will definitely help if after every setting session variables not working after redirection.
For more detail:
http://codeigniter.com/user_guide/libraries/encryption.html


I was facing the same issue and after a long research I found the solution.
My session is stored in db not in files but even database is also restricted to store the size, I think..
Its not any core issue of codeigniter or something that is session destroyed automatically or something else..
It is actually the load of data amount in session, if we save the more & more data inside session with Codeigniter("I am not sure about native session but for codeigniter I can confirm this"), it will destroy the session automatically.
So what you have to do is, to go to that code that you are writing to get the data from db or somewhere else and then saving into session in userdata, try to reduce the load of data saving inside the session and exclude that data which is not needed on page from session every time.
Let me know if still there is an issue..


This might be late. But felt i should drop it. Had same issue too. I m using codeigniter and wiredesignz hmvc and i noticed the error was from the htaccess. Try adding a back slash after the rewrite base url

Related

PHP 8 Session Problem with Object serialization

I am facing a very strange Session problem on PHP 8(even though it doesn't work with 7.4 also, but on 7.3 it works great).
What i do is i cerated a class where i set up the Export Object and store it on Session $_SESSION['AjaxExport'][sessionid]. Now i want to load this object stored by reference on the ifram which processes the export. When i session_start it fails to load the session at all.
AjaxExporter Class
private function ExportIntro(){
while (ob_end_clean());
// remove any old ajax exports
unset($_SESSION['AjaxExport']);
$rnd = rand(1, 99999);
$this->sessionid = uniqid($rnd, true);
$_SESSION['AjaxExport'][$this->sessionid] = &$this;
Above, loads the modal where the user gets a link to start the Export. by clicking on that link i load the Below function which loads the Object from Session and start exporting by auto-reloading to export in process like (10%-20%...)
class NG_ADMIN_AJAXEXPORTER_CONTROLLER extends NG_ADMIN_BASE {
public function Export()
{
$sessionid = '';
if (!empty($_REQUEST['exportsess']) && isset($_SESSION['AjaxExport'][$_REQUEST['exportsess']])) {
$sessionid = $_REQUEST['exportsess'];
}
else {
return;
}
$exporter = &$_SESSION['AjaxExport'][$sessionid];
$exporter->sessionid = $sessionid;
$exporter->HandleToDo($_REQUEST['action']);
}
}
When the process tries to start, i get no session at all.
session_start(): Failed to decode session object. Session has been destroyed in...
Also tried to implement Seriazable on both classes but that not seam to work either because, even though the object is stored, there are no values in its properties so it's useless (even though i used reference &).
As i mentioned above, this code works just fine in php 7.3, the problems started since 7.4 and php 8

So, finally figured this out.
As a friend told me that if a class has static properties serialization may not work and i was loading Twig v3 on parent class, so i destroyed all the properties that may contained the "template" property from Twig and it worked.
Generally, cleaned my object to only contain the necessary sub-objects that needed to complete my exports.

Session getting lost on regenerating session id in codeigniter

I have a codeigniter application where the session is set when a user logs in and is shown the user dashboard with somewhat like the code below:
public function checkLogin()
{
$username = $this->input->post("username");
$password = $this->input->post("password");
$userId = $this->ModelLogin->checkLogin($username, $password);
if ($userId) {
$session_data = array(
'is_logged_in' => true,
'userId' => $userId,
);
$this->session->set_userdata($session_data);
redirect("/user/dashboard");
} else {
$this->session->set_flashdata('login_error', "Incorrect username/password");
}
}
Now I am to fix a Session Fixation issue by regenerating the Session ID before authenticating the user. When I include the session_regenerate_id() or even the codeigniter specific $this->session->sess_regenerate() function, it works within this function but as soon as it is redirected to the /user/dashboard the session data gets blank.
I am adding the regenerate line just before the $this->session->set_userdata($session_data);. The above code works perfectly without the regenerate.
Additionally, I am using the database session driver. When I switch to the files driver, even the regenerate logic works perfectly. It's just something with the database driver (I feel) is causing this issue.

I fixed this after days of trial and error.
This was present in Codeigniter 3.0.x that too on PHP 7.x (which was what my application was running on)
After extensive search, I stumbled upon a Codeigniter changelog that mentioned a regression bug fix in some later versions (3.0.x) of Codeigniter and that's when I started scanning through the changes in the Codeigniter session library and the database driver where I found this snippet:
// PHP7 will reuse the same SessionHandler object after
// ID regeneration, so we need to explicitly set this to
// FALSE instead of relying on the default ...
$this->_row_exists = FALSE;
Just when I brought this only line change into my existing codeigniter system, the problem was solved instantly!

Mediawiki SessionProvider $_SESSION variable is empty

I'm trying to implement a SessionProvider auth plugin for a mediawiki install.
I'm trying to integrate with an existing auth system that uses $_SESSION to indicate that a user is logged in, however any method I try, the resulting $_SESSION variable that I get inside the class' provideSessionInfo function is empty.
Previously this was done with a onUserLoadFromSession hook (that contained the bulk of the logic code below), but the update appears to have broken actually looking at the existing $_SESSION:
public function provideSessionInfo(WebRequest $request)
{
// $_SESSION is hidden away per-request, but $request->getSession likes to call this function (yay infinite loops)
if (!isset($_SESSION['memberid'])) {
return null;
}
$memberid = $_SESSION['memberid'];
$mr_user = MyRadio_User::getInstance($memberid);
$user = User::newFromName($memberid);
$dbr = wfGetDB(DB_REPLICA);
$s = $dbr->selectRow('user', ['user_id'], ['user_name' => $memberid]);
if ($s === false) {
return null;
} else {
$user->mName = $memberid;
$user->mId = $user->idForName();
$user->loadFromDatabase();
$user->saveSettings();
}
if ($mr_user->hasAuth(AUTH_WIKIADMIN) && !in_array('sysop', $user->getGroups())) {
$user->addGroup('sysop');
}
$user->mTouched = wfTimestampnow();
return new SessionInfo(SessionInfo::MAX_PRIORITY, [
'provider' => $this,
'persisted' => true,
'userInfo' => UserInfo::newFromUser($user, true),
]);
}
If I hardcode $memberid, the function and the session provider works fine, but I just can't seem to find a way to transfer the session from one PHP "application" to another.
Adding debugging shows the PHPSESSID variable still set in the cookie, but for whatever reason it can't be pulled out into an actual session object. I've tried various session_start() style methods to no effect.
I feel like I'm missing something obvious, but the documentation for this stuff is just a basic wiki page and the raw generated doxygen.

Session handling is not a good way of cross-application communication. MediaWiki uses its own session handling, which means there is no connection between $_SESSION in MediaWiki and $_SESSION in your application at all. The first will be populated from MediaWiki's object cache (as configured by $wgSessionCacheType), the other from PHP session files or whatever.
If you really do not have a better way to pass data, you'll have to write a custom access class which can be called by your provider, which will save the current session handler, install a null session handler (which restores PHP's native session handling which will hopefully be interoperable with the other application), start the session, fetch the session data, restore the original session handler, and probably start the session again.

XCache lost value after some time

I'm a newbie with XCache and I'm trying to use this feature for have an editable configuration over the air in my application.
So I need to store some data, for doing this I did:
class Settings
{
private $_config = array();
function __construct()
{
$file = 'config.php'; //return $config content
require_once $file;
$this->_config = $config;
foreach($config as $item => $value)
{
if(!xcache_isset($item))
{
xcache_set($item, $value);
}
}
}
}
Unfortunately today the official site seems down, so I can't follow the documentation to check if I did something wrong.
I've created also two method:
public static function setItem($name, $value)
{
xcache_set($name, $value);
}
public static function getItem($name)
{
return xcache_get($name);
}
now getItem after 15/20 minute can't get the key value. Why?
UPDATE
Okay, the problem it's when an header('Location..) is called. Infact if I do a redirection I lost the value stored in cache, anyone know why?

As the name implies, XCache is a cache, not a database. Values that you store in the cache may be purged without warning if space is needed for other data, and will be lost entirely when the web server is restarted. It's not an appropriate place to store configuration information.
I can't say for certain why you're seeing values become unavailable after a redirect, though. That shouldn't happen.

Disabling the Codeigniter’s cache for logged in users

I'm using codeigniter cache on my personal CMS. The problem is, i don't want to show cached pages if the user it's logged on administration.
Saw this tutorial on google:
http://www.badpenguin.org/codeigniter-cache-disable
class MY_Output extends CI_Output {
function _display_cache(&$CFG, &$URI)
{
/* Simple Test for Ip Address */
if ($_SERVER['REMOTE_ADDR'] == NOCACHE_IP )
{
return FALSE;
}
/* Simple Test for a cookie value */
if ( (isset($_COOKIE['nocache'])) && ( $_COOKIE['nocache'] > 0 ) )
{
return FALSE;
}
/* Call the parent function */
return parent::_display_cache($CFG,$URI);
}
}
The problem it's that the session it's on database (ci_sessions), and i can't access it inside MY_Output.
using:
$CI =& get_instance();
$CI->session->userdata('userID')
give me:
Class 'CI_Controller' not found in
As output runs before controller, and session Needs CIcontroller, the only Thing i can think of its disable session storage on database and the encription, and i don't want do that rs.
Someone can give me some light on this? i still can't find the solution to this!
Thanks!

Try this:
#$SESS = & load_class('Session', 'libraries/Session');
The # is there to prevent it from whining about "session already started". Do note: this is for CI3. The code for the original Output class states (lines 407-409):
// Note: We use load_class() because we can't use $CI =& get_instance()
// since this function is sometimes called by the caching mechanism,
// which happens before the CI super object is available.

Categories