I enabled to store session data in the database and on every page refresh a new record gets inserted and ends up filling the session table with many rows. How can i just set it to insert a record only if no entry exists for its ip and update an existing ip?
Sessions have a timeout which you can set in the config.php file (i.e $config['sess_expiration'] = 7200 ). Once that time has reached, they expire and are deleted (through the session garbage collection mechanism).
. How can i just set it to insert a record only if no entry exists for its ip
It dosent create a new session record for each update, it simply adds/remove data from the existing session record for the given IP and user agent if the option is selected (unless the session has expired in which case it creates a new record). Codeigniter has a builtin garbage collection mechanism which will eventually (if not instantly) delete the expired session.
and update an existing ip?
Why would it update an existing ip and override its session data? that makes no sense. You could end up overwriting session data of a user who is currently using the session. If a user has stopped using the system, the session will evnetually expire and be deleted.
According to codeigniter session class page:
When a page is loaded, the session class will check to see if valid
session data exists in the user's session cookie. If sessions data
does not exist (or if it has expired) a new session will be created
and saved in the cookie. If a session does exist, its information will
be updated and the cookie will be updated. With each update, the
session_id will be regenerated.
Related
While migrating to spring 6 and spring boot 3, we have two problems:
The session attributes are not stored in the database anymore
The session is not invalidated correctly on logoff.
In Spring 5 we have a persistent session (session.store-type: jdbc). When we create a session on successful login with getSession(true) and store the corresponding username, it is saved to the database.
In spring_session we find one entry
In spring_session_attributes we find an entry for the stored attribute a one for the SPRING_SECURITY_CONTEXT.
The request returns with a cookie and the browser uses this cookie for the next request.
When we invalidate the session, all content is removed from the database and the request returns an empty cookie so that the cookie is also cleared in the browser.
This behavior is absolutely correct.
In Spring 6 however the behavior is different.
If we use http.securityContext { ctx -> ctx.requireExplicitSave(false) } in our configuration, the session is stored in the DB but we only see the SPRING_SECURITY_CONTEXT attribute and not our username attribute.
When we invalidate the session, it is not removed from the database, the browser’s cookie is not cleared and the session is still valid.
If we use http.securityContext { ctx -> ctx.requireExplicitSave(true) } all session attributes are stored and the persistent session is removed on logoff. However, if we have multiple requests at the same time, we see these errors in the log file:
ERROR: duplicate key value violates unique constraint "pk_spring_session_attributes"
Detail: Key (session_primary_id, attribute_name)=(bc7114b1-3149-4c7b-8c23-b1023f51a8b9, SPRING_SECURITY_CONTEXT) already exists.
These requests fail with http status 500.
We have found this documentation about changed in session handling (https://docs.spring.io/spring-security/reference/migration/servlet/session-management.html) but it does not apply. We do not change the security context. We just use it to set the authentication-Property.
We tried saving the context, but it didn't solve the problem – specially not the problem with the duplicate keys.
What are we missing?
Are there more changed to spring-session-jdbc that we’ve overlooked?
In my MVC Core application I'm using sessions to track logins. This works great, but is an issue when my web application goes idle/restarts, as the sessions clears and all users gets logged out. I've modified my application to store the session data in a database caching-table, through calling and setting services.AddDistributedSqlServerCache(options) & services.AddSession(options) in the Startup ConfigureServices method, as well as calling app.UseSession() in the Configure method.
I seem to have done everything correctly; when a new client for the first time sets a session value it's saved in the caching-table, and when Sesion.Get is called the session ExpiresAtTime table-value updates.
So, considering that the session data is saved to the table, why is it not being grabbed on restarts? It isn't a cookie issue, the cookie expiration value is set to 10 years, and the session idle timeout value is set to 2 weeks. It seems like the Session data is just being handled through IIS memory, yet is being saved to my caching db-table, which I find very weird.
I am using DB table to store session. Whenever I access any page in website, expire value in session table is getting updated.
I store a value in the session using the following api:
Yii::$app->session->set("key", $value);
After I use this command, session expire is not updating in database.
Another problem is that the stored value in session is only accessible during the same request.
Next request that value is not there in the session.
I google'd and tried all my luck but not able to figure why this is happening.
Thanks in advance
I'm new in PHP and Codeigniter, by the way how to update database table when session in CI is expired and where I can put the code? I use uniqid in database, it's called token. here is my login tableusername, password, level, token, last_login, exp_time. and I want to change value token=null when session in Codeigniter is expired.
I think you're approaching this the wrong way. Sessions can expire passively, so your user DB would not be up to date.
You could use Codeigniter's option to store session data in your MySQL database and check against those entries.
For example, if a user just closes the browser window without logging out (the PHP script unsetting and destroying the session and expiring the session cookie), by default the cookie used to store the session ID will have expired the next time the user opens the browser so s/he won't have access to the same session.
But what happens with the file on the server side that was used to save the session data and what happens with the session data itself?
Will it still be available?
There are parameters called session.gc_divisor and session.gc_probability that you can configure in php.ini or in the .htaccess.
These parameters give the probability (gc_probabiltiy/gc_divisor) to execute the garbage collection of the sessions at every request.
The garbage collection is a process whick check if the last modification of the session file is older than session.gc_maxlifetime and remove it if it is !
So yes, the data are still available for a while on your server.