As above: Is it possible to regenerate Code Igniter sessions manually? I'm looking for something similar to session_regenerate_id in PHP sessions, so that I could call it manually when a user went through privilege escalation.
Thanks,
Lemiant
CI automatically regenerates the session id every x seconds, which you can set in your config.
You could create a new function in Session.php the same as sess_update() but with the following removed from the top & the function renamed to regenerate_id().
// We only update the session every five minutes by default
if (($this->userdata['last_activity']+$this->sess_time_to_update) >= $this->now)
{
return;
}
This will regenerate the session id, update users_activity and keep the users data. Just call it by $this->session->regenerate_id();
I know this is an old post, but I came across it, so others might too.
You could also do the following so you don't have to hack the core files at all (making codeigniter more easily upgradable with future releases):
//Setting this to 0 forces the sess_update method to regenerate on the next call
$this->session->sess_time_to_update=0;
//Call the sess_update method to actually regenerate the session ID
$this->session->sess_update();
Credit to the original answer for leading me down this path though, thank you.
Related
I am using "file storage" for my session. When I run this:
Session::set('awesomekey', 'myVal123');
And refresh the page, I can see new files being created in /storage/session each time. I assumed it would update the same file each time. This basically means sessions don't work at all. In other words, if it keeps recreating a session file, this never works:
Session::get('awesomekey');
Or at least, it returns a blank. What am I missing that could possibly be causing a new session key to be created each time a page is loaded?
UPDATE
On further investigation, it seems the cookie is regenerated on each page load. What could be causing that?
I am not even looking at logging in yet, so this information is useless to me --> http://willworkforbanjos.com/2014/02/laravel-sessions-not-working-in-4-1/
My problem is happening when I simply put the above set and get code in the master.blade.php file. It should set it, store the info, and on the next reload get the right information from session. But it can't because on reload it changed the cookie to some other code.
Anyone know why this is happening?
UPDATE 2
Adding: 'lifetime' => 120 to session.php did not work. (#Sheikh Heera)
Placing the code in the controller only, does not work. (#Phill Sparks)
I tried chrome and firefox, same result (#The Shift Exchange)
Just to be clear on what I'm trying to do. I add the following code in HomeController.php:
public function index()
{
Session::put('awesomekey', 'myVal123');
return View::make('home.index');
}
Then I put this in my master.blade.php:
print Session::get('awesomekey');
I do not include any "dies" or random echos in my controller side of the code, except for this. When I open the file the first time, I can see myVal123 being printed out.
I then take out this part in the controller:
Session::put('awesomekey', 'myVal123');
And reload the page. It now prints nothing. I can see in my browser that the cookie has changed. Generating a new cookie will lose the reference to the session, so I'm stuck trying to understand why it's doing that each time, even though it saves the session on the first load.
Any more ideas?
UPDATE 3
I also tried:
Running "php artisan dump-autoload" ... still doesn't work
I went here: http://www.whatismybrowser.com/are-cookies-enabled ... and yes, cookies are enabled.
I'm really running out of ideas here...
UPDATE 4
I went to SessionManager.php and just underneath this:
$lifetime = $this->app['config']['session.lifetime'];
I printed out the value of life time:
print $lifetime; die();
And this code was never hit on page reload?! However, adding this in my controller:
$d = Config::get('session.lifetime');
print $d;
Does in fact print out my value for lifetime.... :(
The problem was this line:
'cookie' => 'xxxx.com',
in session.php. Apparently it loses the cookie if you have a "." in the cookie name. I can't believe Laravel doesn't like that. Or maybe it's browser's in general.
I believe you are using:
'lifetime' => 0 // number of minutes
in your app/config/session.php file. Make it something like this:
'lifetime' => 120 // number of minutes or whatever you want
It'll work. I tried same settings as you described and just used 0 and I get same result, each time a new file is being created but once I change it to 120 or so, it works. So, it make sense that, if it's set to 'lifetime' => 0 in the session config then every time it just creates a new file for a new session because the session doesn't live. So, go to your app/config/session.php file and you'll find something like this, change the value:
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
Update:
You may use following code to get the lifetime value set in the app/config/session.php file:
Config::get('session.lifetime');
Have a look at the cookie's expire time in Chrome developer tools, or Firebug. If it is set to 0 then the cookie will expire immediately.
Also, double-check if your clock is setup correctly - strange things could happen if there's a disparity between your host's and the browser's clock. Make both systems consult NTP to ensure this is not an issue.
I had a similar problem with the sessions, if you're using the model User and your users table doesn't have the primaryKey as Id, you must overwrite that variable at the model.
class User extends Eloquent {
protected $primaryKey = 'admin_id';
}
In /app/config/session.php check the "HTTPS Only Cookie" setting.
Make sure it's "secure => false" if you are not using SSL!
I've experienced issues related to this. The session file wasn't created every time but sometimes I just can't get the session variable displayed. After hours of experiments I found that the problem was related to Debugbar.
If you're using Debugbar and having session issues, disable it and try again to confirm.
Use Session::put('value') instead of set.
http://laravel.com/docs/session#session-usage
$session = JFactory::getSession();
$session->set('domain_name', $domain_name, 'dominiForm');
then the table jos_session contains ...__dominiForm|a:2:{s:11:"domain_name";s:16:"safafasfsadfsfds";s:15:"tld_da_comprare";a:1:{i:0;s:3:".com";}}
I have checked that session life is 45mins in joomla control panel.
However without using set() or clear() it randomly(i think after a few minutes of pause) when i click "next" i end up with the database containing only this ...__dominiForm|a:0:{}
This happends both with 1.5 and 2.5.
I believe your problem exists with parts of the code that you haven't shown. It sounds like the $session->set() is getting called during a point when you aren't expecting it to be called, and it is empty at that point so it is overwriting the stored value with an empty value. Post more of your code and I may be able to point out where the issue is.
I usually end up adding session_start() to the top of every page on my PHP sites (or in a header file which is in turn included on every page). I recently discovered that you can have sessions start automatically by using the following setting in php.ini:
session.auto_start = 1
What are the potential downsides (if any) of using this setting?
If you turn on session.auto_start then the only way to put objects
into your sessions is to load its class definition using
auto_prepend_file in which you load the class definition else you will
have to serialize() your object and unserialize() it afterwards. See.
Maybe this helps. It will create a session if there is no session created on page load.
if(!isset($_SESSION)): session_start();endif;
If you want to start a specific session, then use something like this:
if(!isset($_SESSION['your_session'])){
$data = array('default data');
$_SESSION['your_session']=$data;
}
In the joomla users admin when a users data is loaded, where is the function to call the users data
administrator/components/com_users/models/user.php
$result = parent::getItem($pk);
This is the code that returns the data, but I need to find where this function is? I want to amend the query as I've added some form fields, but I need to know which parent, as there are many getItem functions in Joomla
Thanks in advance
Joomla 1.7 provides a mechanism ( http://docs.joomla.org/Creating_a_profile_plugin ) for adding extra fields through user plugins. This is a far more robust method than editing core files - for one thing edits to core files risk being overwritten as soon as you update and as updating is a simple push button affair it is likely to be sooner rather than later.
found it libraries/joomla/application/component/modeladmin.php
I'm using the latest version of Codeigniter and tank_auth 1.0.9 on a site I'm building.
When using set_flashdata() and flashdata() respectivly, nothing is being returned on redirect but if I set sess_use_database to FALSE in the config it works.
I've searched around and couldn't find an answer -- Has anyone else run into this issue and fixed it?
I was having the same issue and figured out the problem. If you're storing sessions in the database, it will not work.
Tank Auth runs this code from the main library ( $this->tank_auth->logout() ):
$this->delete_autologin();
// See http://codeigniter.com/forums/viewreply/662369/ as the reason for the next line
$this->ci->session->set_userdata(array('user_id' => '', 'username' => '', 'status' => ''));
$this->ci->session->sess_destroy();
Then it runs this code from the auth controller ( $this->_show_message() ):
$this->session->set_flashdata('message', $message);
redirect('/auth/');
The problem is that since sess_destroy() was run prior to setting the flashdata, there is no database row to add the flashdata to, so the flashdata never gets set.
At this point there are a few solutions:
Option 1:
Add $this->ci->session->sess_create(); immediately after $this->ci->session->sess_destroy(); in function logout() in application/libraries/Tank_auth.php
This works because you are creating a new blank session where flashdata can be stored. A potential con for this is that you are performing more operations on the database (delete+insert).
Option 2:
Comment out/delete $this->ci->session->sess_destroy(); in function logout() in application/libraries/Tank_auth.php
This works because the session is not destroyed, allowing CI to perform only an update query to add flashdata. This is probably better than option 1 unless you absolutely need to destroy the session.
Option 3:
Set $config['sess_use_database'] to FALSE.
This works because a session is automatically created when it is requested again, as opposed to how it works when you store sessions in the database. Potentially less secure.
In the end, it is up to you to decide which option is best for your application.
if tank_auth does any internal redirects then you may lose the flash data on that redirect request.
Exactly.
CodeIgniter documentation specifies here:
http://codeigniter.com/user_guide/libraries/sessions.html
=============================
Destroying a Session
To clear the current session:
$this->session->sess_destroy();
Note: This function should be the last one called,
and **even flash variables will no longer be available**.
If you only want some items destroyed and not all, use unset_userdata().
=============================
I've digged into the system/libraries/Session.php file and saving flashdata triggers the sess_write() method which only UPDATES the database as you said.
To me a better fix is checking to make sure the session exist before setting the flashdata in show_message().
function _show_message($message)
{
// Patch for show_message() after logout(). Make sure the session exist before set_flashdata().
if(!$this->session->sess_read())
{
$this->session->sess_create();
}
$this->session->set_flashdata('message', $message);
redirect('/auth/');
}