bcit-ci / CodeIgniter

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Session Lost for CI 3.1.13 on Page Refresh #6248

Open mertdogan opened 10 months ago

mertdogan commented 10 months ago

Discussed in https://github.com/bcit-ci/CodeIgniter/discussions/6247

Originally posted by **mertdogan** November 14, 2023

Hi. I started a new CI project with CI 3.1.13. When I refresh the page, everything in the session is lost (it is still in the database table) and a new session is created. I replaced my new system/library/session folder with the one from CI 3.1.11 (the `ini_set('session.id', $params['cookie_name']);` trick) and everything works without problems and the session is not lost. My simple code in the controller is:

```php
public function test()
{
    $this->load->library('session');
    // first request: nothing stored yet; second request: should print the stored value
    var_dump(isset($_SESSION['x']) ? $_SESSION['x'] : null);
    $_SESSION['x'] = '123';
    var_dump($_SESSION['x']);
}
```

When I refresh the page with CI 3.1.13 I get NULL 123, but when I load it with CI 3.1.11 I get 123 123 on the second page load. I tested everything from Stack Overflow but can't solve the problem.

My PHP version is 7.1.19 on IIS and I am using the database driver for sessions. This is my config setting:

```php
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ODEME_PORTAL_COOKIE';
$config['sess_samesite'] = 'None';
$config['sess_expiration'] = 0;
$config['sess_save_path'] = 'CI_SESSIONS';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix'   = Set a cookie name prefix if you need to avoid collisions
| 'cookie_domain'   = Set to .your-domain.com for site-wide cookies
| 'cookie_path'     = Typically will be a forward slash
| 'cookie_secure'   = Cookie will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
| 'cookie_samesite' = Cookie's samesite attribute (Lax, Strict or None)
|
| Note: These settings (with the exception of 'cookie_prefix' and
|       'cookie_httponly') will also affect sessions.
|
*/
$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;
$config['cookie_samesite']  = 'None';
```

plufz commented 7 months ago

I had a similar (maybe the same) issue with the session cookies not being set, being SameSite None and Secure off on a localhost with a self-signed SSL cert. Even on localhost the browsers did not like that. Chrome did not set the cookie at all and Safari made it SameSite Lax. Now it works when I use mkcert in my docker dev environment and on my Mac host, so I have a valid cert everywhere. And cookie secure set to true.

bunglegrind commented 7 months ago

I don't think it's an issue, I couldn't replicate it (see the aforementioned discussion).

plufz commented 7 months ago

> I don't think it's an issue, I couldn't replicate it (see the aforementioned discussion).

No, not a CI issue. It is just a matter of many browsers not accepting cookies with SameSite None combined with non-secure (http, or https with a self-signed cert). A configuration issue.

privatecore commented 6 months ago

@mertdogan check your log files -> you should have errors with this configuration: https://github.com/bcit-ci/CodeIgniter/blob/3.1-stable/system/libraries/Session/Session.php#L183

also, take a look at this article: https://web.dev/articles/samesite-cookies-explained#samesitenone_must_be_secure

in short: a session cookie with SameSite=None but without the Secure attribute will not be saved in the browser's cookie jar, so your session will be new with every page refresh
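A configuration check in the spirit of privatecore's comment, added here as an example and not CodeIgniter's own code: it reports the SameSite=None-without-Secure combination from the reporter's config (and the HttpOnly weakness alongside it) and shows the corrected settings. The fallback from `sess_samesite` to `cookie_samesite` is an assumption about how CI 3.1.x resolves the value.

```php
<?php
// Added example, not CodeIgniter's own code: validate the session/cookie
// settings from application/config/config.php, flagging SameSite=None
// without Secure before the session is ever started. Assumption: CI 3.1.x
// reads sess_samesite and falls back to cookie_samesite when it is unset.

function check_session_cookie_config(array $config): array
{
    $problems = [];
    $samesite = $config['sess_samesite'] ?? $config['cookie_samesite'] ?? 'Lax';
    $secure   = (bool) ($config['cookie_secure'] ?? false);
    $httponly = (bool) ($config['cookie_httponly'] ?? false);

    if (!in_array(ucfirst(strtolower($samesite)), ['Lax', 'Strict', 'None'], true)) {
        $problems[] = "unknown SameSite value '$samesite' (use Lax, Strict or None)";
    }
    // The failure mode from this issue: browsers discard a SameSite=None cookie
    // that is not also Secure, so each request arrives without a session id and
    // CI starts a fresh session (the old row stays in the sessions table).
    if (strcasecmp($samesite, 'None') === 0 && !$secure) {
        $problems[] = 'sess_samesite=None requires cookie_secure=TRUE and valid HTTPS';
    }
    if (!$httponly) {
        $problems[] = 'cookie_httponly=FALSE lets page JavaScript read the session cookie';
    }
    return $problems;
}

// Reporter's settings as posted above: SameSite=None with Secure off.
$weak = [
    'sess_driver'      => 'database',
    'sess_cookie_name' => 'ODEME_PORTAL_COOKIE',
    'sess_samesite'    => 'None',
    'cookie_secure'    => FALSE,
    'cookie_httponly'  => FALSE,
    'cookie_samesite'  => 'None',
];

// Corrected settings: keep None only if the cookie must be sent cross-site
// (otherwise use Lax); either way Secure must be on, which also means serving
// the app over HTTPS with a certificate the browser trusts.
$fixed = $weak;
$fixed['cookie_secure']   = TRUE;
$fixed['cookie_httponly'] = TRUE;

foreach (['weak' => $weak, 'fixed' => $fixed] as $name => $cfg) {
    $problems = check_session_cookie_config($cfg);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

Running it against the two arrays prints the problems for the reporter's settings and `ok` for the corrected ones; the same function can be called from a controller before `$this->load->library('session')` to log misconfiguration early.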