benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License

cannot access session userdata #633

Closed anneachey closed 9 years ago

anneachey commented 9 years ago

I logged into the application using the default admin@admin.com / password credentials. The session is set in the sessions table.

```php
class Login extends CI_Controller {

    public function confirm_account($id)
    {
        if ( ! $this->ion_auth->logged_in()) {
            redirect('login', 'refresh');
        }

        // Ion Auth exposes the logged-in user through user()->row();
        // it has no current() method, so the original current()->user() call is a fatal error.
        $user = $this->ion_auth->user()->row();

        // Ion Auth stores the logged-in user's id in the session under 'user_id'.
        $session_id = $this->session->userdata('user_id');
    }
}
```

I am not able to access the session in the manner specified above. Above all, I am not even detected as logged in and thus always get logged out. Do I not have direct access to the session? Or if I do, what am I doing wrong here?

benedmunds commented 9 years ago

Please post both your CI config and your Ion Auth config.

anneachey commented 9 years ago

Ion Auth:

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/* -------------------------------------------------------------------------
   Tables.
   Database table names.
*/
$config['tables']['users']          = 'users';
$config['tables']['groups']         = 'groups';
$config['tables']['users_groups']   = 'users_groups';
$config['tables']['login_attempts'] = 'login_attempts';

/* Users table column and Group table column you want to join WITH.
   Joins from users.id
   Joins from groups.id
*/
$config['join']['users']  = 'user_id';
$config['join']['groups'] = 'group_id';

/* -------------------------------------------------------------------------
   Hash Method (sha1 or bcrypt)
   Bcrypt is available in PHP 5.3+
   IMPORTANT: Based on the recommendation by many professionals, it is highly recommended to use
   bcrypt instead of sha1.
   NOTE: If you use bcrypt you will need to increase your password column character limit to (80)
   Below there is "default_rounds" setting. This defines how strong the encryption will be,
   but remember the more rounds you set the longer it will take to hash (CPU usage) So adjust
   this based on your server hardware.
   If you are using Bcrypt the Admin password field also needs to be changed in order to login as admin:
   $2a$07$SeBknntpZror9uyftVopmu61qg0ms8Qv1yV6FG.kQOSM.9QhmTo36
   Be careful how high you set max_rounds, I would do your own testing on how long it takes
   to encrypt with x rounds.
   salt_prefix: Used for bcrypt. Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix
   Versions 5.3.7 or greater should use the default of "$2y$".
*/
$config['hash_method']    = 'bcrypt'; // sha1 or bcrypt, bcrypt is STRONGLY recommended
$config['default_rounds'] = 8;        // This does not apply if random_rounds is set to true
$config['random_rounds']  = FALSE;
$config['min_rounds']     = 5;
$config['max_rounds']     = 9;
$config['salt_prefix']    = '$2y$';

/* -------------------------------------------------------------------------
   Authentication options.
   maximum_login_attempts: This maximum is not enforced by the library, but is
   used by $this->ion_auth->is_max_login_attempts_exceeded().
   The controller should check this function and act
   appropriately. If this variable set to 0, there is no maximum.
*/
$config['site_title']                 = "Example.com";       // Site Title, example.com
$config['admin_email']                = "admin@example.com"; // Admin Email, admin@example.com
$config['default_group']              = 'members';           // Default group, use name
$config['admin_group']                = 'admin';             // Default administrators group, use name
$config['identity']                   = 'email';             // A database column which is used to login with
$config['min_password_length']        = 8;                   // Minimum Required Length of Password
$config['max_password_length']        = 20;                  // Maximum Allowed Length of Password
$config['email_activation']           = FALSE;               // Email Activation for registration
$config['manual_activation']          = FALSE;               // Manual Activation for registration
$config['remember_users']             = TRUE;                // Allow users to be remembered and enable auto-login
$config['user_expire']                = 86500;               // How long to remember the user (seconds). Set to zero for no expiration
$config['user_extend_on_login']       = FALSE;               // Extend the users cookies every time they auto-login
$config['track_login_attempts']       = FALSE;               // Track the number of failed login attempts for each user or ip.
$config['track_login_ip_address']     = TRUE;                // Track login attempts by IP Address, if FALSE will track based on identity. (Default: TRUE)
$config['maximum_login_attempts']     = 3;                   // The maximum number of failed login attempts.
$config['lockout_time']               = 600;                 // The number of seconds to lockout an account due to exceeded attempts
$config['forgot_password_expiration'] = 0;                   // The number of milliseconds after which a forgot password request will expire. If set to 0, forgot password requests will not expire.

/* -------------------------------------------------------------------------
   Cookie options.
   remember_cookie_name Default: remember_code
   identity_cookie_name Default: identity
*/
$config['remember_cookie_name'] = 'remember_code';
$config['identity_cookie_name'] = 'identity';

/* -------------------------------------------------------------------------
   Email options.
   email_config:
   'file' = Use the default CI config or use from a config file
   array  = Manually set your email config settings
*/
$config['use_ci_email'] = FALSE; // Send Email using the builtin CI email class, if false it will return the code and the identity
$config['email_config'] = array(
    'mailtype' => 'html',
);

/* -------------------------------------------------------------------------
   Email templates.
   Folder where email templates are stored.
   Default: auth/
*/
$config['email_templates'] = 'auth/email/';

/* -------------------------------------------------------------------------
   Activate Account Email Template
   Default: activate.tpl.php
*/
$config['email_activate'] = 'activate.tpl.php';

/* -------------------------------------------------------------------------
   Forgot Password Email Template
   Default: forgot_password.tpl.php
*/
$config['email_forgot_password'] = 'forgot_password.tpl.php';

/* -------------------------------------------------------------------------
   Forgot Password Complete Email Template
   Default: new_password.tpl.php
*/
$config['email_forgot_password_complete'] = 'new_password.tpl.php';

/* -------------------------------------------------------------------------
   Salt options
   salt_length Default: 22
   store_salt: Should the salt be stored in the database?
   This will change your password encryption algorithm,
   default password, 'password', changes to
   fbaa5e216d163a02ae630ab1a43372635dd374c0 with default salt.
*/
$config['salt_length'] = 22;
$config['store_salt']  = FALSE;

/* -------------------------------------------------------------------------
   Message Delimiters.
*/
// The '<p>' / '</p>' values below are Ion Auth's defaults; the HTML tags were
// stripped when the issue was rendered, so they are assumed here.
$config['delimiters_source']       = 'config'; // "config" = use the settings defined here, "form_validation" = use the settings defined in CI's form validation library
$config['message_start_delimiter'] = '<p>';    // Message start delimiter
$config['message_end_delimiter']   = '</p>';   // Message end delimiter
$config['error_start_delimiter']   = '<p>';    // Error message start delimiter
$config['error_end_delimiter']     = '</p>';   // Error message end delimiter

/* End of file ion_auth.php */
/* Location: ./application/config/ion_auth.php */
```
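The bcrypt settings in that config (hash_method = bcrypt, default_rounds = 8, salt_prefix = '$2y$') are exercised below in an added example that is not Ion Auth's own code; it uses PHP's `password_*` functions (PHP 5.5 or later is assumed) and the function names are illustrative:

```php
<?php
// Added example, not Ion Auth's own code. It exercises the bcrypt settings
// from the ion_auth.php posted above (hash_method = bcrypt, default_rounds = 8,
// salt_prefix = '$2y$') with PHP's password_* functions; assumes PHP >= 5.5.

// Values copied from the posted config.
$rounds      = 8;
$salt_prefix = '$2y$';

// Hash a new password the way the config asks for: bcrypt with cost 8.
function hash_with_config($password, $rounds)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $rounds));
}

// A stored hash should be replaced when its cost or identifier no longer
// matches the config, e.g. a "$2a$07$" hash left over from an older setup.
function hash_needs_upgrade($stored, $rounds, $salt_prefix)
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => $rounds))
        || substr($stored, 0, 4) !== $salt_prefix;
}

// Verify a login and say whether the hash should be regenerated afterwards.
function check_login($password, $stored, $rounds, $salt_prefix)
{
    if ( ! password_verify($password, $stored)) {
        return array('ok' => FALSE, 'rehash' => FALSE);
    }
    return array('ok' => TRUE, 'rehash' => hash_needs_upgrade($stored, $rounds, $salt_prefix));
}

$hash = hash_with_config('correct horse battery staple', $rounds);

// "$2y$08$" + 22-character salt + 31-character digest = 60 characters, which
// is why the config comment says the password column must be widened.
printf("new hash: %s (%d chars, prefix %s)\n", $hash, strlen($hash), substr($hash, 0, 7));

$r = check_login('correct horse battery staple', $hash, $rounds, $salt_prefix);
printf("login ok: %s, rehash: %s\n", $r['ok'] ? 'yes' : 'no', $r['rehash'] ? 'yes' : 'no');

$r = check_login('wrong password', $hash, $rounds, $salt_prefix);
printf("wrong password accepted: %s\n", $r['ok'] ? 'yes' : 'no');

// The admin hash quoted in the config comment uses "$2a$" and cost 7, so it
// would be flagged for regeneration at that user's next successful login.
$legacy = '$2a$07$SeBknntpZror9uyftVopmu61qg0ms8Qv1yV6FG.kQOSM.9QhmTo36';
printf("legacy admin hash needs upgrade: %s\n",
    hash_needs_upgrade($legacy, $rounds, $salt_prefix) ? 'yes' : 'no');
```

Regenerating a hash only after a successful password_verify() is what keeps existing `$2a$07$` rows usable while the configured `$2y$` cost-8 hashes replace them over time.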

anneachey commented 9 years ago

config

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/* --------------------------------------------------------------------------
   Base Site URL
   URL to your CodeIgniter root. Typically this will be your base URL,
   WITH a trailing slash:
   http://example.com/
   If this is not set then CodeIgniter will guess the protocol, domain and
   path to your installation.
*/
$config['base_url'] = 'http://local.dev/index.php';

/* --------------------------------------------------------------------------
   Index File
   Typically this will be your index.php file, unless you've renamed it to
   something else. If you are using mod_rewrite to remove the page set this
   variable so that it is blank.
*/
$config['index_page'] = ' ';

/* --------------------------------------------------------------------------
   URI PROTOCOL
   This item determines which server global should be used to retrieve the
   URI string. The default setting of 'AUTO' works for most servers.
   If your links do not seem to work, try one of the other delicious flavors:
   'AUTO'           Default - auto detects
   'PATH_INFO'      Uses the PATH_INFO
   'QUERY_STRING'   Uses the QUERY_STRING
   'REQUEST_URI'    Uses the REQUEST_URI
   'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO
*/
$config['uri_protocol'] = 'AUTO';

/* --------------------------------------------------------------------------
   URL suffix
   This option allows you to add a suffix to all URLs generated by CodeIgniter.
   For more information please see the user guide:
   http://codeigniter.com/user_guide/general/urls.html
*/
$config['url_suffix'] = '';

/* --------------------------------------------------------------------------
   Default Language
   This determines which set of language files should be used. Make sure
   there is an available translation if you intend to use something other
   than english.
*/
$config['language'] = 'english';

/* --------------------------------------------------------------------------
   Default Character Set
   This determines which character set is used by default in various methods
   that require a character set to be provided.
*/
$config['charset'] = 'UTF-8';

/* --------------------------------------------------------------------------
   Enable/Disable System Hooks
   If you would like to use the 'hooks' feature you must enable it by
   setting this variable to TRUE (boolean). See the user guide for details.
*/
$config['enable_hooks'] = FALSE;

/* --------------------------------------------------------------------------
   Class Extension Prefix
   This item allows you to set the filename/classname prefix when extending
   native libraries. For more information please see the user guide:
   http://codeigniter.com/user_guide/general/core_classes.html
   http://codeigniter.com/user_guide/general/creating_libraries.html
*/
$config['subclass_prefix'] = 'MY_';

/* --------------------------------------------------------------------------
   Allowed URL Characters
   This lets you specify with a regular expression which characters are permitted
   within your URLs. When someone tries to submit a URL with disallowed
   characters they will get a warning message.
   As a security measure you are STRONGLY encouraged to restrict URLs to
   as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
   Leave blank to allow all characters -- but only if you are insane.
   DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
*/
// The underscores in the two keys above and in this value were eaten by the
// issue tracker's markdown rendering; these are CodeIgniter 2.x's actual names.
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

/* --------------------------------------------------------------------------
   Enable Query Strings
   By default CodeIgniter uses search-engine friendly segment based URLs:
   example.com/who/what/where/
   By default CodeIgniter enables access to the $_GET array. If for some
   reason you would like to disable it, set 'allow_get_array' to FALSE.
   You can optionally enable standard query string based URLs:
   example.com?who=me&what=something&where=here
   Options are: TRUE or FALSE (boolean)
   The other items let you set the query string 'words' that will
   invoke your controllers and its functions:
   example.com/index.php?c=controller&m=function
   Please note that some of the helpers won't work as expected when
   this feature is enabled, since CodeIgniter is designed primarily to
   use segment based URLs.
*/
$config['allow_get_array']      = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger']   = 'c';
$config['function_trigger']     = 'm';
$config['directory_trigger']    = 'd'; // experimental not currently in use

/* --------------------------------------------------------------------------
   Error Logging Threshold
   If you have enabled error logging, you can set an error threshold to
   determine what gets logged. Threshold options are:
   You can enable error logging by setting a threshold over zero. The
   threshold determines what gets logged. Threshold options are:
   0 = Disables logging, Error logging TURNED OFF
   1 = Error Messages (including PHP errors)
   2 = Debug Messages
   3 = Informational Messages
   4 = All Messages
   For a live site you'll usually only enable Errors (1) to be logged otherwise
   your log files will fill up very fast.
*/
$config['log_threshold'] = 0;

/* --------------------------------------------------------------------------
   Error Logging Directory Path
   Leave this BLANK unless you would like to set something other than the default
   application/logs/ folder. Use a full server path with trailing slash.
*/
$config['log_path'] = '';

/* --------------------------------------------------------------------------
   Date Format for Logs
   Each item that is logged has an associated date. You can use PHP date
   codes to set your own date formatting
*/
$config['log_date_format'] = 'Y-m-d H:i:s';

/* --------------------------------------------------------------------------
   Cache Directory Path
   Leave this BLANK unless you would like to set something other than the default
   system/cache/ folder. Use a full server path with trailing slash.
*/
$config['cache_path'] = '';

/* --------------------------------------------------------------------------
   Encryption Key
   If you use the Encryption class or the Session class you
   MUST set an encryption key. See the user guide for info.
*/
$config['encryption_key'] = 'loa1BO639RHCfZ9dI7J8kno1Qb13dW1D';

/* --------------------------------------------------------------------------
   Session Variables
   'sess_cookie_name'     = the name you want for the cookie
   'sess_expiration'      = the number of SECONDS you want the session to last.
                            by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
   'sess_expire_on_close' = Whether to cause the session to expire automatically
                            when the browser window is closed
   'sess_encrypt_cookie'  = Whether to encrypt the cookie
   'sess_use_database'    = Whether to save the session data to a database
   'sess_table_name'      = The name of the session database table
   'sess_match_ip'        = Whether to match the user's IP address when reading the session data
   'sess_match_useragent' = Whether to match the User Agent when reading the session data
   'sess_time_to_update'  = how many seconds between CI refreshing Session Information
*/
$config['sess_cookie_name']     = 'ubi';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

/* --------------------------------------------------------------------------
   Cookie Related Variables
   'cookie_prefix' = Set a prefix if you need to avoid collisions
   'cookie_domain' = Set to .your-domain.com for site-wide cookies
   'cookie_path'   = Typically will be a forward slash
   'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path']   = "/";
$config['cookie_secure'] = FALSE;

/* --------------------------------------------------------------------------
   Global XSS Filtering
   Determines whether the XSS filter is always active when GET, POST or
   COOKIE data is encountered
*/
$config['global_xss_filtering'] = FALSE;

/* --------------------------------------------------------------------------
   Cross Site Request Forgery
   Enables a CSRF cookie token to be set. When set to TRUE, token will be
   checked on a submitted form. If you are accepting user data, it is strongly
   recommended CSRF protection be enabled.
   'csrf_token_name'  = The token name
   'csrf_cookie_name' = The cookie name
   'csrf_expire'      = The number in seconds the token should expire.
*/
$config['csrf_protection']  = FALSE;
$config['csrf_token_name']  = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire']      = 7200;

/* --------------------------------------------------------------------------
   Output Compression
   Enables Gzip output compression for faster page loads. When enabled,
   the output class will test whether your server supports Gzip.
   Even if it does, however, not all browsers support compression
   so enable only if you are reasonably sure your visitors can handle it.
   VERY IMPORTANT: If you are getting a blank page when compression is enabled it
   means you are prematurely outputting something to your browser. It could
   even be a line of whitespace at the end of one of your scripts. For
   compression to work, nothing can be sent before the output buffer is called
   by the output class. Do not 'echo' any values with compression enabled.
*/
$config['compress_output'] = FALSE;

/* --------------------------------------------------------------------------
   Master Time Reference
   Options are 'local' or 'gmt'. This pref tells the system whether to use
   your server's local time as the master 'now' reference, or convert it to
   GMT. See the 'date helper' page of the user guide for information
   regarding date handling.
*/
$config['time_reference'] = 'local';

/* --------------------------------------------------------------------------
   Rewrite PHP Short Tags
   If your PHP installation does not have short tag support enabled CI
   can rewrite the tags on-the-fly, enabling you to utilize that syntax
   in your view files. Options are TRUE or FALSE (boolean)
*/
$config['rewrite_short_tags'] = FALSE;

/* --------------------------------------------------------------------------
   Reverse Proxy IPs
   If your server is behind a reverse proxy, you must whitelist the proxy IP
   addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
   header in order to properly identify the visitor's IP address.
   Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
*/
$config['proxy_ips'] = '';

/* End of file config.php */
/* Location: ./application/config/config.php */
```

benedmunds commented 9 years ago

That looks good. Try adding

```php
var_dump($this->session->all_userdata());
```

and see what you get.

anil1712 commented 9 years ago

I am also getting the same issue while trying to access `$this->session->all_userdata()` using AJAX calls. Is there any configuration or change required for AJAX calls? It works fine with a page refresh, but it logs me out when accessed via AJAX.

FYI: I am working on a REST-based application using CodeIgniter and using rest-server to implement it. https://github.com/chriskacerguis/codeigniter-restserver

benedmunds commented 9 years ago

It might be your session settings in your CI config. Try setting:

```php
$config['sess_match_useragent'] = FALSE;
```
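Why that setting matters for the AJAX case, as an added example that is not CodeIgniter's or Ion Auth's own code: a simplified model of the checks CodeIgniter 2.x runs on a stored session row, fed the session settings from the config.php posted above; the function name, the sample session row and the request headers are constructed for illustration.

```php
<?php
// Added example, not CodeIgniter's or Ion Auth's code: a simplified model of
// the checks CodeIgniter 2.x runs on a stored session row, using the session
// settings from the config.php posted above. Names are illustrative.
function ci2_session_is_valid(array $cfg, array $stored, array $request, $now)
{
    // CI 2 treats sess_expiration = 0 as two years.
    $expiration = ($cfg['sess_expiration'] == 0) ? 60 * 60 * 24 * 365 * 2 : $cfg['sess_expiration'];

    if ($stored['last_activity'] + $expiration < $now) {
        return array(FALSE, 'expired');
    }
    if ($cfg['sess_match_ip'] && $stored['ip_address'] !== $request['ip_address']) {
        return array(FALSE, 'ip mismatch');
    }
    // Only the first 120 characters of the User-Agent are stored and compared.
    if ($cfg['sess_match_useragent']
        && trim($stored['user_agent']) !== trim(substr($request['user_agent'], 0, 120))) {
        return array(FALSE, 'user agent mismatch');
    }
    return array(TRUE, 'ok');
}

// Session settings as posted in config.php above.
$cfg = array('sess_expiration' => 7200, 'sess_match_ip' => FALSE, 'sess_match_useragent' => TRUE);

// Constructed session row, as written to the `sessions` table at login.
$stored = array(
    'last_activity' => 1000000,
    'ip_address'    => '127.0.0.1',
    'user_agent'    => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0',
);

// Constructed requests: the page's own XHR carries the browser's UA, while a
// separate REST client sends its own and so never matches the stored row.
$requests = array(
    'browser XHR' => array('ip_address' => '127.0.0.1', 'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0'),
    'REST client' => array('ip_address' => '127.0.0.1', 'user_agent' => 'python-requests/2.7.0'),
);

foreach (array(TRUE, FALSE) as $match_ua) {
    $cfg['sess_match_useragent'] = $match_ua;
    foreach ($requests as $label => $req) {
        list($ok, $why) = ci2_session_is_valid($cfg, $stored, $req, 1000100);
        printf("sess_match_useragent=%-5s %-12s -> %s (%s)\n",
            $match_ua ? 'TRUE' : 'FALSE', $label, $ok ? 'session kept' : 'logged out', $why);
    }
}
```

With the check on, the REST client's request is rejected and the user appears logged out; with it off the session is accepted, but the cookie is no longer tied to the client's User-Agent, so the other protections in that config (cookie_secure over HTTPS, a short sess_expiration) carry more weight.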

benedmunds commented 9 years ago

Any updates? Closing until more information is given.