Session Lost for CI 3.1.13 on Page Refresh

[mertdogan]

Hi. I started a new CI project with CI 3.1.13.

When i refresh page everything on session lost (still on database table) and new session created.

I replaced my new system/library/session folder with CI 3.1.11 (ini_set('session.id', $params['cookie_name']); tricked) and everything works without problem and session not lost.

my simple code at controller is:

	public function test(){
		$this->load->library('session');
		var_dump(isset($_SESSION['x'])?$_SESSION['x']:null);
		$_SESSION['x']='123';
		var_dump($_SESSION['x']);
	}

when i refresh page for CI3.1.13 than NULL 123 occurs but when i load with CI3.1.11 123 123 occurs on second page load.

I test everything on stackoverflow but can't solve problem.

[mertdogan]

my php version is 7.1.19 on IIS and using database driver for session. This is my config setting:

$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ODEME_PORTAL_COOKIE';
$config['sess_samesite'] = 'None';
$config['sess_expiration'] = 0;
$config['sess_save_path'] = 'CI_SESSIONS';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix'   = Set a cookie name prefix if you need to avoid collisions
| 'cookie_domain'   = Set to .your-domain.com for site-wide cookies
| 'cookie_path'     = Typically will be a forward slash
| 'cookie_secure'   = Cookie will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
| 'cookie_samesite' = Cookie's samesite attribute (Lax, Strict or None)
|
| Note: These settings (with the exception of 'cookie_prefix' and
|       'cookie_httponly') will also affect sessions.
|
*/
$config['cookie_prefix']	= '';
$config['cookie_domain']	= '';
$config['cookie_path']		= '/';
$config['cookie_secure']	= FALSE;
$config['cookie_httponly'] 	= FALSE;
$config['cookie_samesite'] 	= 'None';

[bunglegrind]

it sounds like a cookie problem. Please check both the Set-Cookie header in the first response and the Cookie header in your following requests.

[mertdogan]

This is request cookie:

and this is response cookie:

There is a warning for response cookie as :

[mertdogan]

After change $config['cookie_secure'] = FALSE; as $config['cookie_secure'] = TRUE; warning gone but session still lost after refresh.

[mertdogan]

I think problem is cookie value for session is changing after response. Cookie name for session is ODEME_PORTAL_COOKIE. It's request and response values are different. It must be same for no problem.

[mertdogan]

My session values are:
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ODEME_PORTAL_COOKIE';
$config['sess_samesite'] = 'None';
$config['sess_expiration'] = 0;
$config['sess_save_path'] = 'CI_SESSIONS';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

[bunglegrind]

maybe the browser is misunderstanding the localhost context? anyway, you should look at the cookies stored in the browser after the first response is arrived (it should match the set-cookie header) and what cookie is sent in the following requests

[mertdogan]

119.0.6045.124

[mertdogan]

It is not about browser. Firefox and edge has same result

[mertdogan]

note that: CI3.1.11 session driver (with name to id change trick) session not occures but when i replace system folder with CI3.1.13 problem occurs. I think there is a bug at Codeigniter 3.1.13 for session driver

[bunglegrind]

note that: CI3.1.11 session driver (with name to id change trick) session not occures but when i replace system folder with CI3.1.13 problem occurs. I think there is a bug at Codeigniter 3.1.13 for session driver

no there were a couple of bugs on CI <3.1.12. see the changelog for the details

[mertdogan]

I know it bugs but i think there may be another new bug

[mertdogan]

There is a new step: when i use files as session driver everything works well. I think there is a session problem about database driver

[bunglegrind]

There is a new step: when i use files as session driver everything works well. I think there is a session problem about database driver

Ok, I tested...It works, even using the database. You have some issue with your configuration.

config.php:

$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_samesite'] = 'None';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = "ci_sessions";
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']	= '';
$config['cookie_domain']	= '';
$config['cookie_path']		= '/';
$config['cookie_secure']	= FALSE;
$config['cookie_httponly'] 	= FALSE;
$config['cookie_samesite'] 	= 'None';

database.php:

$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'mysql',
	'username' => 'myhumbleuser',
	'password' => 'noneofyourbusiness',
	'database' => 'ci',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => FALSE,
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

table ci_sessions:

CREATE TABLE IF NOT EXISTS `ci_sessions` (
        `id` varchar(128) NOT NULL,
        `ip_address` varchar(45) NOT NULL,
        `timestamp` int(10) unsigned DEFAULT 0 NOT NULL,
        `data` blob NOT NULL,
        KEY `ci_sessions_timestamp` (`timestamp`)
);

[preciousfocus]

I have exactly this same issue on moving from C1 3.1.11 to 3.1.13.

Any headway with this?

[mertdogan]

My installation is a clean installation without any custom code

[bunglegrind]

are you sure? I see:

1. html as url suffix (default is "")
2. A custom name for the cookie
3. I see too many cookies in your first screenshot...there's something more running (try on a private tab)

Clean installation means downloading the zip and editing the configuration the very least in order to have a working instance

...and I suggest you to try Apache instead of IIS, after having setup a working clean installation

[bunglegrind]

Moreover, have you checked if the browser is sending the session cookie? It's not clear from the screenshot you provided. Maybe you can use xdebug (or print_r, var_dump, echo, etc...) ...

[mertdogan]

I don't mean clean installation as program setting. Your list tems are all about frameworks native settings.

I mean clean installation as there is not any code customization and any custom library for session or database

[mertdogan]

I have checked with Firefox and Opera too

[bunglegrind]

I don't mean clean installation as program setting. Your list tems are all about frameworks native settings.

Indeed. The question is: what are the minimum configuration settings in order to reproduce the issue?

Take in mind I couldn't replicate it. It means...there's something other.

Regarding the browser: have you tested on a private tab? Does the second request include the Cookie header with the session cookie inside?

Please notice that I've just observed a different behaviour in Chrome with respect to localhost (but no differences between db and files). Use:

$config['sess_samesite'] = 'Lax';//or strict
$config['cookie_secure'] = FALSE;

[mertdogan]

I tried in private tab too with same result.

I have tried so many settings about sess_samesite and cookie_secure but nothing changed.

Ok I will build a new project with clear installation (as you meaning) and reply results here.