donjakobo/A3M

Session Error

Closed this issue · 8 comments

It seems that there is something wrong with the Session Library File in the 2.2.0 version. If we downgrade the file to the 2.1.4 one, the login works properly. But with 2.2.0, even if you enter your credentials correctly, it doesn't log us into the system.

Yeah, looks like CodeIgniter had a colossal flaw in their session security, so they patched it in 2.2.0, but it's killed something in how A3M is doing sessions.

This is what's generated in the log file:

ERROR - 2014-07-11 07:05:55 --> Session: HMAC mismatch. The session cookie data did not match what was expected.

And for some odd reason every time I attempt a login it creates 4 sessions in the database. Only one of which contains the user id data.

I see two changelog items related to sessions:
Security: The Session Library now uses HMAC authentication instead of a simple MD5 checksum.
Fixed a bug in the Session Library where authentication was not performed for encrypted cookies.

I think the issue we have is with the first one.
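As an added example (not code from A3M or CodeIgniter), here is a simplified model in Python of that first changelog item: a session cookie tagged with the old checksum fails validation once the reader expects a keyed HMAC, which is exactly the "HMAC mismatch" line the log reports. The key, the session data and the md5 / HMAC-SHA1 constructions are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for the application's encryption key (assumption).
SECRET_KEY = b"constructed-example-key-not-a-real-secret"
HMAC_MISMATCH = "Session: HMAC mismatch. The session cookie data did not match what was expected."


def legacy_checksum(payload: bytes) -> str:
    """Old-style integrity tag: an unkeyed hash over payload + key (simplified model)."""
    return hashlib.md5(payload + SECRET_KEY).hexdigest()


def hmac_tag(payload: bytes) -> str:
    """New-style integrity tag: a keyed HMAC, so the tag cannot be recomputed without the key."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha1).hexdigest()


def make_cookie(session: dict, scheme: str) -> bytes:
    """Serialize the session data and append the tag for the given scheme ('md5' or 'hmac')."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = legacy_checksum(payload) if scheme == "md5" else hmac_tag(payload)
    return payload + b"|" + tag.encode()


def verify_cookie(cookie: bytes, scheme: str) -> bool:
    """True if the tag matches the payload under the given scheme; constant-time compare."""
    payload, sep, tag = cookie.rpartition(b"|")
    if not sep:
        return False
    expected = legacy_checksum(payload) if scheme == "md5" else hmac_tag(payload)
    return hmac.compare_digest(expected.encode(), tag)


def read_session(cookie: bytes, scheme: str = "hmac") -> dict:
    """Reject the cookie with the message the 2.2.0 log shows; otherwise return the session data."""
    if not verify_cookie(cookie, scheme):
        raise ValueError(HMAC_MISMATCH)
    payload, _, _ = cookie.rpartition(b"|")
    return json.loads(payload)


if __name__ == "__main__":
    session = {"session_id": "constructed", "user_id": 42}
    old_cookie = make_cookie(session, "md5")   # written with a 2.1.4-style checksum
    new_cookie = make_cookie(session, "hmac")  # written with a 2.2.0-style HMAC
    print(verify_cookie(old_cookie, "hmac"))   # False: the reader logs "HMAC mismatch"
    print(verify_cookie(new_cookie, "hmac"))   # True
    tampered = new_cookie.replace(b'"user_id": 42', b'"user_id": 1')
    print(verify_cookie(tampered, "hmac"))     # False: payload changed, tag no longer matches
```

Any code that writes or rewrites the session cookie outside the library (or a cookie issued before the upgrade) will hit the same mismatch, so the check is where to look when the error appears after a version change.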

That makes sense.
Looks like the second one is what started the discussion about CodeIgniter's session security, so they changed the encryption while they were in there.

I think I have the fix. Will push in a moment.

Can you test it to make sure I got it?

Worked like a charm.
Thank you.

Great! I still have one more bug that I discovered while working on v2 to fix and then I'll release the new version.

Cheers ;) Thanks.
I made a workaround in the development environment by adding the Session.php file from 2.1.4, since the only change was the HMAC authentication, like AdwinTrave said. With this fix I can use the Session.php from 2.2.0.