Bug: Session cookies are sent twice with Ajax #6166
Comments
I have created a repo to test this issue at https://github.com/skuadron45/ajaxmythauth
Links:
What I have done to resolve this issue:
Routes:
$routes->get('test', function () {
    $oldSession = session()->session_id;
    $oldData = session()->get();
    session()->regenerate();
    $newSession = session()->session_id;
    $newData = session()->get();
    return json_encode([
        'old' => $oldSession,
        'old_data' => $oldData,
        'new' => $newSession,
        'new_data' => $newData
    ]);
});
Result for Set Cookie on Response Header when I request it with a browser
Result for Set Cookie on Response Header when I request it with curl: it is sent twice, but the order of Set Cookie was the same for old and new
Result for Set Cookie on Response Header when I request it with ajax jquery in the browser.
As you can see above, if I request it with curl and jquery ajax, Set Cookie was sent twice in my environment. I will try to change my Apache to find out about a bug in Apache related to this statement
Thanks |
Workaround solution from me for ajax requests:
$routes->get('test', function () {
    $oldSession = session()->session_id;
    $oldData = session()->get();
    session()->regenerate();
    $newSession = session()->session_id;
    $newData = session()->get();
    Services::response()->getCookieStore()->clear(); // add this line
    return json_encode([
        'old' => $oldSession,
        'old_data' => $oldData,
        'new' => $newSession,
        'new_data' => $newData
    ]);
});
and the result was only one Set Cookie for the new session id.
I hope I can find out whether this issue is a bug in my Apache or in CI, because after this commit about cookie sending on response, the ordering of Set Cookie was changed. |
Comment if you have an issue like mine when using ajax only |
I reproduced this bug.
$routes->get('test', static function () {
    $oldSession = session()->session_id;
    $oldData = session()->get();
    session()->regenerate();
    $newSession = session()->session_id;
    $newData = session()->get();
    return json_encode([
        'old' => $oldSession,
        'old_data' => $oldData,
        'new' => $newSession,
        'new_data' => $newData,
    ]);
});
Send the following request more than once.
$ curl -v -c cookiejar -b cookiejar -H 'X-Requested-With: xmlhttprequest' http://localhost:8080/test
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: ci_session=kcsk74kjdslm0nsv69f9h57kl920gbhj
> X-Requested-With: xmlhttprequest
>
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Tue, 21 Jun 2022 07:43:00 GMT
< Connection: close
< X-Powered-By: PHP/8.0.20
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
* Replaced cookie ci_session="c4hq1solt7gjhsl3vekoaevmon6p8sga" for domain localhost, path /, expire 1655804580
< Set-Cookie: ci_session=c4hq1solt7gjhsl3vekoaevmon6p8sga; expires=Tue, 21-Jun-2022 09:43:00 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
< Cache-control: no-store, max-age=0, no-cache
< Content-Type: text/html; charset=UTF-8
< Debugbar-Time: 1655797380.056830
< Debugbar-Link: http://localhost:8080/index.php?debugbar_time=1655797380.056830
* Replaced cookie ci_session="kcsk74kjdslm0nsv69f9h57kl920gbhj" for domain localhost, path /, expire 1655804580
< Set-Cookie: ci_session=kcsk74kjdslm0nsv69f9h57kl920gbhj; expires=Tue, 21-Jun-2022 09:43:00 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
<
* Closing connection 0
{"old":"kcsk74kjdslm0nsv69f9h57kl920gbhj","old_data":{"__ci_last_regenerate":1655797370},"new":"c4hq1solt7gjhsl3vekoaevmon6p8sga","new_data":{"__ci_last_regenerate":1655797380}} |
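The condition visible in the transcript above (two `Set-Cookie: ci_session=...` headers, with the pre-regeneration id arriving last so the client keeps it) can be checked mechanically from `curl -v` output. This is an added example, not code from the issue or from CodeIgniter; the function name `audit_session_cookie` and the sample transcript are constructed, and it assumes every `Set-Cookie` for the name shares one domain and path, so the last one replaces the earlier ones.

```python
import re

# Constructed `curl -v` transcript shaped like the one in the issue (ids are made up).
SAMPLE = """\
> GET /test HTTP/1.1
> Host: localhost:8080
> Cookie: ci_session=oldoldoldoldoldoldoldoldoldold01
> X-Requested-With: xmlhttprequest
>
< HTTP/1.1 200 OK
< Set-Cookie: ci_session=newnewnewnewnewnewnewnewnewnew02; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: ci_session=oldoldoldoldoldoldoldoldoldold01; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
<
"""

HEADER_LINE = re.compile(r"^([<>]) ([^:\s]+):\s*(.*)$")


def audit_session_cookie(transcript, name="ci_session"):
    """Return which session id a client holds after the response in `transcript`."""
    sent = None      # id the client sent in its Cookie request header
    received = []    # ids from Set-Cookie response headers, in wire order
    for line in transcript.splitlines():
        m = HEADER_LINE.match(line)
        if not m:
            continue  # request line, status line, curl "*" notes, body
        direction, header, value = m.groups()
        header = header.lower()
        if direction == ">" and header == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key == name:
                    sent = val
        elif direction == "<" and header == "set-cookie":
            key, _, val = value.split(";", 1)[0].strip().partition("=")
            if key == name:
                received.append(val)
    # Assumption: same domain and path, so the last Set-Cookie wins.
    effective = received[-1] if received else sent
    return {
        "sent": sent,
        "received": received,
        "effective": effective,
        "duplicate": len(received) > 1,
        # A new id was issued, but the client ends up holding the id it sent.
        "regeneration_lost": sent is not None and effective == sent
                             and any(v != sent for v in received),
    }
```

Feeding it the output of the `curl -v` command above (stderr redirected to a file) gives the same report for a live response.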
This bug is because of the CodeIgniter4/system/Session/Session.php Lines 242 to 256 in eac264e
|
If a site uses a lot of Ajax requests, does it update cookies so that session cookies don't expire? |
@skuadron45 I sent a PR #6167 |
I already tested this commit, and it works; you are awesome @kenjis
With ajax in the browser: Set Cookie only once.
As you can see, Set Cookie is still sent twice, but the last in order was the new session, just like before v4.2.0.
The question is, is it normal for Set Cookie to be sent twice if we request with CURL?
I just want to say, "Thanks kenjis for resolving this bug" |
I did not expect twice. It may be the bug of Apache and Session cookie of PHP. I don't reproduce with
$ curl -sv -H 'X-Requested-With: xmlhttprequest' http://localhost:8080/test
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> X-Requested-With: xmlhttprequest
>
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Tue, 21 Jun 2022 21:24:18 GMT
< Connection: close
< X-Powered-By: PHP/8.0.20
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: ci_session=g3olhnaja8ph38c38h8h8qbvajlnfe8e; expires=Tue, 21-Jun-2022 23:24:18 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
< Cache-control: no-store, max-age=0, no-cache
< Content-Type: text/html; charset=UTF-8
< Debugbar-Time: 1655846658.941136
< Debugbar-Link: http://localhost:8080/index.php?debugbar_time=1655846658.941136
<
* Closing connection 0
{"old":"b1n05t5aocklspaandrgg71c7m8snmgi","old_data":[],"new":"g3olhnaja8ph38c38h8h8qbvajlnfe8e","new_data":{"__ci_last_regenerate":1655846658}} |
v4.2.0
See #5656 (comment)