Session Lost for CI 3.1.13 on Page Refresh #6248

Open
mertdogan opened this issue Nov 13, 2023 Discussed in #6247 · 4 comments
Comments

@mertdogan

Discussed in #6247

Originally posted by mertdogan November 14, 2023
Hi. I started a new CI project with CI 3.1.13.

When I refresh the page, everything in the session is lost (it is still in the database table) and a new session is created.

I replaced my new system/library/session folder with CI 3.1.11 (ini_set('session.id', $params['cookie_name']); tricked) and everything works without problems and the session is not lost.

My simple code in the controller is:

	public function test(){
		$this->load->library('session');
		var_dump(isset($_SESSION['x'])?$_SESSION['x']:null);
		$_SESSION['x']='123';
		var_dump($_SESSION['x']);
	}

When I refresh the page with CI 3.1.13, NULL 123 occurs, but when I load with CI 3.1.11, 123 123 occurs on the second page load.

I tested everything on Stack Overflow but can't solve the problem.

My PHP version is 7.1.19 on IIS and I am using the database driver for sessions. These are my config settings:

$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ODEME_PORTAL_COOKIE';
$config['sess_samesite'] = 'None';
$config['sess_expiration'] = 0;
$config['sess_save_path'] = 'CI_SESSIONS';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix'   = Set a cookie name prefix if you need to avoid collisions
| 'cookie_domain'   = Set to .your-domain.com for site-wide cookies
| 'cookie_path'     = Typically will be a forward slash
| 'cookie_secure'   = Cookie will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
| 'cookie_samesite' = Cookie's samesite attribute (Lax, Strict or None)
|
| Note: These settings (with the exception of 'cookie_prefix' and
|       'cookie_httponly') will also affect sessions.
|
*/
$config['cookie_prefix']	= '';
$config['cookie_domain']	= '';
$config['cookie_path']		= '/';
$config['cookie_secure']	= FALSE;
$config['cookie_httponly'] 	= FALSE;
$config['cookie_samesite'] 	= 'None';

@plufz

plufz commented Feb 12, 2024

I had a similar (maybe the same) issue with the session cookies not being set, being samesite none and secure none on a localhost with a self-signed SSL cert. Even on localhost the browsers did not like that. Chrome did not set the cookie at all and Safari made it samesite lax. Now it works when I use mkcert in my docker dev environment and on my mac host, so I have a valid cert everywhere. And cookie secure set to true.

@bunglegrind

I don't think it's an issue, I couldn't replicate it (see the aforementioned discussion).

@plufz

plufz commented Feb 13, 2024

> I don't think it's an issue, I couldn't replicate it (see the aforementioned discussion).

No, not a CI issue. It is just a matter of many browsers not accepting cookies with samesite none combined with non-secure (http or https self-signed cert). A configuration issue.

@privatecore

privatecore commented Mar 19, 2024

@mertdogan check your log files -> you should have errors with this configuration:
https://github.com/bcit-ci/CodeIgniter/blob/3.1-stable/system/libraries/Session/Session.php#L183

also, take a look at this article:
https://web.dev/articles/samesite-cookies-explained#samesitenone_must_be_secure

in short: a session with SameSite=None without the Secure parameter will not be saved in the browser's cookie jar, so your session will be new with every page refresh
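
The rule the comments above arrive at (a cookie with SameSite=None but without Secure is not stored, so each refresh starts a new session) can be checked against the config keys quoted in the issue. This is an added example, not part of the thread and not CodeIgniter's own code; `audit_cookie_config()` and its `$is_https` parameter are hypothetical names, and the second array is a constructed corrected variant of the posted values.

```php
<?php
// Added example (not CodeIgniter code): flag cookie settings from config.php
// that make browsers discard the session cookie.
// audit_cookie_config() and $is_https are hypothetical, for illustration only.

function audit_cookie_config(array $config, bool $is_https): array
{
    $findings = [];
    $secure   = !empty($config['cookie_secure']);

    // Check both samesite keys that appear in the posted configuration.
    foreach (['sess_samesite', 'cookie_samesite'] as $key) {
        if (!isset($config[$key])) {
            continue;
        }
        $samesite = ucfirst(strtolower((string) $config[$key]));
        if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
            $findings[] = "{$key}: '{$config[$key]}' is not Lax, Strict or None";
        } elseif ($samesite === 'None' && !$secure) {
            $findings[] = "{$key}: SameSite=None with cookie_secure FALSE, "
                        . 'browsers will not keep the cookie';
        }
    }

    // A Secure cookie is only usable when the site is actually served over HTTPS.
    if ($secure && !$is_https) {
        $findings[] = 'cookie_secure is TRUE but the request is not HTTPS';
    }

    return $findings;
}

// Values as posted in the issue.
$posted = ['sess_samesite' => 'None', 'cookie_samesite' => 'None', 'cookie_secure' => FALSE];
// Constructed corrected variant: SameSite=None kept, Secure switched on.
$fixed  = ['sess_samesite' => 'None', 'cookie_samesite' => 'None', 'cookie_secure' => TRUE];

foreach (['posted' => $posted, 'fixed' => $fixed] as $label => $config) {
    $findings = audit_cookie_config($config, true); // assume the site is on HTTPS
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

If the application does not need the session cookie in cross-site requests, setting the samesite keys to `Lax` avoids the dependency on `cookie_secure` altogether.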
