Null Disquisition

Just a quick blurb. I had a problem with CodeIgniter regenerating the session id all willy-nilly.

Here’s a snip from the config.

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 54000;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent']  = TRUE;
$config['sess_time_to_update'] = 300;

Turns out, CodeIgniter will regenerate the session id every time it updates the session table in the database. So, by default the session id gets regenerated every 5 mins (300 seconds). Instead of changing the sess_time_to_update value, I dug around in the code for a bit.

Here’s the culprit. (In basedir/system/libraries/Session.php)

$old_sessid = $this->userdata['session_id'];
$new_sessid = "";
while (strlen($new_sessid) < 32)
    $new_sessid .= mt_rand(0,mt_getrandmax());
$new_sessid = md5(uniqid($new_sessid,True));

Talk about entropy…

Quick hack: comment out these lines and set $new_sessid = $this->userdata['session_id'];

-David