Don't regenerate sessions during AJAX requests

narfbg · narfbg · commit 3ce60fcfd0c4 · 2015-01-21T21:27:23.000+02:00
This is a partial fix ... no locking = not safe for concurrency,
but so many people have complained about it, that we might as well
just commit this.
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
@@ -360,7 +360,7 @@ function sess_create()
 	function sess_update()
 	{
 		// We only update the session every five minutes by default
-		if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
+		if ($this->CI->input->is_ajax_request() OR ($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
 		{
 			return;
 		}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
@@ -81,6 +81,7 @@ <h3>Bug fixes:</h3>
 	<li>Fixed a bug (#2508) - <a href="libraries/config.html">Config Library</a> didn't properly detect if the current request is via HTTPS.</li>
 	<li>Fixed a bug (#3314) - SQLSRV <a href="database/index.html">Database driver</a>'s method <samp>count_all()</samp> didn't escape the supplied table name.</li>
 	<li>Fixed a bug (#3404) - MySQLi <a href="database/index.html">Database driver</a>'s method <samp>escape_str()</samp> had a wrong fallback to <samp>mysql_escape_string()</samp> when there was no active connection.</li>
+	<li>Fixed a bug in the <a href="libraries/sessions.html">Session Library</a> where session ID regeneration occurred during AJAX requests.</li>
 </ul>
 
 <h2>Version 2.2.0</h2>

Original file line number	Diff line number	Diff line change
`@@ -360,7 +360,7 @@ function sess_create()`
`360`	`360`	`function sess_update()`
`361`	`361`	`{`
`362`	`362`	`// We only update the session every five minutes by default`
`363`		`- if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)`
	`363`	`+ if ($this->CI->input->is_ajax_request() OR ($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)`
`364`	`364`	`{`
`365`	`365`	`return;`
`366`	`366`	`}`