Improve session and cookie handling for user login

magicbug · magicbug · commit b6a712e84121 · 2025-11-18T22:29:49.000Z
Adds backup authentication cookie to address session issues and enhances logging for debugging session and cookie states. Updates encryption methods to handle null/empty data, refines session validation logic, and modernizes cookie parameter usage for PHP compatibility. Also improves error reporting and session cleanup during logout.
diff --git a/application/controllers/User.php b/application/controllers/User.php
@@ -1026,10 +1026,10 @@ function login()
 		$data['user'] = $query->row();
 
 		// Read the cookie remeber_me and log the user in
-		if ($this->input->cookie(config_item('cookie_prefix') . 'remember_me')) {
+		$remember_me_cookie = $this->input->cookie(config_item('cookie_prefix') . 'remember_me');
+		if ($remember_me_cookie && !empty($remember_me_cookie)) {
 			try {
-				$encrypted_string = $this->input->cookie(config_item('cookie_prefix') . 'remember_me');
-				$decrypted_string = $this->encryption->decrypt($encrypted_string);
+				$decrypted_string = $this->encryption->decrypt($remember_me_cookie);
 				$this->user_model->update_session($decrypted_string);
 				$this->user_model->set_last_login($decrypted_string);
 
@@ -1038,7 +1038,7 @@ function login()
 				redirect('dashboard');
 			} catch (Exception $e) {
 				// Something went wrong with the cookie
-				log_message('error', 'Remember Me Login Failed');
+				log_message('error', 'Remember Me Login Failed: ' . $e->getMessage());
 				$this->session->set_flashdata('error', 'Remember Me Login Failed');
 				redirect('user/login');
 			}
@@ -1054,6 +1054,25 @@ function login()
 				$this->session->set_flashdata('notice', 'User logged in');
 				$this->user_model->update_session($data['user']->user_id);
 				$this->user_model->set_last_login($data['user']->user_id);
+				
+				log_message('debug', 'Login successful - Session ID: ' . session_id());
+				log_message('debug', 'Login successful - user_id in session: ' . $this->session->userdata('user_id'));
+				
+				// Set a backup auth cookie as workaround for session issues
+				$user_id = $this->session->userdata('user_id');
+				if ($user_id) {
+					$encrypted_user_id = $this->encryption->encrypt($user_id);
+					setcookie('cloudlog_auth', $encrypted_user_id, [
+						'expires' => time() + 86400, // 24 hours
+						'path' => '/',
+						'domain' => '',
+						'secure' => false,
+						'httponly' => true,
+						'samesite' => ''
+					]);
+					log_message('debug', 'Set backup auth cookie for user_id: ' . $user_id);
+				}
+				
 				$cookie = array(
 
 					'name'   => 'language',
@@ -1075,6 +1094,14 @@ function login()
 					);
 					$this->input->set_cookie($cookie);
 				}
+				
+				log_message('debug', 'About to redirect - Session ID: ' . session_id());
+				log_message('debug', 'Session cookie name: ' . session_name());
+				log_message('debug', 'Session data: ' . print_r($_SESSION, true));
+				
+				// Force session to save
+				session_commit();
+				
 				redirect('dashboard');
 			} else {
 				$this->session->set_flashdata('error', 'Incorrect username or password!');
@@ -1091,6 +1118,9 @@ function logout()
 
 		// Delete remember_me cookie
 		setcookie('remember_me', '', time() - 3600, '/');
+		
+		// Delete backup auth cookie
+		setcookie('cloudlog_auth', '', time() - 3600, '/');
 
 		$this->user_model->clear_session();
 
diff --git a/application/models/User_model.php b/application/models/User_model.php
@@ -441,9 +441,33 @@ function update_session($id) {
 	// Validate a user's login session
 	// If the user's session is corrupted in any way, it will clear the session
 	function validate_session() {
-
+		log_message('debug', 'validate_session called');
+		log_message('debug', 'Session ID: ' . session_id());
+		log_message('debug', 'Cookie: ' . print_r($_COOKIE, true));
+		
+		// Check backup auth cookie first as workaround
+		if (!$this->session->userdata('user_id') && isset($_COOKIE['cloudlog_auth']) && !empty($_COOKIE['cloudlog_auth'])) {
+			log_message('debug', 'Session empty but backup cookie found, attempting restore');
+			$CI =& get_instance();
+			$CI->load->library('encryption');
+			try {
+				$encrypted_value = $_COOKIE['cloudlog_auth'];
+				if (!empty($encrypted_value)) {
+					$user_id = $CI->encryption->decrypt($encrypted_value);
+					if ($user_id) {
+						log_message('debug', 'Restored user_id from cookie: ' . $user_id);
+						$this->update_session($user_id);
+						return 1;
+					}
+				}
+			} catch (Exception $e) {
+				log_message('error', 'Failed to decrypt backup auth cookie: ' . $e->getMessage());
+			}
+		}
+		
 		if($this->session->userdata('user_id'))
 		{
+			log_message('debug', 'validate_session: user_id found = ' . $this->session->userdata('user_id'));
 			$user_id = $this->session->userdata('user_id');
 			$user_type = $this->session->userdata('user_type');
 			$user_hash = $this->session->userdata('user_hash');
@@ -457,6 +481,7 @@ function validate_session() {
 				return 0;
 			}
 		} else {
+			log_message('debug', 'validate_session: No user_id in session');
 			return 0;
 		}
 	}
diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php
@@ -81,8 +81,9 @@ class CI_Exceptions {
 	 */
 	public function __construct()
 	{
-		// E_STRICT is deprecated in PHP 8.4, only add if defined
-		if (defined('E_STRICT'))
+		// E_STRICT is deprecated in PHP 8.4
+		// Only add it for PHP < 8.4
+		if (PHP_VERSION_ID < 80400 && defined('E_STRICT'))
 		{
 			$this->levels[E_STRICT] = 'Runtime Notice';
 		}
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php
@@ -369,8 +369,12 @@ public function create_key($length)
 	 * @param	array	$params	Input parameters
 	 * @return	string
 	 */
-	public function encrypt($data, array $params = NULL)
+	public function encrypt($data, ?array $params = null)
 	{
+		if ($data === null || $data === '') {
+			return FALSE;
+		}
+		
 		if (($params = $this->_get_params($params)) === FALSE)
 		{
 			return FALSE;
@@ -504,8 +508,12 @@ protected function _openssl_encrypt($data, $params)
 	 * @param	array	$params	Input parameters
 	 * @return	string
 	 */
-	public function decrypt($data, array $params = NULL)
+	public function decrypt($data, ?array $params = null)
 	{
+		if ($data === null || $data === '') {
+			return FALSE;
+		}
+		
 		if (($params = $this->_get_params($params)) === FALSE)
 		{
 			return FALSE;
@@ -910,6 +918,9 @@ public function __get($key)
 	 */
 	protected static function strlen($str)
 	{
+		if ($str === null) {
+			return 0;
+		}
 		return (self::$func_overload)
 			? mb_strlen($str, '8bit')
 			: strlen($str);
diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
@@ -125,6 +125,11 @@ public function __construct(array $params = array())
 		}
 
 		session_start();
+		
+		log_message('debug', 'Session started - ID: ' . session_id());
+		log_message('debug', 'Session name: ' . session_name());
+		log_message('debug', '_COOKIE contents: ' . print_r($_COOKIE, true));
+		log_message('debug', 'headers_sent: ' . (headers_sent() ? 'YES' : 'NO'));
 
 		// Is session ID auto-regeneration configured? (ignoring ajax requests)
 		if ((empty($_SERVER['HTTP_X_REQUESTED_WITH']) OR strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest')
@@ -147,11 +152,31 @@ public function __construct(array $params = array())
 			setcookie(
 				$this->_config['cookie_name'],
 				session_id(),
-				(empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
-				$this->_config['cookie_path'],
-				$this->_config['cookie_domain'],
-				$this->_config['cookie_secure'],
-				TRUE
+				[
+					'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
+					'path' => $this->_config['cookie_path'],
+					'domain' => $this->_config['cookie_domain'],
+					'secure' => $this->_config['cookie_secure'],
+					'httponly' => TRUE,
+					'samesite' => ''
+				]
+			);
+		}
+		// Force set cookie for new sessions
+		else
+		{
+			log_message('debug', 'Setting new session cookie: ' . $this->_config['cookie_name'] . ' = ' . session_id());
+			setcookie(
+				$this->_config['cookie_name'],
+				session_id(),
+				[
+					'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
+					'path' => $this->_config['cookie_path'],
+					'domain' => $this->_config['cookie_domain'],
+					'secure' => $this->_config['cookie_secure'],
+					'httponly' => TRUE,
+					'samesite' => ''
+				]
 			);
 		}
 
@@ -267,13 +292,14 @@ protected function _configure(&$params)
 		isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain');
 		isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure');
 
-		session_set_cookie_params(
-			$params['cookie_lifetime'],
-			$params['cookie_path'],
-			$params['cookie_domain'],
-			$params['cookie_secure'],
-			TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons
-		);
+		session_set_cookie_params([
+			'lifetime' => $params['cookie_lifetime'],
+			'path' => $params['cookie_path'],
+			'domain' => $params['cookie_domain'],
+			'secure' => $params['cookie_secure'],
+			'httponly' => TRUE,
+			'samesite' => ''
+		]);
 
 		if (empty($expiration))
 		{

Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,9 @@ class CI_Exceptions {`
`81`	`81`	`*/`
`82`	`82`	`public function __construct()`
`83`	`83`	`{`
`84`		`- // E_STRICT is deprecated in PHP 8.4, only add if defined`
`85`		`- if (defined('E_STRICT'))`
	`84`	`+ // E_STRICT is deprecated in PHP 8.4`
	`85`	`+ // Only add it for PHP < 8.4`
	`86`	`+ if (PHP_VERSION_ID < 80400 && defined('E_STRICT'))`
`86`	`87`	`{`
`87`	`88`	`$this->levels[E_STRICT] = 'Runtime Notice';`
`88`	`89`	`}`