It's possible that this is the result of a session collision, but keep in mind that the real distinguishing factor behind a session is the sessionID and not the IP or UA string. That is to say, even if two users both have the same remote IP and UA string in a request where neither of them already has a session cookie in their browser, they should still each be assigned a randomly generated (hopefully unique) sessionID, thus still distinguishing their sessions.
If you're using CI to store sessions in the DB, there is a simple test you could do to detect whether or not a session collision has in fact occurred. In the session driver, where the session is created, check the DB table you're using for storing sessions for an existing session ID (bar matching IP/UA) against the newly generated session ID by the driver and log the matching IDs.
At least this way you'll have some indication of whether or not it's actually happening and how frequently it's happening.
Some of the root causes for session collision are a poor source of entropy (PHP uses /dev/urandom by default as of PHP 5.4, but CI may do something different); using high-collision-rate hashes like md5 (try sha256 or better instead); or just having too many concurrent workers overloading the server (try lowering your php-fpm or apache prefork max children setting, for example).
It's important to note that PHP doesn't inherently attempt to prevent session collision in general. This is mostly because such checks at runtime would be a performance cost and the expectation is that the probability of a collision occurring is rather low with good configuration (although not impossible). PHP has tons of settings for fine-tuning this in its own session manager, although CodeIgniter does its own thing (and I can't be bothered to read their documentation to figure out what they do wrong, to be honest).
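The collision check described in the answer above, written out as an added example (not code from the answer's author or from CodeIgniter). It assumes a PDO connection and a `sessions` table with `id`, `ip_address`, `user_agent` and `timestamp` columns; those names, the in-memory SQLite store and the sample IP/UA values are assumptions for the demo.

```php
<?php
// Added example, not the original answer's code: log session-ID collisions
// at session-creation time by checking the session store before inserting.
// Table and column names are assumptions modelled on a CI-style sessions table.
declare(strict_types=1);

function generateSessionId(): string
{
    // 32 bytes from the OS CSPRNG (random_bytes uses /dev/urandom or the
    // platform equivalent) rendered as 64 hex characters.
    return bin2hex(random_bytes(32));
}

function createSession(PDO $db, string $ip, string $ua, int $maxAttempts = 3): string
{
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $id = generateSessionId();

        // Look the new ID up against every stored session, regardless of IP/UA.
        $stmt = $db->prepare('SELECT ip_address, user_agent FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $existing = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($existing !== false) {
            // Collision: record the colliding row's IP/UA next to the new request's,
            // then try again with a fresh ID.
            error_log(sprintf(
                'session collision: id=%s existing_ip=%s existing_ua=%s new_ip=%s attempt=%d',
                $id, $existing['ip_address'], $existing['user_agent'], $ip, $attempt
            ));
            continue;
        }

        $ins = $db->prepare(
            'INSERT INTO sessions (id, ip_address, user_agent, timestamp) VALUES (:id, :ip, :ua, :ts)'
        );
        $ins->execute([':id' => $id, ':ip' => $ip, ':ua' => $ua, ':ts' => time()]);
        return $id;
    }

    throw new RuntimeException('could not allocate a unique session ID after ' . $maxAttempts . ' attempts');
}

// Demo against a constructed in-memory SQLite store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, ip_address TEXT, user_agent TEXT, timestamp INTEGER)');

// Two requests with identical IP and UA (constructed values) still get distinct IDs.
$first  = createSession($db, '203.0.113.10', 'Mozilla/5.0');
$second = createSession($db, '203.0.113.10', 'Mozilla/5.0');
var_dump($first !== $second); // bool(true)
```

The SELECT-then-INSERT sequence is what the answer describes and is enough to measure how often collisions happen; the `PRIMARY KEY` on `id` is the safety net for the concurrent case, where two workers generate the same ID between the lookup and the insert, so a production driver should also catch the unique-constraint `PDOException` on the insert and treat it as a collision.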