I had this exact same problem using Flexi Auth and it was completely maddening. We found a workaround by enabling encryption of the cookies with the setting sess_encrypt_cookie in application/config/config.php. (See: Session Class).
Stepping through our app with xdebug, we could see the PHP session getting regenerated when cookies were not encrypted. Enabling encryption of the cookies bypasses the block of code in the framework that keeps regenerating the session ID. The problem seems to be entirely contained in the CI framework with its handling of sessions.
EDIT
If it helps, here is the session configuration in our config.php:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
The settings we have changed are the sess_encrypt_cookie, as previously mentioned, plus driving the sessions from the database, sess_use_database is TRUE. For what it is worth, we do have both Ion Auth and Flexi Auth running in the same CI application. I looked at our Ion Auth config and it is mostly the stock settings. The settings we changed wouldn't relate to the session (password length, etc.).