UPDATE: Even after downloading the "fixed" 2.2.0, update log files are still filling up with:
Session: HMAC mismatch. The session cookie data did not match what was expected.
After upgrading from CodeIgniter 2.1.3 to 2.2.0 I am getting the error:
Session: HMAC mismatch. The session cookie data did not match what was expected.
The Mcrypt extension is enabled. If I set $config['sess_encrypt_cookie'] = FALSE; (not an option for production) there is no error. Any help greatly appreciated.
The CI_Input->_sanitize_globals() function sometimes breaks the encrypted session. To fix this problem, I changed /system/core/Input.php (version 2.2, line 636)
$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
to
if(!(config_item('sess_encrypt_cookie') === TRUE) || $key!=config_item('sess_cookie_name'))
    $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
Re-download the CI 2.2 archive, it was re-tagged and replaced.
In system/libraries/Sessions.php, in the _set_cookie function, change:
if ($this->sess_encrypt_cookie == TRUE)
{
    $cookie_data = $this->CI->encrypt->encode($cookie_data);
}
else
{
    // if encryption is not used, we provide an md5 hash to prevent userside tampering
    $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
}
to:
if ($this->sess_encrypt_cookie == TRUE)
{
    $cookie_data = $this->CI->encrypt->encode($cookie_data);
}
$cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
to see if it works.
see: https://github.com/EllisLab/CodeIgniter/issues/3086
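The append-then-verify scheme that the answer above relies on, as an added example that is not part of the original posts or of CodeIgniter's code: it shows why a cookie written without the trailing HMAC, or rewritten after it was sealed, produces a mismatch on read. The function names seal_cookie and open_cookie, the key and the payload are constructed for illustration, and a reader that always verifies the MAC is assumed.

```php
<?php
// Added illustration: function names, key and payload are constructed.
const MAC_LEN = 40; // hex length of an HMAC-SHA1 digest

// Write side: append the MAC to the final cookie value (encrypted or not),
// as the modified _set_cookie in the answer does.
function seal_cookie(string $payload, string $key): string
{
    return $payload . hash_hmac('sha1', $payload, $key);
}

// Read side: split off the trailing MAC and check it before trusting the
// payload. Returns the payload, or null on a mismatch.
function open_cookie(string $cookie, string $key): ?string
{
    if (strlen($cookie) <= MAC_LEN) {
        return null;
    }
    $payload  = substr($cookie, 0, -MAC_LEN);
    $received = substr($cookie, -MAC_LEN);
    $expected = hash_hmac('sha1', $payload, $key);
    // hash_equals() compares in constant time
    return hash_equals($expected, $received) ? $payload : null;
}

$key = 'constructed-demo-key';
// Stand-in for the output of encrypt->encode(): base64 text ending in "=="
$ciphertext = base64_encode(hash('sha512', 'constructed', true));

$cases = [
    'MAC appended by writer'        => seal_cookie($ciphertext, $key),
    // The "before" code on the encrypted path: no MAC, so the reader
    // mistakes the last 40 characters of ciphertext for one.
    'encrypted, no MAC appended'    => $ciphertext,
    // Stand-in for any filter that rewrites the value before it is read.
    'value rewritten after sealing' => str_replace('=', '', seal_cookie($ciphertext, $key)),
];

foreach ($cases as $label => $cookie) {
    $ok = open_cookie($cookie, $key) !== null;
    printf("%-30s %s\n", $label, $ok ? 'verified' : 'HMAC mismatch');
}
```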