codeigniter 3.0-dev dropping sessions randomly

Question

This is a project I inherited, it says: define('CI_VERSION', '3.0-dev'); in CodeIgniter.php. It is an ecommerce site and every once in a while a customer complains they get logged out and their cart contents emptied randomly. This seems to happen over and over again for the same customer on the same day but not for anyone else. The same customer may try again a few days later from the same machine and browser and not have the issue at all. A customer complained about this yesterday and I found 7 different sessions for their IP address on the same day in ci_sessions table. Since I can never reproduce the issue myself I'm having a hard time figuring it out. I've read a number of posts online about CI dropping sessions and I've made all the suggested updates to config values that I found, hoping it would be fixed, only to have another customer complain about the exact same thing again a couple weeks later. If you've encountered this issue before maybe you can suggest some other solution?

Here are some of my config settings:

$config['sess_cookie_name']     = 'pyrocms' . (ENVIRONMENT !== 'production' ? '_' . ENVIRONMENT : '');
$config['sess_expiration']      = 0;
$config['sess_expire_on_close'] = true;
$config['sess_encrypt_cookie']  = true;
$config['sess_use_database']    = true;
// don't change anything but the 'ci_sessions' part of this. The MSM depends on the 'default_' prefix
$config['sess_table_name']      = 'default_ci_sessions';
$config['sess_match_ip']        = true;
$config['sess_match_useragent'] = true;
$config['sess_time_to_update']  = 300;

$config['cookie_prefix']    = (substr_count($_SERVER['SERVER_NAME'], '.') > 1) ? substr($_SERVER['SERVER_NAME'], 0, strpos($_SERVER['SERVER_NAME'], '.')) . '_' : 'default_';
$config['cookie_domain']    = ($_SERVER['SERVER_NAME'] == 'localhost') ? '' : $_SERVER['SERVER_NAME'];
$config['cookie_path']      = BASE_URI;
$config['cookie_secure']    = false;

$config['global_xss_filtering'] = false;

Answer 1

A customer complained about this yesterday and I found 7 different sessions for their IP address on the same day in ci_sessions table.

This seems to be the bottleneck since new sessions are created for the user; also results in unseting cart (I guess, the cart is based on $_SESSION which is regenerated/destroyed & created).

Since I can never reproduce the issue myself I'm having a hard time figuring it out.

The client might be using private browsing. Try to clear all cookies from your browser (system) to reproduce it. Related post might help you also: Remembering PHP Session Private Browsing

Still, there are some fuzzy feelings about these two lines. Why don't you increase the sess_expiration to $config['sess_expiration'] = 60 * 60 * 24; and sess_expire_on_close to $config['sess_expiration'] = false;