Open
Description
PHP Version
8.3.6
CodeIgniter4 Version
4.5.8
Shield Version
1.1.0
Which operating systems have you tested for this bug?
Linux
Which server did you use?
apache
Database
8.0.41-0ubuntu0.24.04.1
Did you customize Shield?
No
What happened?
I get the error below when returning to the site after logging in (with remember me).
CodeIgniter\Shield\Exceptions\LogicException: The user has User Info in Session, so already logged in or in pending login state. If a logged in user logs in again with other account, the session data of the previous user will be used as the new user. Fix your code to prevent users from logging in without logging out or delete the session data. user_id: 3
[Method: POST, Route: login]
in VENDORPATH/codeigniter4/shield/src/Authentication/Authenticators/Session.php on line 651.
1 VENDORPATH/codeigniter4/shield/src/Authentication/Authenticators/Session.php(177): CodeIgniter\Shield\Authentication\Authenticators\Session->startLogin()
2 VENDORPATH/codeigniter4/shield/src/Controllers/LoginController.php(71): CodeIgniter\Shield\Authentication\Authenticators\Session->attempt()
3 SYSTEMPATH/CodeIgniter.php(933): CodeIgniter\Shield\Controllers\LoginController->loginAction()
4 SYSTEMPATH/CodeIgniter.php(509): CodeIgniter\CodeIgniter->runController()
5 SYSTEMPATH/CodeIgniter.php(355): CodeIgniter\CodeIgniter->handleRequest()
6 SYSTEMPATH/Boot.php(334): CodeIgniter\CodeIgniter->run()
7 SYSTEMPATH/Boot.php(67): CodeIgniter\Boot::runCodeIgniter()
8 FCPATH/index.php(56): CodeIgniter\Boot::bootWeb()
Steps to Reproduce
- Log in with remember me.
- Close the tab/browser without logging out.
- Visit the site after 24 hours.
- CI gives out the "Opps!" error screen.
Then "xxxx.com/logout" is the only way to get rid of this error from the front end.
Expected Output
I understand from the error that a logged-in session is clashing with the new session. I expect that if the session is expired, the flow should flush the session and redirect to be logged in again.
Anything else?
The solution is to update the vendor/source files to always log out or flush the session at login if any expired sessions are found, but I don't want to manually update any core files, as this would be a problem to maintain with updates.
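An added example, not part of the original report and not Shield's own code: one way to keep `Session::attempt()` from being reached while user info is still in the session, done in an application filter instead of in vendor files. The class name `StaleLoginGuard`, the alias `staleLogin` and the fallback branch are assumptions, and this is not a confirmed fix for the report above.

```php
<?php
// app/Filters/StaleLoginGuard.php (hypothetical file and class name, not part of Shield)

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class StaleLoginGuard implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Only the login form submission reaches Session::attempt().
        if (strtoupper($request->getMethod()) !== 'POST') {
            return;
        }

        $authenticator = auth('session')->getAuthenticator();

        // Session still valid: skip the second login attempt.
        if ($authenticator->loggedIn()) {
            return redirect()->to(config('Auth')->loginRedirect());
        }

        // A pending auth action (2FA, email activation) must be finished first.
        if ($authenticator->isPending()) {
            return redirect()->route('auth-action-show');
        }

        // Defensive fallback (assumption): user info left in the session
        // although nobody is logged in. Drop it and rotate the session ID.
        $field = config('Auth')->sessionConfig['field'];
        if (session()->has($field)) {
            session()->remove($field);
            session()->regenerate(true);
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller runs.
    }
}

// Registration in app/Config/Filters.php (alias name is an assumption):
//   public array $aliases = [..., 'staleLogin' => \App\Filters\StaleLoginGuard::class];
//   public array $filters = ['staleLogin' => ['before' => ['login']]];
```

Rotating the session ID when stale user info is dropped keeps an old identifier from carrying over into the new login.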