Session Error about a3m HOT 8 CLOSED

Yeah looks like Codeigniter had a colossal flaw in their session security so they patched it in 2.2.0 but it's killed something in how A3M is doing sessions.

This is what's generated in the log file:ERROR - 2014-07-11 07:05:55 --> Session: HMAC mismatch. The session cookie data did not match what was expected.

And for some odd reason everytime I attempt a login it creates 4 sessions in the database. Only one of which contains the user id data.

from a3m.

I see two changelog items related to sessions:
Security: The Session Library now uses HMAC authentication instead of a simple MD5 checksum.
Fixed a bug in the Session Library where authentication was not performed for encrypted cookies.

I think the issue we have is with the first one.

from a3m.

That makes sense.
Looks like the second one is what started the discussion about codeigniters session security, so they changed the encryption while they were in there.

from a3m.

I think I have the fix. Will push in a moment.

from a3m.

Can you test it to make sure I got it?

from a3m.

Worked like a charm.
Thank you.

from a3m.

Great! I still have one more bug that I discovered while working on v2 to fix and then I'll release the new version.

from a3m.

Cheers ;) Thanks.
I made a workaround in the development environment by adding the Session.php file of the 2.1.4, since the only change was the HMAC authentication, like AdwinTrave said. With this fix i can get the Session.php from 2.2.0.

from a3m.