UPDATE: Even after downloading the "fixed" 2.2.0, update log files are still filling up with:
Session: HMAC mismatch. The session cookie data did not match what was expected.
After upgrading from CodeIgniter 2.1.3 to 2.2.0 I am getting the error:
Session: HMAC mismatch. The session cookie data did not match what was expected.
The Mcrypt extension is enabled. If I set $config['sess_encrypt_cookie'] = FALSE; (not an option for production) there is no error. Any help greatly appreciated.
Re-download the CI 2.2 archive, it was re-tagged and replaced.
CI_Input->_sanitize_globals() function sometimes break encrypted session to fix this problem, I changed /system/core/Input.php (version 2.2, line 636)
$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
to
if(!(config_item('sess_encrypt_cookie') === TRUE) || $key!=config_item('sess_cookie_name'))
$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
in system/libraries/Sessions.php function _set_cookie function change:
if ($this->sess_encrypt_cookie == TRUE)
{
$cookie_data = $this->CI->encrypt->encode($cookie_data);
}
else
{
// if encryption is not used, we provide an md5 hash to prevent userside tampering
$cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
}
to:
if ($this->sess_encrypt_cookie == TRUE)
{
$cookie_data = $this->CI->encrypt->encode($cookie_data);
}
$cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
to see if it works.
Beyond the above correction, I needed to change the following line:
if ($key === $sess_cookie_name && config_item('sess_encrypt_cookie'))
To:
if ($key === config_item('cookie_prefix') . $sess_cookie_name
&& config_item('sess_encrypt_cookie'))
Hope it helps, Regards.
