SpeedOfRound

Reputation: 1278

CodeIgniter POST request creating multiple sessions

I have a CodeIgniter app. My objective is to authenticate a user and save their name to a session var.

I make a post request from a page using a fetch:

await fetch('/api/auth/', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    Username: args['userName'],
    Password: args['password']
  })
})

It goes to my API and ends up in a model where it gets authenticated and saved to the session:

$this->load->library('session');
$_SESSION['userdata'] = array(
    'username' => $user,
    'testme' => 'test'
);

Then in my page controller I try and retrieve the data and see if they have validated:

defined('BASEPATH') OR exit('No direct script access allowed');

class TimeClock extends CI_Controller {

    public function index()
    {
        $this->load->library('session');
        //$userdata = $this->session->set_userdata(array('test' => 'success'));
        $userdata = $_SESSION;

        var_dump($userdata);
...

Here's some relevant config stuff:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'timeclock_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = APPPATH . '/timeclock_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;

I'm on PHP 7.0 and CodeIgniter 3.1.7.

The problem I'm having is that the session data set in the model is not present when I load the page. However, if I set session data in the controller, just some dummy data, it will be there, even after page refresh.

Looking at the actual session files, I can see two are created, let's say session A and B.

Session A is empty (aside from the _ci_last_regenerate property CI creates) and Session B has my data (username and testme property). Looking at my browser application/cookies data I can see that Session A is being loaded only.

So somehow, the POST request is counted as an entirely different session than the one my page load uses.

I have used CodeIgniter's session library to set sessions instead of the $_SESSION global, and it gives the exact same results as above. I switched to using $_SESSION because I read $this->session->set_userdata() was deprecated.

EDIT

I thought I'd take the extra effort and illustrate the true problem with some pictures:

Loading the page (where I check the session data) creates a session, and making the post request makes a second one, here are the sessions:


The contents of the first one:

__ci_last_regenerate|i:1519850738;

The contents of the second one:

__ci_last_regenerate|i:1519850762;test|s:7:"success";

There's the data, in the second one.


And here's what the browser is loading. The empty one. This happens consistently, and if I edit the value to match the other session, lo and behold it loads my data. So it's more an issue of the session ID being assigned than actually saving the session.

Upvotes: 1

Views: 1026

Answers (1)

SpeedOfRound

Reputation: 1278

So after a few more hours with the problem I found a solution.

First I tried making the auth request as a GET request instead of a POST. At first, this seemed to give the same results, but then I noticed while testing that if I made the request using my browser (just putting the URL into the address bar) it WOULD work. So I figured the issue was with how I was making my request.

So I switched to Axios instead of using fetch() and everything works as expected now. No idea why fetch doesn't work, maybe I need some kind of header or something. Let me know if anyone can shed some light on this.

EDIT:

I have figured out why this happens a month later, after reading this line in the MDN documentation for fetch():

By default, fetch won't send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials init option must be set).

Upvotes: 1
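
The session A / session B split from the question and the `credentials` option from the MDN quote, modelled as an added example (not code from the original post). It assumes same-origin requests; `SessionServer`, `Browser`, `simulate` and the user `alice` are hypothetical names, and session ids are a counter for readability.

```javascript
const COOKIE = 'timeclock_session'; // sess_cookie_name from the question's config

// Server: like a PHP/CodeIgniter session start, a request without a known
// session cookie gets a brand-new session and a Set-Cookie header.
class SessionServer {
  constructor() { this.sessions = new Map(); this.next = 0; }
  handle(cookieHeader, mutate) {
    const m = new RegExp(`(?:^|;\\s*)${COOKIE}=(\\w+)`).exec(cookieHeader || '');
    let id = m && this.sessions.has(m[1]) ? m[1] : null;
    let setCookie = null;
    if (!id) {
      id = `sess${++this.next}`; // model only: real ids are long random values
      this.sessions.set(id, {});
      setCookie = `${COOKIE}=${id}; Path=/`;
    }
    const data = this.sessions.get(id);
    if (mutate) mutate(data);
    return { setCookie, data: { ...data } };
  }
}

// Client: the cookie jar takes part in a request only when the fetch-style
// `credentials` option is not 'omit'.
class Browser {
  constructor(server) { this.server = server; this.jar = null; }
  request({ credentials }, mutate) {
    const useJar = credentials !== 'omit';
    const res = this.server.handle(useJar ? this.jar : null, mutate);
    if (useJar && res.setCookie) this.jar = res.setCookie.split(';')[0];
    return res.data;
  }
}

// Page load, then the auth POST with the given credentials mode, then reload.
function simulate(fetchCredentials) {
  const server = new SessionServer();
  const browser = new Browser(server);
  browser.request({ credentials: 'include' }); // navigation: session A
  browser.request({ credentials: fetchCredentials }, // POST /api/auth/
    (s) => { s.username = 'alice'; }); // constructed user
  const pageSees = browser.request({ credentials: 'include' }); // reload
  return { sessions: server.sessions.size, pageSees };
}

console.log(simulate('omit'));        // two sessions, page sees no username
console.log(simulate('same-origin')); // one session, page sees the username

// In the browser, the corresponding change to the question's call is:
//   fetch('/api/auth/', { method: 'POST', credentials: 'same-origin', ... })
```

The browser attaches the session cookie itself, so it is still sent with the request when `cookie_httponly` is set to TRUE.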
