Codeigniter/PHP sessions security question


Codeigniter/PHP sessions security question: in this article we share one of the most common and frequently asked PHP questions, with detailed answers and code samples. There’s nothing quite so frustrating as being faced with PHP errors and being unable to figure out what is preventing your website from functioning as it should, such as problems with PHP and sessions. If you have an existing PHP-based website or application that is experiencing performance issues, let’s get thinking about the Codeigniter/PHP sessions security question.

I’m developing a web application using Codeigniter. When a user authenticates with my site I’m currently storing their ‘user-identifier’ in my session cookie (which I have enabled encryption on). Several of my model classes use the value in ‘user-identifier’ parameter of the session/cookie to make changes to properties of user accounts.

My concern is that I’m wondering if it’s possible for someone to take a valid codeigniter-session cookie with a user-identifier that I’ve set, change the user-identifier’s value to the value of a different user, and make changes to another user’s account. Would codeigniter/php sessions create an error if someone attempted to change a property of a session cookie?

Solution:

Open your /application/config/config.php, locate “sess_use_database” and change it to “TRUE” if you haven’t already. This way all session variables will be stored in a database table and the session cookie will only contain the session id string.

For added security, you can also change “sess_match_ip” to TRUE. This way, if someone steals your user’s cookie and tries to pass it off as their own, the session will be destroyed.
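The settings this answer refers to, written out as an added example (not code from the original answer, and not the project’s own file): the weak cookie-only configuration beside the hardened database-backed one, followed by a model method that reads the identifier from the server-side session instead of from a cookie. The syntax is CodeIgniter 2.x (where “sess_use_database” exists; CodeIgniter 3 replaced it with “sess_driver”), the table shape follows what the CI 2 user guide describes (column widths vary by version), the encryption_key value is a placeholder, and the model and table names (Account_model, users) are assumptions.

```php
<?php
// application/config/config.php  (CodeIgniter 2.x syntax; added example,
// not from the original answer). Only the session-related keys are shown.

// --- Weak: all session data, including the user identifier, lives in the
// cookie. Without sess_encrypt_cookie the client can decode and edit it,
// and even with it a single encryption_key is all that protects the value.
// $config['sess_use_database']    = FALSE;
// $config['sess_match_ip']        = FALSE;
// $config['sess_match_useragent'] = TRUE;

// --- Hardened: the cookie carries only the session id; data is server-side.
$config['encryption_key']       = 'REPLACE-WITH-32-RANDOM-BYTES'; // placeholder, required for sessions
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;        // seconds; 0 would never expire
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;        // the answer's main point
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;        // destroys the session if the IP changes
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;         // rotate the session id every 5 minutes

/*
Table the database driver expects (shape as in the CI 2 user guide):

CREATE TABLE IF NOT EXISTS `ci_sessions` (
  session_id    varchar(40)  DEFAULT '0' NOT NULL,
  ip_address    varchar(45)  DEFAULT '0' NOT NULL,
  user_agent    varchar(120) NOT NULL,
  last_activity int(10) unsigned DEFAULT 0 NOT NULL,
  user_data     text NOT NULL,
  PRIMARY KEY (session_id),
  KEY `last_activity_idx` (`last_activity`)
);
*/

// application/models/account_model.php (assumed file and class name):
// how a model should obtain the identifier once sessions are database-backed.
class Account_model extends CI_Model
{
    public function update_email($email)
    {
        // With sess_use_database = TRUE this value is read from the
        // ci_sessions row selected by the cookie's session id; the client
        // cannot edit it. userdata() returns FALSE when the key is absent.
        $userId = $this->session->userdata('user_identifier');
        if ($userId === FALSE) {
            return FALSE;                          // not logged in
        }
        // Never use $this->input->cookie('user_identifier') for this:
        // a cookie value is chosen by the client, not by the server.
        $this->db->where('id', $userId);
        return $this->db->update('users', array('email' => $email));
    }
}
```

With sess_use_database enabled, editing the cookie only yields an unknown session id, so the lookup fails and a fresh, unauthenticated session starts; sess_match_ip and sess_match_useragent additionally drop a stolen cookie that is replayed from a different address or browser.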

“it’s possible to take a valid codeigniter-session cookie, change the user-identifier’s value to the value of a different user, and make changes to another user’s”

My answer is not really CI related, so please bear that in mind.

When you auth the user “username1”, what should be sent back to the client for auth purposes is a hash that the server correlates to that user. All communication between the client and the server will rely on that hash.

The server will generate a unique hash per user and the hash should have a short time to live. Can someone capture a hash and pass as that user? Certainly. That’s why you should also check for the user’s Agent and IP to check if they match the hash in order to prevent session hijacking.

I’ve seen some new developers storing the username in a cookie and relying on that client-sent variable to update their databases. Never do this. Do not ever, ever trust the client. When the server gets the client’s hash it should check if it belongs to an authenticated user and grab the user_id (variable to update the user data) from the server. NEVER from the client.

I’m not sure what your “user identifier” is exactly. The general rule is, don’t store anything in the session cookie but the session ID. Store everything else (like a user ID) internally on server side, and retrieve it using the session ID.

If the user changes the session ID (which is a random string), a new session will start. The idea behind the session ID is that it’s impossible to guess other users’ IDs – that’s why it’s random, and so long.
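The two answers above describe the same design: the cookie holds only an opaque random session identifier, the server maps it to a user_id with a short lifetime, and the IP and User-Agent are checked against the session to catch a stolen cookie. The following plain-PHP script is an added example of that design (not code from either answer, and not tied to CodeIgniter): the in-memory $store array stands in for the server-side table, the IP and User-Agent strings are constructed sample values, and storing a SHA-256 hash of the token rather than the token itself is an extra choice made here so that a leaked table does not hand out live sessions.

```php
<?php
// Added example: a minimal server-side session store in plain PHP showing
// "the cookie carries only an opaque random ID; user_id lives on the server".
// $store stands in for a database table and is constructed here.
declare(strict_types=1);

const SESSION_TTL = 900; // 15 minutes: the "short time to live" from the answer

/** @var array<string, array{user_id:int, ip:string, ua:string, expires:int}> */
$store = array();

// Issue a session for an already-authenticated user. Returns the raw token
// that goes into the cookie; only its SHA-256 hash is kept server-side.
function issue_session(array &$store, int $userId, string $ip, string $ua): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits of CSPRNG output
    $store[hash('sha256', $token)] = array(
        'user_id' => $userId,
        'ip'      => $ip,
        'ua'      => $ua,
        'expires' => time() + SESSION_TTL,
    );
    return $token;
}

// Resolve the token presented by the client to a user_id, or null.
// The user_id never comes from the client; it is read from the store.
function resolve_user(array &$store, ?string $token, string $ip, string $ua): ?int
{
    if ($token === null || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;                               // malformed cookie value
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                               // unknown or forged token
    }
    $s = $store[$key];
    if ($s['expires'] < time()
        || !hash_equals($s['ip'], $ip)             // hijack check: address changed
        || !hash_equals($s['ua'], $ua)) {          // hijack check: browser changed
        unset($store[$key]);                       // destroy the session
        return null;
    }
    return $s['user_id'];
}

// What NOT to do: trusting a user identifier sent by the client.
function vulnerable_owner(array $cookies): int
{
    return (int) ($cookies['user_identifier'] ?? 0);
}

// Hardened variant: the owner is whoever the server-side session says.
function safe_owner(array &$store, array $cookies, string $ip, string $ua): ?int
{
    return resolve_user($store, $cookies['sid'] ?? null, $ip, $ua);
}

// Demonstration with constructed values.
$ip    = '203.0.113.10';
$ua    = 'Mozilla/5.0 (constructed sample)';
$token = issue_session($store, 42, $ip, $ua);

// Legitimate request: the cookie holds only the opaque token.
echo 'legitimate request -> user ', var_export(safe_owner($store, array('sid' => $token), $ip, $ua), true), PHP_EOL;

// Tampering: the client sets user_identifier to another user's value.
$tampered = array('sid' => $token, 'user_identifier' => '7');
echo 'tampered, vulnerable handler -> user ', vulnerable_owner($tampered), PHP_EOL;   // attacker's choice wins
echo 'tampered, hardened handler  -> user ', var_export(safe_owner($store, $tampered, $ip, $ua), true), PHP_EOL; // still the session's user

// Forged token that was never issued: rejected.
echo 'forged token -> ', var_export(safe_owner($store, array('sid' => str_repeat('ab', 32)), $ip, $ua), true), PHP_EOL;

// Stolen token replayed from another address: rejected and the session is destroyed,
// so even the original client is logged out afterwards.
echo 'replay from other IP -> ', var_export(safe_owner($store, array('sid' => $token), '198.51.100.5', $ua), true), PHP_EOL;
echo 'original client afterwards -> ', var_export(safe_owner($store, array('sid' => $token), $ip, $ua), true), PHP_EOL;
```

The only client-controlled input that reaches the database lookup is the 64-hex-character token, which is validated for shape before use; every decision about who the user is comes from the stored record, which is exactly the rule both answers state.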
