Codeigniter session security

How can I increase the security of my sessions?

$this->session->userdata('userid')

I've been throwing this little bad boy around for my ajax calls. In some cases I haven't. Then I was like, is this really secure, using the id from the DOM? What if the DOM is changed to hack other users' account data? So then I was like, I guess any time a user is doing something relating to their id, only sessions should be referenced. Am I right?

Referenced like so:

$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));

Then I read this:

While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, an old session could be restored by a user modifying their cookies. http://codeigniter.com/user_guide/libraries/sessions.html

I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?

-------------Problems Reply------------

Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.

What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.

If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.

CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using

$this->session->userdata('userid');

you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.

There are several other protections around the session data: the short refresh timeout (usually 300 seconds), a check whether the IP changed, and a check whether the browser changed. In other words, in the worst-case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.

So, watch out for the guy sitting beside you!
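The settings the reply refers to, and the pattern of trusting only the session for the user's identity, as an added example (not code from the question, the reply, or the CodeIgniter project). The config keys are the real CodeIgniter 2.x session keys from application/config/config.php; `cookie_secure` assumes CI 2.1 or later. The `Notes` controller, `Note_model`, the `notes` table and the `data_id` POST field are hypothetical names chosen for the illustration, and the encryption key is a placeholder:

```php
<?php
// --- application/config/config.php (CodeIgniter 2.x) ---
// Each commented-out line is the weak setting; the live line is the hardened one.

// Weak: cookie-only sessions cannot be validated, so an edited or old cookie
// can be replayed.  Storing sessions in the database lets CI compare the
// presented session ID against the server-side record.
// $config['sess_use_database'] = FALSE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';

// Weak: a plaintext cookie exposes 'userid' (and anything else you store) to
// the browser.  Encrypt it, and give the encryption library a real key.
// $config['sess_encrypt_cookie'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;
$config['encryption_key']       = 'REPLACE_WITH_32_RANDOM_CHARACTERS'; // placeholder

// The extra checks the reply mentions: a copied cookie presented from another
// IP address or another browser/user agent is rejected and a fresh session
// is started, and the session ID is regenerated every 300 seconds.
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;
$config['sess_expiration']      = 7200;   // idle sessions die after two hours

// CI 2.1+: only send the session cookie over HTTPS.
$config['cookie_secure']        = TRUE;

// --- application/controllers/notes.php (hypothetical) ---
class Notes extends CI_Controller {

    // Called via AJAX.  The request may carry any id the page's JavaScript
    // chooses to send; the user's identity is taken from the session only.
    public function update()
    {
        $userId = $this->session->userdata('userid');  // FALSE when not set
        if ($userId === FALSE) {
            $this->output->set_status_header(401);
            return;
        }

        // The record id still comes from the client, so validate its shape.
        $dataId = (int) $this->input->post('data_id');
        if ($dataId <= 0) {
            $this->output->set_status_header(400);
            return;
        }

        $this->load->model('note_model');
        $ok = $this->note_model->do_data_stuff($dataId, $userId);
        $this->output
             ->set_content_type('application/json')
             ->set_output(json_encode(array('updated' => $ok)));
    }
}

// --- application/models/note_model.php (hypothetical) ---
class Note_model extends CI_Model {

    // The ownership check is part of the WHERE clause, so a valid user can
    // never touch a row that belongs to someone else, whatever id was posted.
    public function do_data_stuff($dataId, $userId)
    {
        $this->db->where('id', $dataId);
        $this->db->where('user_id', $userId);
        $this->db->update('notes', array('touched_at' => date('Y-m-d H:i:s')));
        return $this->db->affected_rows() === 1;
    }
}
```

The two halves answer the two questions in the post: the config block is what "use the database" and "encrypt the cookie" mean in practice, and the controller/model pair shows that once the user id is read from the session, the id sitting in the DOM can be changed freely without reaching another user's rows.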

Category:codeigniter Views:2 Time:2011-12-09

