Codeigniter Session Security

How to increase the security of my sessions?

$this->session->userdata('userid') 

I threw this little bad guy in for my ajax calls. In some cases, I did not. Then I thought: is it really safe using the id from the DOM? What if the DOM is modified to crack user account information? So I was thinking that whenever a user does something related to their identifier, it should refer only to sessions. Am I right?

It is called like this:

 $this->some_model->do_data_stuff($dataId, $this->session->userdata('userid')); 

Then I read the following:

As long as the session data array stored in the user's cookie contains the Session ID, if you do not store the session data in the database, there is no way to verify it. For some applications that require little or no security, checking the session ID may not be necessary, but if your application requires security, checking is mandatory. Otherwise, the old session may be restored by the user modifying their cookies. http://codeigniter.com/user_guide/libraries/sessions.html

I am not going to store financial data, but I do not want any data on my site to be corrupted. Does SO use session verification? How much overhead will this validation cost? How will the session be hacked? What are some things to consider when securing a session?

+6
1 answer

Using CodeIgniter sessions with a database will be pretty safe. You just do not need to trust the input that the user gives. Even if you use AJAX, the CodeIgniter session will work just like any standard call, so the same protection continues.

What happens with a CodeIgniter session is that the server stores a cookie, and each time the user performs an action that changes the contents of the cookie, it is first compared to the previous cookie.

If the user changes the contents of the session cookie in the browser, CodeIgniter will notice the next time the server is called and will create a new session for the user, basically unloading it.

CodeIgniter really does not need the data stored in the cookie in the user's browser, and while you use

 $this->session->userdata('userid'); 

you will receive trusted server data. The user cannot change this. In addition, the cookie can be encrypted, and you must encrypt it. Just look in CodeIgniter's config.php.

There are several other protections around session data: a short update timeout (usually 300 seconds), a check whether the IP address has changed, and a check whether the browser has changed. In other words, in the worst case, the only way to fake the session data is to have the same browser version with the same IP address, get direct access to the computer to copy/paste the cookie, and use it within 5 minutes.

So watch out for the guy sitting next to you!

+18
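A config.php fragment and a small controller that follow the advice above, as an added example that is not from the answer or from the CodeIgniter project itself; the `$config` keys are CodeIgniter 2.x's own, while the controller, model and table names and the encryption key are assumptions.

```php
<?php
// Added example: application/config/config.php fragments for CodeIgniter 2.x,
// showing the weak settings the answer warns about next to the hardened
// values, plus a controller that trusts only the server-side session.

// --- application/config/config.php -------------------------------------
// Weak: session data lives entirely in a plaintext cookie, so the server has
// nothing to verify the cookie against and an edited cookie is accepted.
// $config['sess_use_database']    = FALSE;
// $config['sess_encrypt_cookie']  = FALSE;
// $config['sess_match_ip']        = FALSE;
// $config['sess_match_useragent'] = FALSE;

// Hardened: the cookie is encrypted, user data is looked up server-side in
// the sessions table, and a cookie whose id/IP/user agent do not match the
// stored row is discarded and replaced with a fresh, empty session.
$config['encryption_key']       = 'REPLACE_WITH_32_RANDOM_CHARS'; // placeholder
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;  // idle seconds before the session dies
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;  // requires encryption_key above
$config['sess_use_database']    = TRUE;  // enables the session-id check
$config['sess_table_name']      = 'ci_sessions'; // assumed table name
$config['sess_match_ip']        = TRUE;  // reject the cookie from another IP
$config['sess_match_useragent'] = TRUE;  // reject the cookie from another browser
$config['sess_time_to_update']  = 300;   // rotate the session id every 5 minutes
$config['cookie_secure']        = TRUE;  // send the cookie over HTTPS only

// --- application/controllers/data.php (assumed name) --------------------
// The session library is assumed to be autoloaded in autoload.php.
class Data extends CI_Controller {
    public function update() {
        // The record id may legitimately come from the DOM/AJAX request;
        // the owner id must not, so it is read from the session instead.
        $data_id = (int) $this->input->post('data_id');
        $user_id = $this->session->userdata('userid'); // FALSE when not set
        if ($user_id === FALSE) {
            show_error('Not logged in', 401);
        }
        // The model is still expected to check that $user_id owns $data_id,
        // since a user can freely change data_id in the request.
        $this->load->model('some_model');
        $this->some_model->do_data_stuff($data_id, $user_id);
    }
}
```

Note that `sess_match_ip` logs out users whose address changes mid-session (mobile networks, some proxies), so weigh that against the extra protection.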

Source: https://habr.com/ru/post/903434/
