Cookie replay after logout (PHP, CodeIgniter)

I have an application where the login and logout work correctly. Once the user logs out and tries to access a page that needs authentication, he is redirected to the login screen.

Where my problem lies is this: if, while I am logged in, I copy the cookie values and save them to a file, then after logout alter the cookie and add the same values back, I get logged back into the application as the same user.

On logout I have written a function that loops over all the cookies and deletes them.

My understanding is that cookies are on both the client and the server side. So if the cookies are getting deleted, they are getting deleted on both sides, and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).

The reason why I am doing this is that this is one of the points raised by our security auditor, and I need to find a way to fix this hole. (At this point doing HTTPS is not feasible.)

I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so that the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.

Edit:

I am using CodeIgniter sessions and tank_auth as the authentication library. At logout, the library itself calls

$this->ci->session->sess_destroy();

To be extra sure, I tried the following after a few attempts:

session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(), '', 0, '/');
session_regenerate_id(true);

My regular logout works, and if I try to access the page directly it does not open.

But if, while I am logged in, I take my cookie, save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.

Is there a way to stop this behavior, where the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are on the same timezone (setting it with date_default_timezone_set).
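Added example (editor's note; not part of the question, of tank_auth or of CodeIgniter). The behaviour described above is what a purely client-side session looks like. CodeIgniter 2's Session library keeps the session data inside the cookie itself, authenticated with a hash derived from encryption_key (or encrypted when sess_encrypt_cookie is TRUE). When sess_use_database is FALSE the server holds no record that sess_destroy() could remove; it can only tell the browser to drop the cookie, and a saved copy stays valid until sess_expiration passes. The native session_start()/session_destroy() calls in the question do not affect this at all, because the CodeIgniter 2 Session library does not use PHP's native sessions. The fix is to give the server state: set $config['sess_use_database'] = TRUE and create the ci_sessions table from the Session documentation for your version. sess_destroy() then deletes the row, and sess_read() rejects any cookie whose session_id has no matching row (sess_match_ip and sess_match_useragent add further checks). The self-contained PHP script below shows the two models side by side with a simulated replay. It is my own illustration: the in-memory $registry array stands in for the database table, and SECRET_KEY is a made-up placeholder.

```php
<?php
// Added example: why a client-side (signed) session cookie can be replayed
// after logout, and how a server-side session registry stops it.
// Not code from the question, tank_auth or CodeIgniter.

// --- Variant A: stateless cookie. The server keeps nothing and only checks an
// HMAC over the cookie payload. "Logout" can only ask the browser to drop the
// cookie; a saved copy stays valid until it expires.
const SECRET_KEY = 'replace-me-with-a-random-key'; // assumption: the app's key

function stateless_issue(string $user): string {
    $payload = json_encode(['user' => $user, 'exp' => time() + 7200]);
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return base64_encode($payload) . '.' . $mac;
}

function stateless_validate(string $cookie): ?string {
    [$b64, $mac] = explode('.', $cookie, 2) + [null, null];
    if ($b64 === null || $mac === null) return null;
    $payload = base64_decode($b64, true);
    if ($payload === false) return null;
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) return null;
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['user'], $data['exp'])) return null;
    if ($data['exp'] < time()) return null;
    return $data['user'];            // still "logged in": nothing server-side was cleared
}

// --- Variant B: server-side registry. The cookie is an opaque random id; the
// server maps a hash of that id to the user. Logout deletes the entry, so the
// same cookie value presented again finds nothing and is rejected.
// $registry is an in-memory array standing in for a DB table (in CodeIgniter 2:
// ci_sessions with sess_use_database = TRUE).
function registry_issue(array &$registry, string $user): string {
    $id = bin2hex(random_bytes(32));                    // 256-bit random session id
    // Store a hash, not the id, so a read of the table does not yield usable cookies.
    $registry[hash('sha256', $id)] = ['user' => $user, 'exp' => time() + 7200];
    return $id;
}

function registry_validate(array &$registry, string $id): ?string {
    $key = hash('sha256', $id);
    if (!isset($registry[$key])) return null;           // destroyed or never issued
    if ($registry[$key]['exp'] < time()) {              // idle/absolute expiry
        unset($registry[$key]);
        return null;
    }
    return $registry[$key]['user'];
}

function registry_logout(array &$registry, string $id): void {
    unset($registry[hash('sha256', $id)]);              // server-side invalidation
}

// --- Replay test: the attacker saves the cookie, the user logs out, the saved
// cookie is presented again.
$saved = stateless_issue('alice');
// Logout: nothing to do server-side, there is no state to clear.
echo "stateless, replayed after logout: ", stateless_validate($saved) ?? 'REJECTED', "\n";

$registry = [];
$saved = registry_issue($registry, 'alice');
registry_logout($registry, $saved);
echo "registry, replayed after logout: ", registry_validate($registry, $saved) ?? 'REJECTED', "\n";
```

Running this with PHP 7 or later shows the stateless cookie still validating as alice after logout, while the registry variant refuses the replayed id. Two caveats for the auditor's finding: server-side invalidation only ends a session at logout or expiry, so without TLS a cookie captured on the wire remains usable until then (the hole is narrowed, not closed); and keep sess_expiration short and sess_time_to_update enabled so that a cookie the user never explicitly logs out of also stops working after a bounded time.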