
Is the CodeIgniter session cookie secure or not?
<p>I'm wondering how a user could manipulate his cookie.</p> <p>As far as I know, CI can detect that (because of the relation between the cookie value and the unique key at the end of the cookie), and when that happens CI renews the cookie.</p> <p>And it logs this:</p> <blockquote> <p>The session cookie data did not match what was expected. This could be a possible hacking attempt</p> </blockquote> <p>The point is, some people talk about using native PHP sessions to store login data, but the risk of theft is the same (and maybe less for the CI cookie). The only difference I can see is that the user can see what data is stored in the CI session cookie.</p> <p>So is the CI session cookie secure or not? Or why is it less secure than a native PHP session?</p> <p>I care about keeping the load down too, for a high-traffic website.</p> <p>Sorry for my poor English.</p> <p><b>Edit to explain CI session validation:</b></p> <p>Assuming you <strong>do not want to store sensitive data</strong>, the session cookie will not be encrypted and not saved in the database.</p> <p>According to the CI 2.1.3 Session library, method <code>CI_Session::sess_read()</code> is declared at line 135 and method <code>CI_Session::sess_write()</code> at line 235.</p> <p><b>When CI creates the cookie, it puts in this data</b></p> <pre><code>[array] (
    'session_id'    =&gt; random hash,
    'ip_address'    =&gt; 'string - user IP address',
    'user_agent'    =&gt; 'string - user agent data',
    'last_activity' =&gt; timestamp
)
</code></pre> <p>It serializes this array and puts an md5 hash (of the serialized data and the encryption key provided in config) at the end.</p> <pre><code>// if encryption is not used, we provide an md5 hash to prevent userside tampering
$cookie_data = $cookie_data.md5($cookie_data.$this-&gt;encryption_key);
</code></pre> <p><strong>So when the session library is initialized on the next HTTP request to CI</strong></p> <p>It will do and ask itself this:</p> <ol> <li>separate <code>data</code> and <code>hash</code> from the session cookie</li> <li>is the md5 <code>hash</code> equal to <code>md5( data + encryption_key )</code>?</li> <li>can <code>data</code> be unserialized?</li> <li>is all the minimal data here?</li> <li>is this session expired?</li> <li>does the IP match?</li> <li>does the USER AGENT match?</li> </ol> <p>If any of these answers is NO, the CI session will be destroyed and reset.</p> <p>So tell me please, the relative risk compared to PHP native sessions for this case.</p>
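The write/read sequence described in the edit above, as an added example that is not part of the original question and not CodeIgniter's own code. It reproduces the unencrypted-cookie layout (serialized data followed by md5(data . encryption_key)) and the seven read-time checks, then exercises them against a tampered cookie, a cookie replayed from another IP, and an expired one. Assumptions: JSON stands in for PHP's serialize(), the key and the 7200-second expiration are demo values, the session_id is a placeholder, and the constant-time tag comparison is this example's choice rather than a statement about what CI's code does.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real configuration).
ENCRYPTION_KEY = "demo-config-encryption-key"
SESSION_EXPIRATION = 7200  # seconds; stands in for CI's sess_expiration
REQUIRED_KEYS = ("session_id", "ip_address", "user_agent", "last_activity")


def serialize(data):
    # JSON stands in for PHP serialize(); fixed key order keeps the tag reproducible.
    return json.dumps(data, sort_keys=True, separators=(",", ":"))


def unserialize(text):
    try:
        data = json.loads(text)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def write_cookie(data, key=ENCRYPTION_KEY):
    """Unencrypted cookie layout from the question: data + md5(data . key)."""
    payload = serialize(data)
    tag = hashlib.md5((payload + key).encode()).hexdigest()
    return payload + tag


def read_cookie(cookie, client_ip, client_ua, key=ENCRYPTION_KEY, now=None):
    """Replay the seven read-time checks listed in the question.
    Returns the session dict on success, or a short reason string when
    the session would be destroyed and reset."""
    now = time.time() if now is None else now
    if len(cookie) <= 32:  # an md5 hex digest is 32 characters
        return "malformed"
    payload, tag = cookie[:-32], cookie[-32:]          # 1. separate data and hash
    expected = hashlib.md5((payload + key).encode()).hexdigest()
    if not hmac.compare_digest(tag, expected):         # 2. hash matches?
        return "hash mismatch"
    data = unserialize(payload)                        # 3. unserializable?
    if data is None:
        return "unserialize failed"
    if not all(k in data for k in REQUIRED_KEYS):      # 4. minimal data present?
        return "missing keys"
    if data["last_activity"] + SESSION_EXPIRATION < now:  # 5. expired?
        return "expired"
    if data["ip_address"] != client_ip:                # 6. IP matches?
        return "ip mismatch"
    if data["user_agent"] != client_ua:                # 7. user agent matches?
        return "user agent mismatch"
    return data


def tamper(cookie, old, new):
    """Attacker edits the readable data part but cannot recompute the tag without the key."""
    payload, tag = cookie[:-32], cookie[-32:]
    return payload.replace(old, new) + tag


def demo(now=1_700_000_000):
    ua = "Mozilla/5.0 (demo)"
    session = {"session_id": "0" * 32,  # placeholder for CI's random hash
               "ip_address": "203.0.113.5", "user_agent": ua,
               "last_activity": now - 60}
    cookie = write_cookie(session)
    return {
        # anyone holding the cookie can read the data part without the key
        "peeked": unserialize(cookie[:-32]),
        "valid": read_cookie(cookie, "203.0.113.5", ua, now=now),
        "tampered": read_cookie(tamper(cookie, "203.0.113.5", "198.51.100.9"),
                                "198.51.100.9", ua, now=now),
        "stolen_other_ip": read_cookie(cookie, "198.51.100.9", ua, now=now),
        "expired": read_cookie(cookie, "203.0.113.5", ua,
                               now=now + SESSION_EXPIRATION + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "peeked" entry shows the property the question raises: without encryption the cookie is integrity-protected by the tag but fully readable by the client. The "tampered" entry shows that editing the IP in the data part is caught at check 2, before the IP comparison is ever reached.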