Session Collision
CodeIgniter Forums (https://forum.codeigniter.com) - Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) - Libraries & Helpers (https://forum.codeigniter.com/forumdisplay.php?fid=11)
Thread: Session Collision (/showthread.php?tid=76528)
RE: Session Collision - jreklund - 05-22-2020

(05-22-2020, 07:57 AM) dave friend Wrote:
    To help prevent session hijacking and XSS always use the following.

This isn't true regarding sessions; it's forced to be httponly. This prevents all other cookies from being httponly, though.

RE: Session Collision - dave friend - 05-22-2020

(05-22-2020, 09:54 AM) jreklund Wrote:
    This isn't true regarding sessions; it's forced to be httponly. This prevents all other cookies from being httponly, though.

That is correct. CI v3 always sets session cookies for httponly. My reason for bringing it up was that ALL cookies should use that option.

RE: Session Collision - A35G - 05-25-2020

Good morning, short update:

I tried to move the sessions to the database but I couldn't find any difference.

If I have a controller with an if similar to this inside:

PHP Code:
    if ($this->session->userdata('mycode') === 'AAA')

and one PC with two browsers open on the same page (one is Chrome and one is Firefox, for example), one with the user with the AAA code and one with the BBB code, one of the two browsers will assume the identity of the other.

Why? It's ridiculous! Is it my mistake? Do I not understand anything about programming?

Thanks again for your availability.

RE: Session Collision - A35G - 05-26-2020

If it's of any use to anyone: for the moment I solved it by inserting a token in the generated login URL for each user and inserting a check in each controller.

(Session type match + (token in session vs token in URL))
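The workaround described in the last post, written out as an added example in CodeIgniter 3 terms (this is not code from the thread or from the CodeIgniter project). It assumes a base controller `MY_Controller` in application/core, session keys `session_type` and `login_token`, a `t` query parameter carrying the token, and a `Dashboard` controller; none of those names come from the thread. It relies on `hash_equals` (PHP 5.6+) and `random_bytes` (PHP 7+).

```php
<?php
// Added example, not from the thread or from CodeIgniter itself.
// Names below (MY_Controller, session_type, login_token, the `t` query
// parameter, Dashboard) are assumptions for illustration.
defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Controller.php
// Every protected controller extends this; the check runs before any action.
class MY_Controller extends CI_Controller
{
    // Session type this controller accepts; subclasses may override.
    protected $required_session_type = 'user';

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        if ( ! $this->session_matches_request())
        {
            // Do not keep a session that failed the binding check.
            $this->session->sess_destroy();
            show_error('Session does not match this request.', 403);
        }
    }

    // "Session type match + (token in session vs token in URL)"
    protected function session_matches_request()
    {
        if ($this->session->userdata('session_type') !== $this->required_session_type)
        {
            return FALSE;
        }

        $session_token = $this->session->userdata('login_token');
        $url_token     = $this->input->get('t', TRUE);

        if ( ! is_string($session_token) OR $session_token === '' OR ! is_string($url_token))
        {
            return FALSE;
        }

        // Constant-time comparison so the check itself does not leak the token.
        return hash_equals($session_token, $url_token);
    }

    // Build an internal link that carries the token forward to the next page.
    protected function tokenized_url($uri)
    {
        return site_url($uri).'?t='.rawurlencode($this->session->userdata('login_token'));
    }
}

// application/controllers/Login.php
// Extends CI_Controller directly: no token exists yet when the user arrives.
class Login extends CI_Controller
{
    // Call this only after your own credential check has succeeded and
    // produced the user's code ('AAA', 'BBB', ...).
    protected function bind_login($code)
    {
        $this->load->library('session');
        $this->load->helper('url');

        // New session ID at login, then bind this login to a random token.
        $this->session->sess_regenerate(TRUE);
        $token = bin2hex(random_bytes(16));
        $this->session->set_userdata(array(
            'mycode'       => $code,
            'session_type' => 'user',
            'login_token'  => $token,
        ));

        // The generated login URL for this user carries the token.
        redirect(site_url('dashboard').'?t='.$token);
    }
}

// application/controllers/Dashboard.php
class Dashboard extends MY_Controller
{
    public function index()
    {
        // Only reached when the session type and token check above passed.
        if ($this->session->userdata('mycode') === 'AAA')
        {
            echo 'User AAA';
        }
    }
}
```

Two caveats a practitioner would want here. A token in the URL is visible in browser history, Referer headers and server logs, so treat it as a secondary binding check and keep the session cookie (regenerated on login as above) as the primary secret. For the non-session cookies discussed earlier in the thread, `set_cookie()` in CI3 falls back to `$config['cookie_httponly']` and `$config['cookie_secure']` in application/config/config.php, which is where ALL cookies get those flags; the session cookie is httponly regardless of that setting, as the thread notes.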