CodeIgniter Forums

Full Version: Session Security
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Today i tried to copy cookies from a browser to another and i found that i was logged in !

in the 2.x version there was browser-based encryption sess_match_useragent

depending on IP change is not practical sess_match_ip as IPs change periodically

So, Guys what is the solution to this problem ?
I guess the logic there is, if attacker already can access cookies in one browser, he already has access to user session and adding check to see if they now use same session in different browser offers very little in terms of actually stopping attacker - they can just keep using original browser for whatever they wanted to do.

You can try to regenerate session ID, so older IDs expire relatively quickly, but that means if user is idle for longer periods, they would need to log back in.

Depends what kind of app you are developing. If it's for example bank app, no one sits there all day long, so you can assume user wants to do specific thing and don't mind if they are logged out after 5 minutes, for example. On flip side, if it's app user wants to use throughout the day, but in short bursts, if they have to log in 10-15 times a day, they will have negative experience too.
(10-22-2018, 03:49 AM)Pertti Wrote: [ -> ]...

You can try to regenerate session ID, so older IDs expire relatively quickly, but that means if user is idle for longer periods, they would need to log back in.

...

Session regeneration has nothing to do with session expiration. If regeneration of a session ID is causing logouts, then there's something wrong with the authentication package, not CodeIgniter's session.