CI Session and Firesheap - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: CI Session and Firesheap (/showthread.php?tid=35625)
CI Session and Firesheap - El Forum - 11-05-2010

[eluser]kkristo[/eluser]
How bulletproof is CI's session against Firesheep (session takeover)?

CI Session and Firesheap - El Forum - 11-05-2010

[eluser]WanWizard[/eluser]
Firesheep uses a technique called "sidejacking", which involves intercepting the session cookie. If used properly, CI's session cookies are safe from this technique, since they contain information that links the session to a specific PC and browser (using an IP and browser agent check).

Furthermore, a CI session cookie should be encrypted, which makes it useless for any interceptor, and should also contain absolutely NO user data (so don't use cookie-only sessions; use the database or another server-based storage system).

Another safety measure is to allow access to your site only via HTTPS. This encrypts the communication between browser and site, so nothing can be intercepted. Encryption is CPU intensive, so think about server sizing (or possible offloading) if you want to go this route.

CI Session and Firesheap - El Forum - 11-05-2010

[eluser]kkristo[/eluser]
Thanks for the answer. Google's test shows that an HTTPS connection doesn't take significantly more CPU.

If we use cookie encryption + IP check + browser check and store the data in MySQL, are we safe in most cases? Can another user not take over the session?

CI Session and Firesheap - El Forum - 11-05-2010

[eluser]WanWizard[/eluser]
Not if you also take the other measures into account. So NO user data in the cookie (then there are no credentials to steal), and encrypt the cookie (so its contents, the control measures like IP address, can not be altered).

And yes, HTTPS server side does cost CPU. What do you think takes care of all encryption (which is a mathematical algorithm)? Whether or not it is significant depends on your site, your server, and the number of page requests the server has to serve.

Note, the Firesheep trick is just one of the many ways of getting access to your site. CSRF is also very easy to implement, especially if you can position yourself as man-in-the-middle (which is everywhere you can use Firesheep).
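The measures WanWizard lists map onto stock CodeIgniter session settings. The following is an added example, not code from the thread or from CodeIgniter itself: the weak block is the cookie-only default that a replayed cookie can abuse, the hardened block applies encryption, database storage, IP/User-Agent binding and HTTPS-only cookies. The key names are the CI 1.7/2.0 ones; `cookie_secure` and the HTTPS redirect assume CI 2.0+ and a TLS-terminating web server (assumptions).

```php
<?php
// application/config/config.php

/* ---- Weak: cookie-only, plaintext, not bound to the client ---- */
$config['sess_encrypt_cookie']  = FALSE;  // cookie contents readable and editable by anyone holding it
$config['sess_use_database']    = FALSE;  // all userdata travels inside the cookie
$config['sess_match_ip']        = FALSE;  // a captured cookie is accepted from any IP address
$config['sess_match_useragent'] = FALSE;  // ... and from any browser
$config['cookie_secure']        = FALSE;  // cookie is also sent over plain HTTP (CI 2.0+ key)

/* ---- Hardened: the settings discussed in the thread ---- */
$config['encryption_key']       = 'REPLACE-WITH-32-RANDOM-CHARS';  // placeholder; generate a real key, keep it out of version control
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // seconds; shorter sessions narrow the replay window
$config['sess_encrypt_cookie']  = TRUE;   // interceptor sees ciphertext; IP/UA fields inside cannot be edited
$config['sess_use_database']    = TRUE;   // userdata lives server-side in ci_sessions; cookie carries only id + checks
$config['sess_table_name']      = 'ci_sessions';   // create it as described in the CI user guide (Session class)
$config['sess_match_ip']        = TRUE;   // session bound to the client IP address
$config['sess_match_useragent'] = TRUE;   // ... and to the User-Agent string
$config['sess_time_to_update']  = 300;    // regenerate session_id every 5 minutes
$config['cookie_secure']        = TRUE;   // browser sends the cookie over HTTPS only (CI 2.0+)

// application/core/MY_Controller.php (CI 2.0+), hypothetical base controller:
// refuse plain-HTTP access so the cookie never crosses an unencrypted link.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // Assumes the web server sets $_SERVER['HTTPS'] = 'on' for TLS requests.
        if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
            redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 'refresh');
        }
    }
}
```

With `sess_match_ip` enabled, users behind carrier NAT or rotating proxies will be logged out when their address changes; weigh that against the replay protection before turning it on for a mobile-heavy site.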