CodeIgniter Forums
How to fix session management issues found on a security audit - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: How to fix session management issues found on a security audit (/showthread.php?tid=73927)



How to fix session management issues found on a security audit - einav - 06-25-2019

I'm being audited for security, and received a report listing required fixes for my web application, regarding session management.

These are the things I'm required to change:
1. Create idle-timeout mechanism to end the session after 60 minutes of inactivity
- Easy enough. Under config.php I set $config['sess_expiration'] = 3600;

2. Set up a session timeout mechanism to end the session after a long time of activity, say 10 hours. This is to block scripts from using the application.
- This one is trickier. I couldn't find a config setting in CI to achieve this. Is there? If not - how would you recommend I implement this?

3. Session must be destroyed on application errors, so that on system crash, there will be no open session which another user can log on to.
- Huh? I'm not even sure what they mean by this... Any pointers would be highly appreciated.
How does CI handle sessions when an error has occurred?

I'm using CI 3.1.8, and this is the current session config I use:

PHP Code:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'cisession';
$config['sess_expiration'] = 3600;
$config['sess_save_path'] = BASEPATH . 'cache/'; // concatenation operator was missing
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE; // trailing semicolon was missing

Thanks!

einav


RE: How to fix session management issues found on a security audit - mladoux - 06-25-2019

If you set an option in your sessions to define the session initial start, and extend the gc function of your intended session driver, you could add code to check how long since the session was initially created ( active or not ) and destroy anything over a set time period.

For destroying a session on application error, you'll need to catch the errors using try/catch routines and destroy the session whenever an error occurs. See https://www.php.net/manual/en/language.exceptions.php
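
An added example, not code from this thread or from CodeIgniter itself, of the two checks mladoux describes, implemented as a CI 3 `post_controller_constructor` hook rather than by extending the driver's gc: the session records when it was first created and is destroyed once that age exceeds an absolute limit (item 2), and an exception handler destroys the session before CI's own error handling runs (item 3). The hook class, file names, the `session_started_at` key and the `login` redirect target are assumptions.

```php
<?php
// Added example (not from the thread). Register in application/config/hooks.php:
//   $hook['post_controller_constructor'][] = array(
//       'class' => 'SessionLifetime', 'function' => 'enforce',
//       'filename' => 'SessionLifetime.php', 'filepath' => 'hooks');
// and set $config['enable_hooks'] = TRUE; in application/config/config.php.
defined('BASEPATH') OR exit('No direct script access allowed');

class SessionLifetime
{
    // Absolute lifetime in seconds: 10 hours regardless of activity.
    // sess_expiration (3600) only covers idle time and cannot enforce this.
    const MAX_LIFETIME = 36000;

    public function enforce()
    {
        $CI =& get_instance();
        $CI->load->library('session');
        $CI->load->helper('url');

        // Key name is an assumption; userdata() returns NULL when it is unset.
        $started = $CI->session->userdata('session_started_at');
        if ($started === NULL) {
            // First request of a fresh session: record its creation time.
            $CI->session->set_userdata('session_started_at', time());
        } elseif (time() - (int) $started > self::MAX_LIFETIME) {
            // Older than the absolute limit: drop the session data and cookie,
            // even though the idle timeout alone would have kept it alive.
            $CI->session->sess_destroy();
            redirect('login'); // assumption: a login route exists; redirect() exits
        }

        // Item 3: on an uncaught exception, destroy the session first, then
        // hand off to CodeIgniter's default handler (_exception_handler in
        // system/core/Common.php) for logging and the error page.
        set_exception_handler(function ($e) use ($CI) {
            $CI->session->sess_destroy();
            _exception_handler($e);
        });
    }
}
```

Because `sess_regenerate_destroy` is FALSE in the posted config, the old session file lingers until gc after each ID rotation; the absolute-age check above still applies to it because `session_started_at` travels with the session data.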


RE: How to fix session management issues found on a security audit - InsiteFX - 06-25-2019

2. Set up a session timeout mechanism to end the session after a long time of activity, say 10 hours. This is to block scripts from using the application.

- This one is trickier. I couldn't find a config setting in CI to achieve this. Is there? If not - how would you recommend I implement this?

You would need to do this using JavaScript.

Here is a link to a script that you should be able to modify to do what you need.

Session Timeout Warning With Countdown Using PHP, jQuery And HTML