CodeIgniter Session cookies and Apache mod_security not compatible?
[eluser]neoflame[/eluser]
My host uses mod_security for Apache which checks cookies for SQL injections (among other things) and incorrectly identifies ci_session cookies as harmful because of the number of special characters in the encrypted form. This causes a 403 Forbidden error on every path the cookie applies to. Apache log file: Code:
"Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" ... "at REQUEST_COOKIES:ci_session"
The site is being moved from the previous host, which did not use mod_security, so the entire site is already written with the native session class. Does anyone know what my options are? Can I change the encryption method to one that doesn't tip mod_security? Can I replace the native session class with a third party one which uses the same syntax? Any help appreciated! Stephen
[eluser]TheFuzzy0ne[/eluser]
To disable mod_security, placing the following in your .htaccess file (before any routing) should work. Code:
<IfModule mod_security.c>
# mod_security 1.x directives: turn the filter engine off for this directory
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Alternatively, encrypting the cookie might work. In ./application/config/config.php: Code:
$config['sess_encrypt_cookie'] = TRUE;
[eluser]neoflame[/eluser]
[quote author="TheFuzzy0ne" date="1367603796"]To disable ...[/quote] Hello, thanks for the reply. Unfortunately that htaccess code doesn't seem to make any difference. Perhaps the server is configured to not allow disabled mod_security on a site-by-site basis? I've tried adding new rules and instructing it to allow the transaction but that proved unsuccessful too. The cookies are already encrypted, but unencrypting them doesn't help either unfortunately.
[eluser]neoflame[/eluser]
I've had success swapping out the built-in session class with this third party one https://github.com/EllisLab/CodeIgniter/...sion-Class I chose it because the method syntax is exactly the same allowing me to reuse my old code. Anyone else with this problem: BE AWARE that any other users with the old cookie still on their machine will still be BLOCKED by mod_security unless you do something about that, which I am working on myself now.
[eluser]TheFuzzy0ne[/eluser]
I think I'd speak to the Web host, and ask them what they suggest. They may be able to disable it for your vhost, or give you some way of overriding it. I'm not sure what character is causing the problem. The only ones I can think of, are either a '=' or a semi-colon. I've used quite a lot of hosts in the past, and I've never come across this problem. Security is a good thing, for sure, but I can't help thinking that mod_security is a bit too anal for a shared host environment (assuming it's shared).
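An added example, not from this thread or from CodeIgniter, that rebuilds the shape of the CI 2.x native ci_session value described in the first post (PHP-serialized array plus md5) and counts the restricted characters a rule of this kind would see, next to an opaque ID-only cookie such as a database-backed session class sends. The character class and threshold are assumptions that approximate the Core Rule Set rule, not the host's actual configuration.

```python
import hashlib

# Approximation of the character class counted by the ModSecurity Core Rule Set
# rule behind "Restricted SQL Character Anomaly Detection Alert"; the exact class
# and threshold depend on the CRS version and the host's tuning (assumption).
RESTRICTED_CHARS = set("~!@#$%^&*()-+={}[]|:;\"'`<>")
THRESHOLD = 12  # assumption: illustrative limit, not the host's real setting


def php_serialize(data: dict) -> str:
    """Minimal PHP serialize() for a flat dict of str/int values, the shape the
    CodeIgniter 2.x native session class writes into ci_session."""
    body = ""
    for key, value in data.items():
        body += f's:{len(key)}:"{key}";'
        if isinstance(value, int):
            body += f"i:{value};"
        else:
            body += f's:{len(value.encode())}:"{value}";'
    return f"a:{len(data)}:{{{body}}}"


def native_session_cookie(data: dict, encryption_key: str) -> str:
    """Unencrypted ci_session value: serialized array followed by an md5 over
    the serialized data and the encryption key (sess_encrypt_cookie = FALSE)."""
    payload = php_serialize(data)
    return payload + hashlib.md5((payload + encryption_key).encode()).hexdigest()


def id_only_cookie(session_id: str) -> str:
    """Cookie carrying only an opaque identifier; the session data stays
    server-side, as a database-backed session class would keep it."""
    return session_id


def restricted_char_count(cookie_value: str) -> int:
    return sum(1 for ch in cookie_value if ch in RESTRICTED_CHARS)


def would_trip_rule(cookie_value: str, threshold: int = THRESHOLD) -> bool:
    return restricted_char_count(cookie_value) > threshold


# Constructed sample session data with the four fields CI 2.x always stores.
SAMPLE_SESSION = {
    "session_id": "c4ca4238a0b923820dcc509a6f75849b",
    "ip_address": "192.0.2.10",
    "user_agent": "Mozilla/5.0 (constructed sample UA)",
    "last_activity": 1367603796,
}

if __name__ == "__main__":
    native = native_session_cookie(SAMPLE_SESSION, "constructed-key")
    print("native:", restricted_char_count(native), would_trip_rule(native))
    print("id-only:", restricted_char_count(id_only_cookie(SAMPLE_SESSION["session_id"])))
```

Almost every separator in the serialized form (`:`, `;`, `"`, `{`, `}`) is in the restricted class, so the count grows with every field stored in the cookie, whereas a hex session identifier contributes none.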