Cookie protection or crypt
#1

(This post was last modified: 07-31-2022, 04:01 PM by UchihaSV.)

Hello, in CI4 we use the session and cookies to keep users logged in and for other things which need to be protected. I think the session already has some protection from the HTTP server. But if we need to keep some info between sessions, we use a cookie, which creates a record on the client side (browser). And some users can modify this record. For example, some sites can just write user_id in the cookie and restore the session from it, because this is simple. If we set "cookie.secure = true" in the .env file, will this help for the above case? I tried to use this param and got many new CodeIgniter sessions in one browser session, one for every page refresh, and this is not usable; maybe it needs more configuration from the HTTP server or what? Or do we need to use another way to secure the cookie record, like encryption or something?
Reply
#2

(This post was last modified: 07-31-2022, 04:45 PM by kenjis.)

(07-31-2022, 04:01 PM)UchihaSV Wrote: For example, some sites can just write user_id in the cookie and restore the session from it, because this is simple.

It may be simple, but it is vulnerable. If I set the admin user_id in my cookie, can I log in to your site as an admin?

(07-31-2022, 04:01 PM)UchihaSV Wrote: If we set "cookie.secure = true" in the .env file, will this help for the above case?

No, not at all.

You are using Session. So why don't you set user_id in Session?
It is safe. Users can't set the value and can't read the value.
Reply
#3

(This post was last modified: 07-31-2022, 06:03 PM by UchihaSV.)

@kenjis
Ok, then how can we resolve this problem with a simple solution?

I remember in CI3 there was a "secret_key" in the settings, which you set to something like "sghf7hdfg6798hj6789sdfg678jsdf67", and this protected your sessions and other things? In CI4 I do not see a setting like this.
I think this could be useful to encrypt the cookie (and other things) and decrypt it on reading with this key, and as a result we have protection, because the client doesn't know the secret key. Maybe we need to use something like this for cookies in CI4 out of the box?
Reply
#4

Sorry, I didn't quite understand your situation. You mean the Remember-me feature.

You can encrypt cookie data before setting it with Encryption.
https://codeigniter4.github.io/CodeIgnit...ption.html

CodeIgniter Shield has Remember-me feature. See the code:
https://github.com/codeigniter4/shield/
Reply
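As an added example (not code from this thread, from CodeIgniter or from Shield), the two options the replies above recommend, written as a hypothetical CI4 controller: user_id kept in the server-side Session for the current login, and an encrypted, expiring cookie built with CI4's Encryption service (keyed from `encryption.key` in .env) for keeping a login between browser sessions. The class and method names are made up for illustration.

```php
<?php
// Added example, not code from this thread or from the CodeIgniter project.
// Assumes a stock CI4 app with `encryption.key` set in .env.
namespace App\Controllers;

use CodeIgniter\Encryption\Exceptions\EncryptionException;
use Config\Services;

class Auth extends BaseController
{
    // Within one browser session: keep user_id server-side. The browser only
    // carries the session id and can neither read nor change the value.
    // (Writing user_id itself into a cookie, as in the thread, lets any user
    // edit it to another id.)
    public function loginToSession(int $userId): void
    {
        session()->regenerate(); // fresh session id after login
        session()->set('user_id', $userId);
    }

    // Across sessions ("remember me"): encrypt and authenticate the value with
    // CI4 Encryption before it leaves the server. The key stays in .env, so the
    // client cannot read or forge it; the embedded expiry bounds replay of an
    // old cookie.
    public function rememberEncrypted(int $userId): void
    {
        helper('cookie');
        $payload = json_encode(['uid' => $userId, 'exp' => time() + 30 * 86400]);
        $token   = base64_encode(Services::encrypter()->encrypt($payload));
        // secure + httponly flags: only sent over HTTPS, not readable by JS
        set_cookie('remember', $token, 30 * 86400, '', '/', '', true, true);
    }

    public function userIdFromRememberCookie(): ?int
    {
        helper('cookie');
        $bin = base64_decode((string) get_cookie('remember'), true);
        if ($bin === false || $bin === '') {
            return null;
        }
        try {
            // decrypt() verifies the HMAC first, so a tampered cookie throws here
            $data = json_decode(Services::encrypter()->decrypt($bin), true);
        } catch (EncryptionException $e) {
            return null;
        }
        return ($data['exp'] ?? 0) > time() ? (int) $data['uid'] : null;
    }
}
```

Because CI4's Encryption authenticates the ciphertext, a cookie that was edited or re-encrypted with a different key fails in `decrypt()` rather than yielding a wrong user_id; treat a failure as "not logged in" and log it if you want to spot tampering attempts.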




Theme © iAndrew 2016 - Forum software by © MyBB