Using session class for secure logins

#16
[eluser]WebsiteDuck[/eluser]
Sorry to bring up a 3 month old thread but I share the concern about CI sessions being insecure.

If you are not going to use encryption+database (which would be more secure) then you should just use PHP sessions.

In PHP sessions, an attacker can compromise one account by hijacking the session ID, which is unlikely but not impossible. Data is stored server-side and cannot be changed by a user unless they have access to the webserver.

In the default CI sessions, any user can modify their cookie and change, for instance, their logged in username. This compromises every account.

Using CI sessions with encryption and database would be more secure though, I believe. This should make session ID hijacking less likely.

So that's my two cents. Coders should not assume default CI sessions act like PHP sessions, or they risk being insecure. Feel free to correct me if I'm mistaken anywhere.

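The three designs compared in the post above, side by side, as an added example that is not part of the original thread and is not CodeIgniter's code: a session cookie that carries the data with no integrity check (the situation the post describes for default CI sessions, where the user can rewrite their own username), the same cookie with an HMAC tag so that edits are detected, and a server-side store where the cookie holds only a random ID, which is how PHP's default session handler works. The secret key, the JSON cookie layout, the sample user record and the in-memory store are constructed for the demo and are assumptions, not anything the post or CodeIgniter specifies.

```python
"""Three ways of keeping login state, side by side.

Added example; not CodeIgniter's code. The key, cookie layout, sample
user record and in-memory store are constructed for this demo.
"""
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret for the HMAC variant (assumption: a real
# application loads this from configuration, never from source control).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


# --- 1. Unsigned client-side session: data lives in the cookie as-is -------
def make_unsigned_cookie(data: dict) -> str:
    """Serialise the session into the cookie value with no integrity check."""
    return json.dumps(data, sort_keys=True)


def read_unsigned_cookie(cookie: str) -> dict:
    """The server trusts whatever the browser sends back."""
    return json.loads(cookie)


# --- 2. Signed client-side session: data in the cookie plus an HMAC tag ---
def make_signed_cookie(data: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the session and append HMAC-SHA256(key, payload)."""
    payload = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Hex keeps the value within cookie-safe characters.
    return payload.hex() + "." + tag


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict, or None if the cookie was altered."""
    try:
        payload_hex, tag = cookie.rsplit(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)


# --- 3. Server-side session: cookie holds only an unguessable ID ----------
class ServerSessionStore:
    """Minimal in-memory stand-in for PHP's default session handler."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = dict(data)
        return sid

    def read(self, sid: str):
        return self._sessions.get(sid)


def tamper(cookie: str, old: str, new: str) -> str:
    """All a user can do to their own cookie: edit the text in the browser."""
    return cookie.replace(old, new)


def run_demo() -> dict:
    """Return who each scheme believes the tampering client is."""
    login = {"username": "alice", "logged_in": True}
    results = {}

    # Scheme 1: editing the cookie changes the account the server sees.
    c1 = tamper(make_unsigned_cookie(login), "alice", "admin")
    results["unsigned"] = read_unsigned_cookie(c1)["username"]

    # Scheme 2: the same edit inside the hex payload; the tag no longer matches.
    c2 = tamper(make_signed_cookie(login), b"alice".hex(), b"admin".hex())
    results["signed"] = read_signed_cookie(c2)  # None: rejected

    # Scheme 3: there is no user data in the cookie to edit, only the ID;
    # the attacker is reduced to obtaining or guessing a valid ID.
    store = ServerSessionStore()
    sid = store.create(login)
    results["server_side"] = store.read(sid)["username"]
    results["server_side_guess"] = store.read(secrets.token_urlsafe(32))  # None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The HMAC variant closes the "change my own username" hole, but the user can still read everything in the cookie and replay an older signed copy; only the server-side store keeps the data out of the user's hands entirely, leaving session-ID theft as the remaining attack, which is the distinction the post draws.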

Messages In This Thread
Using session class for secure logins - by El Forum - 10-16-2009, 11:49 AM
Using session class for secure logins - by El Forum - 10-16-2009, 12:28 PM
Using session class for secure logins - by El Forum - 10-16-2009, 02:28 PM
Using session class for secure logins - by El Forum - 10-16-2009, 03:10 PM
Using session class for secure logins - by El Forum - 10-16-2009, 07:56 PM
Using session class for secure logins - by El Forum - 10-16-2009, 09:55 PM
Using session class for secure logins - by El Forum - 10-16-2009, 11:13 PM
Using session class for secure logins - by El Forum - 10-17-2009, 12:09 AM
Using session class for secure logins - by El Forum - 10-17-2009, 06:47 AM
Using session class for secure logins - by El Forum - 10-18-2009, 02:17 PM
Using session class for secure logins - by El Forum - 10-18-2009, 03:23 PM
Using session class for secure logins - by El Forum - 10-18-2009, 04:13 PM
Using session class for secure logins - by El Forum - 10-18-2009, 08:29 PM
Using session class for secure logins - by El Forum - 10-18-2009, 08:31 PM
Using session class for secure logins - by El Forum - 10-19-2009, 04:05 AM
Using session class for secure logins - by El Forum - 01-07-2010, 03:00 PM
