Session fixation and Session hijacking attack
#6

(06-28-2016, 01:21 AM)skunkbad Wrote: A quick read of this:

https://www.owasp.org/index.php/Session_fixation

seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this:

https://en.wikipedia.org/wiki/Session_hijacking

Things that are contributing to the session hijacking protection:
1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.

Hi Skunkbad,
Thanks for your reply. I was interested in this point:

Quote: Things that are contributing to the session hijacking protection:
2) Binding a session to an IP address.

I searched on Google about that point and found this information:
http://stackoverflow.com/questions/63171...28#6317228


"Open your /application/config/config.php, locate "sess_use_database" and change it to "TRUE" if you haven't already. This way all session variables will be stored in a database table and session cookie will only contain session id string.
For added security, you can also change "sess_match_ip" to TRUE. This way if someone steals your user's cookie and tries to pass it as their own, session will be destroyed."


My question: is that point enough?


Thanks
RE: Session fixation and Session hijacking attack - by projack89 - 06-28-2016, 02:39 AM
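The two defences named in this thread, regenerating the session ID at login and binding the session to the client's IP address, can be shown in plain PHP independently of CodeIgniter's config switches. The block below is an added example written for this page; it is not code from the forum thread, from skunkbad, or from the CodeIgniter project. The function names (`login_user`, `validate_session`) and the session keys (`bound_ip`, `last_regen`) are my own, and the IP comparison assumes `$_SERVER['REMOTE_ADDR']` is the real client address (behind a reverse proxy you would need to resolve the client address first).

```php
<?php
// Added example, not from the forum thread or CodeIgniter: session ID
// regeneration on login plus binding the session to the client IP.
// Function names and session keys are assumptions chosen for this example.

declare(strict_types=1);

session_start();

// Call only after the user's credentials have been verified.
function login_user(int $user_id): void
{
    // Discard the pre-login session ID and its server-side data, so an ID
    // that was planted or captured before login is worthless afterwards.
    // This is the step that closes the session-fixation hole the thread
    // discusses: a new ID is issued exactly at the privilege change.
    session_regenerate_id(true);

    $_SESSION['user_id']    = $user_id;
    $_SESSION['bound_ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_regen'] = time();
}

// Call on every request that requires an authenticated user.
// Returns true while the session is trusted; otherwise destroys it and
// returns false.
function validate_session(int $regen_interval = 300): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }

    // Equivalent of CodeIgniter's sess_match_ip: a session cookie presented
    // from a different address is treated as stolen and the session is ended.
    $bound_ip   = (string) ($_SESSION['bound_ip'] ?? '');
    $current_ip = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    if ($bound_ip === '' || !hash_equals($bound_ip, $current_ip)) {
        session_unset();
        session_destroy();
        return false;
    }

    // Periodic regeneration: a captured ID stays usable only until the next
    // rotation, which limits the value of a hijacked cookie.
    if (time() - (int) ($_SESSION['last_regen'] ?? 0) > $regen_interval) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }

    return true;
}

// Typical use: after a successful password check, call login_user($id);
// at the top of each protected page, redirect to the login form when
// validate_session() returns false.
```

The IP check is the part to weigh carefully: clients on mobile networks or behind carrier-grade NAT can change address mid-session, so `sess_match_ip` (or the check above) will log those users out; regenerating the ID at login is the defence that costs nothing in usability and should always be on. The `sess_use_database` setting quoted from Stack Overflow belongs to CodeIgniter 2.x; CodeIgniter 3 replaced it with `sess_driver = 'database'`, while `sess_match_ip` and `sess_time_to_update` kept their names.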