Session Validation
#1

I'm struggling to figure out how the session id validation should work. (CI version 3.1.11, PHP 7.2)

1. Nobble the cookie session value to some 32 character string in the browser
2. Submit the request

I would expect the submitted cookie value to be ignored, i.e. a new session id to be generated as per use_strict_mode, but this is not what happens.


Debug:
Session_driver php5_validate_id successfully detects the invalid id and the value of the cookie_name in the $_COOKIE array is unset.
Session_files_driver open function is then called with the user injected session id and subsequently opens a new session using that id.

What am I missing - perhaps I've misunderstood but I thought CI enforced use_strict_mode to prevent this?

Any help gratefully received. Security audit has failed us on this but I know the previous bug in this area was resolved in 3.1.9.
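The two-step check in the post can be modelled outside CodeIgniter. The Python below is an added example, not CI's session driver or anything from this thread: a minimal in-memory session store with a strict_mode switch that, as assumed here, follows the PHP use_strict_mode semantics (an id that is not already in the store is never adopted; the server picks a fresh one). fixation_test replays the post's steps with a planted 32-character cookie value and reports whether the server refused it. The id format (32 hex characters) and the names SessionStore, open and fixation_test are assumptions chosen for this illustration.

```python
import re
import secrets

# Assumed id format for this example: 32 lowercase hex characters.
SID_RE = re.compile(r"^[0-9a-f]{32}$")


def new_sid():
    """Server-chosen session id (32 hex chars, 128 bits of entropy)."""
    return secrets.token_hex(16)


class SessionStore:
    """Constructed in-memory stand-in for a file-backed session store (example only)."""

    def __init__(self, strict_mode=True):
        self.strict_mode = strict_mode
        self.data = {}  # sid -> session payload

    def open(self, cookie_sid):
        """Resolve the session for a request carrying cookie_sid (None if no cookie).

        Returns (sid, regenerated). regenerated is True when the server
        discarded the client's value and issued a new id.
        """
        if cookie_sid is not None and SID_RE.match(cookie_sid):
            if cookie_sid in self.data:
                # Known id: resume the existing session.
                return cookie_sid, False
            if not self.strict_mode:
                # Lax behaviour: adopt the client-supplied id and create a
                # session under it. An attacker who planted this cookie now
                # knows the victim's session id (session fixation).
                self.data[cookie_sid] = {}
                return cookie_sid, False
        # Strict behaviour: unknown or malformed id is never trusted; start a
        # new session under a server-chosen id and re-issue the cookie.
        sid = new_sid()
        self.data[sid] = {}
        return sid, True


def fixation_test(strict_mode):
    """Replay the post's steps: plant a well-formed 32-char value, submit once.

    Returns True when the server refused the planted id (the id it used
    differs from the cookie value), False when it adopted it.
    """
    store = SessionStore(strict_mode=strict_mode)
    planted = "a" * 32  # tampered cookie value, constructed for the test
    used_sid, _regenerated = store.open(planted)
    return used_sid != planted


if __name__ == "__main__":
    print("strict refuses planted id:", fixation_test(True))
    print("lax refuses planted id:   ", fixation_test(False))
```

Against the real application the equivalent observations are the Set-Cookie header in the response, which must carry a server-chosen id rather than the planted one, and the session storage directory, where no session file should appear under the planted name.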


Messages In This Thread
Session Validation - by nicola.jones_redcrake.com - 10-16-2019, 07:47 AM
RE: Session Validation - by php_rocs - 10-16-2019, 08:22 AM
RE: Session Validation - by php_rocs - 10-17-2019, 05:34 AM



Theme © iAndrew 2016 - Forum software by © MyBB