Session Validation
#6

(10-17-2019, 05:34 AM)php_rocs Wrote: @nicola.jones_redcrake.com,

Is it possible to see some code and where the error takes place?
Your session should be active before setting any session variables (as you mentioned above).

@php_rocs I've attached the 3 CI classes involved but this is the flow:

Browser sends user injected session cookie e.g. 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

Session.php constructor:

Checks the cookie matches the regex etc. (unsetting the cookie name here works correctly and results in a new session with a newly generated id) 
For this use case the injected session id matches the regex so cookie name is still set.

Then calls session_start() which invokes open and read functions.  

Session_files_driver.php open 
$this->php5_validate_id();   // this was the fix in 3.1.9 for use_strict_mode I believe

Session_driver.php:

PHP Code:
public function php5_validate_id()
{
    // Drop the cookie if its value does not pass the session-id check
    if (isset($_COOKIE[$this->_config['cookie_name']]) && ! $this->validateSessionId($_COOKIE[$this->_config['cookie_name']]))
    {
        unset($_COOKIE[$this->_config['cookie_name']]);
    }
}

Session_files_driver.php read function is still called with the user injected session id so creates a new session using that id:

PHP Code:
public function read($session_id)
{
        // This might seem weird, but PHP 5.6 introduces session_reset(),
        // which re-reads session data
        if ($this->_file_handle === NULL)
        {
            $this->_file_new = ! file_exists($this->_file_path.$session_id);

            // 'c+b' creates the file if it does not exist, i.e. a new session
            // is created under whatever id was passed in
            if (($this->_file_handle = fopen($this->_file_path.$session_id, 'c+b')) === FALSE)
            {
                log_message('error', "Session: Unable to open file '".$this->_file_path.$session_id."'.");
                return $this->_failure;
            }
            // remainder of read() not included in the post
        }
}

OWASP says user injected session id should never be used to create a session. Unsetting the cookie in php5_validate_id is insufficient it seems? (not sure why it's called php5 since I can't see any check for php version)

Attached Files
.php   Session.php (Size: 22.55 KB / Downloads: 3)
.php   Session_driver.php (Size: 4.56 KB / Downloads: 1)
.php   Session_files_driver.php (Size: 10.67 KB / Downloads: 6)
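The behaviour described in the post, as an added example that is not part of the original thread and is not CodeIgniter code: a minimal file-backed save handler that implements validateId(), so that PHP's own session.use_strict_mode decides whether a client-supplied id is accepted. PHP calls validateId() inside session_start(), after open() and before read(), and a false return makes it generate a fresh id; unsetting $_COOKIE from inside open() cannot have the same effect because PHP has already copied the id out of the cookie by then. The class name, the demo() function and the directory path are assumptions of this example; it assumes PHP 7.1 or newer and a writable temp directory.

```php
<?php
// Added example, not CodeIgniter code. A file-backed session save handler whose
// validateId() lets PHP's strict mode reject any id the server never issued.
// Assumes PHP >= 7.1 and a writable directory (the path given to demo() is a placeholder).
declare(strict_types=1);

final class StrictFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $dir;

    public function __construct(string $dir)
    {
        $this->dir = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR;
    }

    // Map an id to a file path. The character whitelist is the alphabet PHP's
    // generator uses; it is a path-traversal guard, not the fixation check.
    private function path(string $id): string
    {
        if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id)) {
            throw new RuntimeException('malformed session id');
        }
        return $this->dir . 'sess_' . $id;
    }

    // Called by PHP inside session_start() (after open(), before read()) when
    // session.use_strict_mode=1 and the client supplied an id. Returning false
    // makes PHP discard that id and create a new one, so a well-formed but
    // never-issued id is not turned into a new session file by read().
    public function validateId($id): bool
    {
        return is_file($this->path((string) $id));
    }

    public function open($path, $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read($id): string
    {
        $file = $this->path((string) $id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    public function write($id, $data): bool
    {
        return file_put_contents($this->path((string) $id), (string) $data, LOCK_EX) !== false;
    }

    public function destroy($id): bool
    {
        $file = $this->path((string) $id);
        return !is_file($file) || unlink($file);
    }

    public function gc($max_lifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . 'sess_*') ?: [] as $file) {
            if (filemtime($file) + (int) $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    public function updateTimestamp($id, $data): bool
    {
        return touch($this->path((string) $id));
    }
}

// Demo: present a well-formed id the server never issued (the CLI stand-in for
// the injected cookie from the post) and report what PHP did with it.
function demo(string $dir): array
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_cookies', '0');   // CLI demo: no HTTP cookie exchange
    ini_set('session.cache_limiter', '');
    session_set_save_handler(new StrictFileSessionHandler($dir), true);

    $forged = str_repeat('a', 32);         // constructed: passes the id regex, never issued
    session_id($forged);
    session_start();
    $issued = session_id();
    $_SESSION['marker'] = 'set after start';
    session_write_close();

    return [
        'forged_id_kept'      => $issued === $forged,                 // true only if PHP accepted the forged id
        'forged_file_created' => is_file($dir . '/sess_' . $forged),  // true only if a session was created under it
        'issued_file_created' => is_file($dir . '/sess_' . $issued),  // the session PHP actually created
    ];
}

var_dump(demo(sys_get_temp_dir() . '/strict-session-demo'));
```

Run it with the PHP CLI; the point of the demo is that with strict mode on, the id reported after session_start() is server-generated and no file is created under the forged id, because the rejection happens in validateId() at the moment PHP asks, not in application code that runs after PHP has already chosen the id. Flipping session.use_strict_mode to 0 in demo() shows the behaviour the post complains about: read() is reached with the forged id and creates a session under it.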


Messages In This Thread
Session Validation - by nicola.jones_redcrake.com - 10-16-2019, 07:47 AM
RE: Session Validation - by php_rocs - 10-16-2019, 08:22 AM
RE: Session Validation - by php_rocs - 10-17-2019, 05:34 AM
RE: Session Validation - by nicola.jones_redcrake.com - 10-17-2019, 07:19 AM


