Using session class for secure logins
#1

[eluser]tokyotech[/eluser]
Can the session class be used for secure logins? I basically just want to do the CI equivalent of $_SESSION['isLoggedIn'] = TRUE. A few unanswered questions make me uncomfortable in using it:

1. Why is it using cookies to store data?

According to the manual, it says, "the Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie". Then it's not really a session; it's a cookie. What's the point of a separate cookie helper if CI sessions are just cookies? Cookies are not secure because anyone can alter them with a text editor.

2. Does it prevent session fixation?

At the PHP Security Consortium, they say that a hacker can guess another user's session ID and pass it through the URL to gain control over the user's session. They suggest session_regenerate_id() each time a user does a sensitive action: login, view credit card number, etc... Does CI allow setting ?PHPSESSID=1234 in the URL?

3. Session hijacking?

Again, the PHP Security Consortium says that you need to fingerprint each user to differentiate a victim and his attacker.

4. Session logs on shared webhosts?

I don't even have time to read about this one. There are a million other questions too. I think a framework like CI should not have me ask all these questions in the first place. It should just let me use sessions securely from the get-go. The documentation says nothing about security, so I must ask anyway....
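An added illustration of points 1 and 2 above (example code, not CodeIgniter's session class or anything from this thread): a cookie-stored session becomes tamper-evident when the serialized data carries an HMAC under a server-side secret, and native PHP sessions resist fixation when IDs from the URL are refused and the ID is regenerated at login. SESSION_KEY, sign_session, verify_session, start_session_securely and mark_logged_in are names chosen for this example; the key value is a placeholder.

```php
<?php
// Added example (not CodeIgniter code). A cookie that only carries serialized data
// can be edited by its owner; an HMAC over the payload detects that edit server-side.
const SESSION_KEY = 'PLACEHOLDER-replace-with-a-random-32-byte-secret';

function sign_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    $mac     = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

function verify_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                        // malformed cookie
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison: a byte-by-byte timing leak would let the MAC be guessed
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                        // payload was altered or MAC forged
    }
    $data = json_decode(base64_decode($payload, true), true);
    return is_array($data) ? $data : null;
}

// Session fixation defence for native PHP sessions (PHP 7.3+ cookie params syntax):
// never accept an ID from the URL, reject unknown IDs, and re-issue the ID at login.
function start_session_securely(): void
{
    ini_set('session.use_only_cookies', '1');   // no ?PHPSESSID=... in the URL
    ini_set('session.use_strict_mode', '1');    // client-supplied unknown IDs are discarded
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);   // fresh ID, old one destroyed: an attacker-planted ID is useless
    $_SESSION['isLoggedIn'] = true;
    $_SESSION['user_id']    = $userId;
}

// Demonstration with constructed input: the client flips isLoggedIn but cannot recompute the MAC
$cookie = sign_session(['isLoggedIn' => false, 'user_id' => 0], SESSION_KEY);
[$payload, $mac] = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(['isLoggedIn' => true, 'user_id' => 0])) . '.' . $mac;
var_dump(verify_session($cookie, SESSION_KEY));   // original data comes back
var_dump(verify_session($forged, SESSION_KEY));   // rejected
```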




