User ID, session data and security
#8

[eluser]WanWizard[/eluser]
Ok, so not THAT secure... :coolsmile:

If your only concern is cookie hijacking, know that CI tries to mitigate that by adding the user's IP and User Agent string in the cookie, together with the session ID and a timestamp.
The cookie payload then gets encrypted (make sure you set a good and random encryption key in your session config!).
Also, CI by default rotates the session ID every 5 minutes.

So, you can hijack a session if:
- your PC has the same IP address as the one you stole the cookie from (or you're able to fake that)
- you use exactly the same browser (or you know the exact user agent string and fake it)
- you use it to attack within the session ID rotation time left
or if you can crack the encryption, guess someone else's session id, and construct your own cookie.

In short, a lot safer than some other session implementations, including PHP's own session management.

As for cheap certificates, see http://www.whichssl.com/comparisons/price.html

p.s. and you can trust the other applications? Because if one of those gets hacked, they can use it to access your database config, find the database name, userid and password, and login to your database. Only needs a few lines of PHP...
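The checks described in the post above, modelled as an added example (this is not CodeIgniter's own code; the HMAC seal stands in for CI's cookie encryption, the in-memory `RETIRED` set stands in for server-side session storage, and all key, IP and user-agent values are constructed):

```python
import hashlib
import hmac
import json
import secrets

ROTATION_SECONDS = 300   # the 5-minute session ID rotation the post mentions
RETIRED = set()          # session IDs replaced by rotation; a replayed old cookie is refused


def seal(payload: dict, key: bytes) -> str:
    """Serialise the cookie fields and append an HMAC so tampering is detectable."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def unseal(cookie: str, key: bytes):
    """Return the payload dict, or None if the cookie is malformed or its tag is wrong."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def issue(key: bytes, ip: str, ua: str, now: int, user_id: int) -> str:
    """Create a fresh session cookie bound to the client's IP and user agent."""
    payload = {"session_id": secrets.token_hex(16), "ip_address": ip,
               "user_agent": ua, "last_activity": now, "user_id": user_id}
    return seal(payload, key)


def validate(cookie: str, key: bytes, ip: str, ua: str, now: int):
    """Replay the checks from the post. Returns (verdict, cookie_to_send_back):
    'reject' (drop the session), 'ok', or 'rotated' (a new session ID was issued)."""
    data = unseal(cookie, key)
    if data is None or data["session_id"] in RETIRED:
        return "reject", None          # forged/garbled payload, wrong key, or stale ID
    if data["ip_address"] != ip:
        return "reject", None          # a stolen cookie replayed from another address
    if data["user_agent"] != ua:
        return "reject", None          # ... or from a different browser
    if now - data["last_activity"] >= ROTATION_SECONDS:
        RETIRED.add(data["session_id"])              # the old ID stops working
        data["session_id"] = secrets.token_hex(16)
        data["last_activity"] = now
        return "rotated", seal(data, key)
    return "ok", cookie
```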

