Some security concerns with session library
#1

[eluser]terrorVogel[/eluser]
Hi all,

When you set sess_use_database to true, it seems that all data is still stored in the cookie. Actually, the IP and browser checks are against the values received from the client, and these values cannot be trusted.

I have modified the session library so that it suits my needs and I would like to share it with you. Feel free to use without warranty.

Changes: All session data will be stored in the database, the cookie will only contain the sessionId
Changes: A session is started only when data is needed to be stored.

Have a nice day.

#2

[eluser]terrorVogel[/eluser]
OK, I cannot upload PHP files...
so here is the code:

Edit: Code is too long ... put it into an archive ...
#3

[eluser]terrorVogel[/eluser]
I just found out that the session class does create a session even when I don't want to start one. Some users do not want to be tracked (and I respect their privacy) and additionally visitors who do not log in should not get a free cookie on my site. :-)

When I call $this->load->library('session'); in my usercontroller class, a session is created instantly, although I just would like to check if the client has been assigned a session id.

I have just made some more changes to session.php and changed this behaviour...
#4

[eluser]WanWizard[/eluser]
You need the session to maintain state in a stateless environment, you can't do without.
Or do you want to pass all session data back and forth on every request?

Having a session has absolutely nothing to do with being tracked (unless you specifically pull data out of sessions server-side to track your users).
#5

[eluser]terrorVogel[/eluser]
[quote author="WanWizard" date="1373723534"]You need the session to maintain state in a stateless environment, you can't do without.
Or do you want to pass all session data back and forth on every request?

Having a session has absolutely nothing to do with being tracked (unless you specifically pull data out of sessions server-side to track your users).[/quote]

I think you got me wrong.

I use CodeIgniter sessions to store the userid when the user is logged in. So when the user comes with a session, I need to check if this session is valid and load the userid from the session table on the database server. When the user does not come with a session, I know the user is not logged in and I don't need a session to be created (until he decides to log in).

When a session is created, the site tries to place a cookie on the client. On some systems, the user is informed about that. The user does not know how this cookie is used, so he might think he is being tracked. Additionally, the session creation function does take some time to create a secure, valid session id, so I can save a (very little) bit of performance here :)
#6

[eluser]terrorVogel[/eluser]

It seems to me that I have misunderstood the purpose of the session class; I should have used the Cookie Helper. Thanks for your kind assistance.
#7

[eluser]WanWizard[/eluser]
There is a lot of misconception about cookie usage and the EU cookie law, which indeed forces you to display a message and asks the users permission for using cookies.

This is however about so-called third party or tracking cookies (for example Google Analytics), and explicitly not about session cookies that are internal to the application, and required for the application to work at all.

So if your site only uses a session cookie, you don't need to display, and you don't need to ask.
#8

[eluser]ebrainnight[/eluser]
Helpful. I was facing the same problem as terrorVogel; this thread and conversation provided me some useful info, but not the solution. Waiting for that.
#9

[eluser]WanWizard[/eluser]
You're looking for the solution to what exactly?
#10

[eluser]Alucemet[/eluser]
Community Auth uses a MY_Session to extend CI's Session so that Session can be autoloaded but a session cookie is not actually set until set_userdata or set_flashdata is used.

Take a look here:
https://bitbucket.org/skunkbad/community...at=default
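Post #1 and the Community Auth MY_Session described above both boil down to the same design: the cookie carries only an opaque session id, all data is held server-side, and no id or cookie exists until the application actually stores something. As an added illustration (not CodeIgniter's Session class and not Community Auth's code), a minimal PHP version of that behaviour; the in-memory $store array standing in for the session table and the cookie name sid are assumptions.

```php
<?php
// Added example, not CodeIgniter's Session class or Community Auth's MY_Session.
// Pattern from the thread: the cookie holds only an opaque id, all data lives
// server-side, and nothing is created (no id, no cookie) until the first write.
// $store is an in-memory array standing in for the session table (assumption).

final class LazyServerSession
{
    private const COOKIE = 'sid';          // cookie name: assumption
    private const TTL    = 7200;           // seconds a stored session stays valid
    private ?string $id = null;
    private array $data = [];
    private array $store;

    public function __construct(array $cookies, array &$store)
    {
        $this->store = &$store;
        // Resume only: a well-formed id that exists server-side and is not expired.
        // Anything the client sends that is not in $store is ignored, so client-
        // supplied data (including IP and User-Agent strings) never decides validity.
        $sid = $cookies[self::COOKIE] ?? null;
        if (is_string($sid) && preg_match('/^[0-9a-f]{64}$/', $sid)
            && isset($store[$sid]) && $store[$sid]['expires'] > time()) {
            $this->id   = $sid;
            $this->data = $store[$sid]['data'];
        }
    }

    // True only when the client presented a valid, server-known session.
    public function hasSession(): bool { return $this->id !== null; }

    public function userdata(string $key) { return $this->data[$key] ?? null; }

    public function setUserdata(string $key, $value): void
    {
        if ($this->id === null) {
            // First write: generate the id now and only now send the cookie.
            $this->id = bin2hex(random_bytes(32));
            setcookie(self::COOKIE, $this->id, [
                'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
            ]);
        }
        $this->data[$key] = $value;
        $this->store[$this->id] = ['data' => $this->data, 'expires' => time() + self::TTL];
    }
}
```

A visitor who never logs in (no set_userdata call) is never given a cookie, which is exactly the behaviour the thread asks for; a login controller would call setUserdata('userid', ...) and later requests would check hasSession() before trusting userdata('userid').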