Session fixation and Session hijacking attack
A quick read of this: https://www.owasp.org/index.php/Session_fixation seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this: https://en.wikipedia.org/wiki/Session_hijacking

Things that are contributing to the session hijacking protection:

1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.
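As an added illustration (not code from the post above or from CodeIgniter's session library), here are the two protections it names, session ID regeneration and binding the session to an IP address, applied to plain PHP sessions; the 5-minute rotation interval and the `loginUser`/`logoutUser` function names are assumptions.

```php
<?php
// Added example: plain-PHP session handling that applies the mitigations
// discussed in the post (ID regeneration on login and periodically, plus
// binding the session to the client IP). Assumes it runs before any output.
declare(strict_types=1);

const REGENERATE_AFTER_SECONDS = 300; // assumed policy: rotate the ID every 5 minutes

session_start();

$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

// Bind the session to the IP it was created from. If the IP changes, treat
// the session as suspect and start a fresh, empty one instead of trusting it.
if (isset($_SESSION['bound_ip']) && !hash_equals($_SESSION['bound_ip'], $clientIp)) {
    session_unset();
    session_destroy();
    session_start();
}
if (!isset($_SESSION['bound_ip'])) {
    $_SESSION['bound_ip'] = $clientIp;
    $_SESSION['last_regenerated'] = time();
}

// Rotate the session ID on a timer so a captured ID has a short useful lifetime.
if (time() - ($_SESSION['last_regenerated'] ?? 0) > REGENERATE_AFTER_SECONDS) {
    session_regenerate_id(true); // true: delete the old session data as well
    $_SESSION['last_regenerated'] = time();
}

/**
 * Call this only after credentials have been verified. Regenerating the ID at
 * this point is what closes session fixation: whatever ID the client held
 * before logging in is discarded and never becomes an authenticated session.
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_regenerated'] = time();
}

/** Clear server-side state and expire the cookie so the ID cannot be reused. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

IP binding will log out legitimate users whose address changes mid-session (mobile networks, rotating proxies), which is why CodeIgniter exposes it as the optional `sess_match_ip` setting rather than enabling it unconditionally.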
Messages In This Thread
Session fixation and Session hijacking attack - by projack89 - 06-27-2016, 11:03 PM
RE: Session fixation and Session hijacking attack - by marksman - 06-27-2016, 11:06 PM
RE: Session fixation and Session hijacking attack - by Narf - 06-28-2016, 12:29 AM
RE: Session fixation and Session hijacking attack - by projack89 - 06-28-2016, 12:52 AM
RE: Session fixation and Session hijacking attack - by skunkbad - 06-28-2016, 01:21 AM
RE: Session fixation and Session hijacking attack - by projack89 - 06-28-2016, 02:39 AM