Session fixation and Session hijacking attack
#5

(This post was last modified: 06-28-2016, 01:23 AM by skunkbad.)

A quick read of this:

https://www.owasp.org/index.php/Session_fixation

seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this:

https://en.wikipedia.org/wiki/Session_hijacking

Things that are contributing to the session hijacking protection:
1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.
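The two protections listed in the post above, applied to plain PHP sessions as an added example (this is not the post's or CodeIgniter's own code; it assumes an HTTPS deployment and that `REMOTE_ADDR` is the real client address rather than a reverse proxy):

```php
<?php
// Added example: plain-PHP session handling showing session ID regeneration
// and IP binding. Not CodeIgniter code.

// Cookie flags are set before the session starts (assumes HTTPS).
session_set_cookie_params([
    'httponly' => true,   // keep the ID out of reach of JavaScript
    'secure'   => true,   // only send the cookie over TLS
    'samesite' => 'Lax',
]);
session_start();

// Bind the session to the client address on first use. A later request that
// presents the same ID from a different address is treated as a hijacked
// session: its data is discarded and a fresh, unrelated ID is issued.
// Caveat: users behind rotating proxies or mobile carriers change address
// legitimately, so this does log some real users out.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (!isset($_SESSION['bound_ip'])) {
    $_SESSION['bound_ip'] = $clientIp;
} elseif ($_SESSION['bound_ip'] !== $clientIp) {
    $_SESSION = [];                  // drop everything the old session held
    session_regenerate_id(true);     // new ID, old session storage deleted
    $_SESSION['bound_ip'] = $clientIp;
}

// Regenerate the ID whenever privilege changes (login, logout), so an ID that
// was known before authentication is never the authenticated one.
function loginUser(int $userId): void
{
    session_regenerate_id(true);     // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Optional: periodic regeneration, a cheaper middle ground between "never"
// and the "on every request" policy the post mentions. Regenerating on every
// request can race with parallel AJAX calls that still carry the old ID.
if (($_SESSION['last_regen'] ?? 0) < time() - 300) {   // every 5 minutes
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}
```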
Messages In This Thread
RE: Session fixation and Session hijacking attack - by skunkbad - 06-28-2016, 01:21 AM