Session fixation and Session hijacking attack
Hi All,

I have a question: how can CodeIgniter prevent session fixation and session hijacking attacks? My old web application has problems with session fixation and session hijacking attacks. I plan to recreate it with CodeIgniter. Does CodeIgniter protect against these attacks?

Thank you,
Daniel Yulianto

(06-27-2016, 11:03 PM)projack89 Wrote: Hi All, By using $this->security->xss_clean() you can prevent session hijacking / xss

God Bless CI Contributors

(06-27-2016, 11:06 PM)marksman Wrote: (06-27-2016, 11:03 PM)projack89 Wrote: Hi All, You don't know what you're talking about; please don't talk about things that you don't understand.

(06-28-2016, 12:29 AM)Narf Wrote: (06-27-2016, 11:06 PM)marksman Wrote: (06-27-2016, 11:03 PM)projack89 Wrote: Hi All,

Hi Narf,
Do you have an explanation for me? Can CodeIgniter prevent session fixation and session hijacking attacks?
A quick read of this: https://www.owasp.org/index.php/Session_fixation seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this: https://en.wikipedia.org/wiki/Session_hijacking

Things that are contributing to the session hijacking protection:
1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.

(06-28-2016, 01:21 AM)skunkbad Wrote: A quick read of this:

Hi Skunkbad,
Thanks for your reply. I was interested in this point:
Quote: Things that are contributing to the session hijacking protection:
I searched Google about that point and found this information: http://stackoverflow.com/questions/63171...28#6317228
"Open your /application/config/config.php, locate "sess_use_database" and change it to "TRUE" if you haven't already. This way all session variables will be stored in a database table and the session cookie will only contain the session id string. For added security, you can also change "sess_match_ip" to TRUE. This way if someone steals your user's cookie and tries to pass it as their own, the session will be destroyed."

My question: is that enough?
Thanks
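Added example, not part of the thread and not CodeIgniter's own code: a plain-PHP login handler that shows the two protections skunkbad lists (regenerating the session ID at login, and binding the session to the client IP) next to the unprotected version that Daniel's old application probably resembled. It also goes one step beyond the thread by turning on PHP's session.use_strict_mode, which makes the server refuse a session ID it did not issue itself, so a planted ID never becomes a valid session at all. The function names (login_vulnerable, login_hardened, validate_session, logout) are ours; it assumes PHP 7+, cookie-based sessions, and that $_SERVER['REMOTE_ADDR'] really is the client's address (no reverse proxy in front).

```php
<?php
// Added example (not from the thread). Plain-PHP counterpart to the
// two protections discussed above. Helper names are assumptions.

// Must be set before session_start(). With strict mode on, a session
// ID that the server never generated (e.g. one an attacker planted via
// a crafted link) is discarded and a fresh ID is issued instead.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// BEFORE: the client keeps whatever session ID it arrived with, so an
// ID chosen by the attacker becomes the authenticated session
// (classic session fixation).
function login_vulnerable(string $username): void
{
    $_SESSION['user'] = $username;
}

// AFTER: a new ID is issued at the privilege change and the old one is
// deleted on the server (the `true` argument), so any ID known to a
// third party before login is worthless afterwards.
function login_hardened(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']        = $username;
    $_SESSION['bound_ip']    = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['regenerated'] = time();
}

// Run on every authenticated request. A stolen cookie presented from
// another address is rejected and the session destroyed; otherwise the
// ID is rotated periodically, which shortens the window in which a
// leaked cookie stays usable. 300 s matches CI3's default
// sess_time_to_update (assumption: you want the same interval).
function validate_session(int $rotate_after = 300): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (($_SESSION['bound_ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if (time() - (int) ($_SESSION['regenerated'] ?? 0) > $rotate_after) {
        session_regenerate_id(true);
        $_SESSION['regenerated'] = time();
    }
    return true;
}

// Logout must invalidate the server-side record, not just clear the
// cookie, or the old ID keeps working for anyone who captured it.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

For CodeIgniter 3.x (the current release when this thread was written) the same controls are configuration rather than code: in application/config/config.php set `$config['sess_driver'] = 'database';` with `$config['sess_save_path']` naming the sessions table (the `sess_use_database` key quoted from Stack Overflow above is the CodeIgniter 2.x name for this), `$config['sess_match_ip'] = TRUE;`, `$config['sess_time_to_update'] = 300;` and `$config['sess_regenerate_destroy'] = TRUE;`, and call `$this->session->sess_regenerate(TRUE);` in your login handler after the credentials check. Two caveats a practitioner should weigh before relying on IP binding: behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so every client "matches" and the check protects nothing unless the real client address is passed through and trusted; and users on mobile networks or corporate NAT pools change address mid-session and will be logged out, so rotation plus a short update interval is usually the more robust of the two.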