Session fixation and Session hijacking attack
#1

Hi All,
I have a question: how can CodeIgniter prevent session fixation and session hijacking attacks? My old web application had problems with session fixation and session hijacking attacks. I plan to recreate it with CodeIgniter. Does CodeIgniter protect against these attacks?


Thank you


Daniel Yulianto
Reply
#2

(06-27-2016, 11:03 PM)projack89 Wrote: Hi All,
I have a question: how can CodeIgniter prevent session fixation and session hijacking attacks? My old web application had problems with session fixation and session hijacking attacks. I plan to recreate it with CodeIgniter. Does CodeIgniter protect against these attacks?


Thank you


Daniel Yulianto

By using $this->security->xss_clean() you can prevent session hijacking / XSS
God Bless CI Contributors
Reply
#3

(06-27-2016, 11:06 PM)marksman Wrote:
(06-27-2016, 11:03 PM)projack89 Wrote: Hi All,
I have a question: how can CodeIgniter prevent session fixation and session hijacking attacks? My old web application had problems with session fixation and session hijacking attacks. I plan to recreate it with CodeIgniter. Does CodeIgniter protect against these attacks?


Thank you


Daniel Yulianto

By using $this->security->xss_clean() you can prevent session hijacking / XSS

You don't know what you're talking about; please don't talk about things that you don't understand.
Reply
#4

(06-28-2016, 12:29 AM)Narf Wrote:
(06-27-2016, 11:06 PM)marksman Wrote:
(06-27-2016, 11:03 PM)projack89 Wrote: Hi All,
I have a question: how can CodeIgniter prevent session fixation and session hijacking attacks? My old web application had problems with session fixation and session hijacking attacks. I plan to recreate it with CodeIgniter. Does CodeIgniter protect against these attacks?


Thank you


Daniel Yulianto

By using $this->security->xss_clean() you can prevent session hijacking / XSS

You don't know what you're talking about; please don't talk about things that you don't understand.

Hi Narf,
Do you have an explanation for me? Can CodeIgniter prevent session fixation and session hijacking attacks?
Reply
#5

(This post was last modified: 06-28-2016, 01:23 AM by skunkbad.)

A quick read of this:

https://www.owasp.org/index.php/Session_fixation

seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this:

https://en.wikipedia.org/wiki/Session_hijacking

Things that contribute to the session hijacking protection:
1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.
Reply
#6

(06-28-2016, 01:21 AM)skunkbad Wrote: A quick read of this:

https://www.owasp.org/index.php/Session_fixation

seems to indicate that session fixation only applies to authentication (login) where session IDs aren't updated on login. Since CodeIgniter has no authentication library, "session fixation" cannot be a problem for CodeIgniter. I quoted "session fixation" because it's really just session hijacking.

Session hijacking is something that CodeIgniter attempts to limit. See this:

https://en.wikipedia.org/wiki/Session_hijacking

Things that contribute to the session hijacking protection:
1) Session ID regeneration.
2) Binding a session to an IP address.

If your old website was vulnerable to session hijacking, and especially if you were just playing around with PHP sessions, it's likely that you were not regenerating the session ID. See the prevention section of the Wikipedia page to see that some websites will regenerate the ID on EVERY request.

Hi Skunkbad,
Thanks for your reply. I was interested in this point:

Quote: Things that contribute to the session hijacking protection:
2) Binding a session to an IP address.

I searched on Google about that point and found this information:
http://stackoverflow.com/questions/63171...28#6317228


Quote (accepted answer): "Open your /application/config/config.php, locate "sess_use_database" and change it to "TRUE" if you haven't already. This way all session variables will be stored in a database table and the session cookie will only contain the session ID string.
For added security, you can also change "sess_match_ip" to TRUE. This way if someone steals your user's cookie and tries to pass it as their own, the session will be destroyed."


My question: is that point enough?


Thanks
Reply
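The mechanisms named in post #5 (session ID regeneration, binding the session to an IP address) and the configuration keys quoted from Stack Overflow in post #6 (server-side session storage, sess_match_ip) fit together as shown below, along with the one step the thread talks around but never shows: regenerating the session ID at the moment of login, which is what actually closes the fixation window. This is an added example written for this thread, not code from CodeIgniter or from any of the posters. It targets CodeIgniter 3's session library, whose config keys differ from the CodeIgniter 2 keys quoted in post #6 (sess_use_database became sess_driver = 'database'; sess_match_ip kept its name). The User_model class, its find_by_username() method and the password_hash column are assumptions made for illustration.

```php
<?php
// --- application/config/config.php (CodeIgniter 3 keys) -------------------
// Store session data server-side; the cookie then carries only the session ID.
$config['sess_driver']             = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']         = 7200;          // seconds of inactivity before expiry
$config['sess_save_path']          = 'ci_sessions'; // table name for the database driver
// Bind the session to the client IP (post #5, point 2). A cookie presented from
// another address does not resolve to the original session.
$config['sess_match_ip']           = TRUE;
// Rotate the session ID periodically (post #5, point 1). 0 would disable rotation.
$config['sess_time_to_update']     = 300;
// Destroy the old ID's data when rotating, so a copied ID stops working immediately.
$config['sess_regenerate_destroy'] = TRUE;
// Keep the cookie off plain HTTP and away from JavaScript, which limits the XSS
// route post #2 alluded to without relying on output filtering.
$config['cookie_secure']           = TRUE;
$config['cookie_httponly']         = TRUE;

// --- application/controllers/Auth.php ---------------------------------------
// The piece the thread only hints at: a fresh session ID at the moment privilege
// changes. Whatever ID the browser carried before login is discarded here; that
// discard is the fixation defence itself.
class Auth extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');        // provides redirect()
        $this->load->model('user_model');  // assumed model, not part of CodeIgniter
    }

    public function login()
    {
        $username = (string) $this->input->post('username');
        $password = (string) $this->input->post('password');

        // Assumed: returns an object with ->id and ->password_hash, or NULL.
        $user = $this->user_model->find_by_username($username);

        // Constant-time check against a digest produced by password_hash().
        if ($user === NULL || ! password_verify($password, $user->password_hash)) {
            $this->session->set_flashdata('error', 'Invalid credentials.');
            redirect('auth/login');
            return;
        }

        // Regenerate the session ID and destroy the pre-login session record.
        $this->session->sess_regenerate(TRUE);

        $this->session->set_userdata(array(
            'user_id'   => $user->id,
            'logged_in' => TRUE,
        ));
        redirect('dashboard');
    }

    public function logout()
    {
        // Invalidate the server-side record; the cookie alone is now worthless.
        $this->session->sess_destroy();
        redirect('auth/login');
    }
}
```

Two points worth weighing before copying the config: sess_match_ip logs out any user whose address changes mid-session (mobile networks, corporate proxies), so it is a trade-off rather than a free win; and the periodic rotation from sess_time_to_update is not a substitute for the explicit sess_regenerate(TRUE) call at login, because rotation only happens after the interval has elapsed, while the fixation window is the request in which the user authenticates.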



