How to fix session management issues found on a security audit
#1

I'm being audited for security, and received a report listing required fixes for my web application, regarding session management.

These are the things I'm required to change:
1. Create idle-timeout mechanism to end the session after 60 minutes of inactivity
- Easy enough. Under config.php I set $config['sess_expiration'] = 3600;

2. Set up a session timeout mechanism to end the session after a long time of activity, say 10 hours. This is to block scripts from using the application.
- This one is trickier. I couldn't find a config setting in CI to achieve this. Is there? If not - how would you recommend I implement this?

3. Session must be destroyed on application errors, so that on system crash, there will be no open session which another user can log on to.
- Huh? I'm not even sure what they mean by this... Any pointers would be highly appreciated.
How does CI handle sessions when an error has occurred?

I'm using CI 3.1.8, and this is the current session config I use:

PHP Code:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'cisession';
$config['sess_expiration'] = 3600;
$config['sess_save_path'] = BASEPATH . 'cache/';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

Thanks!

einav
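An absolute session lifetime of the kind item 2 asks for, as an added example that is not from the original post or from CodeIgniter itself: a `MY_Controller` base class (hypothetical file application/core/MY_Controller.php) records when the session was first created and destroys it once the assumed 10-hour limit `SESS_ABSOLUTE_LIFETIME` is exceeded, independent of the idle timer; a shutdown function covers item 3 by dropping the session when a request ends in a fatal error. The constant name, the `sess_created` key and the `login` redirect route are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * Base controller enforcing an absolute session lifetime (audit item 2).
 * Hypothetical file: application/core/MY_Controller.php; application
 * controllers extend MY_Controller instead of CI_Controller.
 * The idle timeout (item 1) stays with $config['sess_expiration'].
 */
class MY_Controller extends CI_Controller
{
    // Assumed limit: 10 hours measured from session creation, not from
    // the last request, so activity alone cannot extend it.
    const SESS_ABSOLUTE_LIFETIME = 36000;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        // Store the creation time once; it is never refreshed, unlike the
        // idle timer, so a script that keeps polling still gets cut off.
        if ($this->session->userdata('sess_created') === NULL) {
            $this->session->set_userdata('sess_created', time());
        }

        $age = time() - (int) $this->session->userdata('sess_created');
        if ($age > self::SESS_ABSOLUTE_LIFETIME) {
            log_message('info', 'Absolute session lifetime exceeded after ' . $age . 's; destroying session');
            $this->session->sess_destroy();
            redirect('login'); // assumed login route; redirect() exits
        }

        // Audit item 3: if this request dies with a fatal error, destroy the
        // session so the same cookie cannot resume it afterwards.
        register_shutdown_function(function () {
            $error = error_get_last();
            $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
            if ($error !== NULL && in_array($error['type'], $fatal, TRUE)
                && session_status() === PHP_SESSION_ACTIVE) {
                session_unset();
                session_destroy();
            }
        });
    }
}
```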


Messages In This Thread
How to fix session management issues found on a security audit - by einav - 06-25-2019, 01:20 PM