Session Collision
#11

(This post was last modified: 05-22-2020, 09:54 AM by jreklund.)

(05-22-2020, 07:57 AM)dave friend Wrote: To help prevent session hijacking and XSS, always use the following.
PHP Code:
$config['cookie_httponly'] = TRUE;

This isn't true regarding sessions; the session cookie is forced to be httponly. This prevents all other cookies from being httponly, though.
Reply
#12

(05-22-2020, 09:54 AM)jreklund Wrote: This isn't true regarding sessions; the session cookie is forced to be httponly. This prevents all other cookies from being httponly, though.

That is correct. CI v3 always sets session cookies for httponly. My reason for bringing it up was that ALL cookies should use that option.
Reply
#13

Good morning,
short update:

I tried to move the sessions to the database but I couldn't find any difference.

If I have a controller with a similar if inside:
PHP Code:
if ($this->session->userdata('mycode') === 'AAA')
{
    // Code for AAA
} elseif ($this->session->userdata('mycode') === 'BBB') {
    // Code for BBB
}

and one pc with two browsers open on the same page (one is Chrome and one is Firefox for example), one with the user with the AAA code and one with the BBB code, one of the two browsers will assume the identity of the other.

Why? It's ridiculous!

Is it my mistake? Don't I understand anything about programming?

Thanks again for your availability
Reply
#14

If it's of any use to anyone:

For the moment I solved it by inserting a token in the generated login URL for each user and inserting a check in each controller.

(Session type match + (token in session vs token in url))
Reply
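The check described in #14 (session type match plus URL token against session token), written out as an added CodeIgniter 3 example that is not code from this thread. The session key 'mycode' comes from the thread; the base controller name, the 'login_token' key, the login URL layout and the redirect target are assumptions.

```php
<?php
// Added example of the #14 scheme, not from the thread. 'mycode' is the
// thread's session key; MY_Controller, 'login_token', the 'area/' URL and
// the 'login' redirect target are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Called once at login: bind a fresh random token to this session and
    // build the per-user login URL that carries it.
    protected function issue_login_url($mycode)
    {
        $token = bin2hex(random_bytes(16));      // 128-bit, unguessable
        $this->session->sess_regenerate(TRUE);   // new session id, old one discarded
        $this->session->set_userdata(array(
            'mycode'      => $mycode,
            'login_token' => $token,
        ));
        return site_url('area/' . $mycode) . '?token=' . $token;
    }

    // Called at the top of every protected controller method. The session
    // must carry the expected type AND the token in the URL must match the
    // token stored in the session; any mismatch ends the session.
    protected function require_session($expected_code)
    {
        $stored = $this->session->userdata('login_token');
        $given  = $this->input->get('token', TRUE);
        if ($this->session->userdata('mycode') !== $expected_code
            || !is_string($stored) || !is_string($given)
            || !hash_equals($stored, $given))   // constant-time comparison
        {
            $this->session->sess_destroy();
            redirect('login');
        }
    }
}
```

A controller for the AAA area would call `$this->require_session('AAA')` in its constructor, so a request arriving with another user's session data but without that session's token is rejected instead of being served the other identity.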