Session hijacking problem
#1

(This post was last modified: 10-06-2023, 02:36 AM by LuxesR.)

I have a question about ci_session. We build our own login system with a session. We found out that if you copy and paste the ci_session and put it in another browser, the user is logged in without seeing the login screen. I keep stuff as default as possible in CodeIgniter 4, but changed $sessionMatchIP to true in app/Config/App.php:
PHP Code:
public $sessionMatchIP = true;

My question is, is there a downside of having this setting on true? It feels much safer. Are there more settings to change to prevent session hijacking?
Thanks in advance.

I found out that the location of this setting has been changed since v4.4.0, but the question remains the same.
#2

It's safer, but it's bad if the IP is dynamic (for example, a mobile operator).
#3

Behind a Proxy Server.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#4

(This post was last modified: 10-06-2023, 11:36 PM by luckmoshy.)

Yes, it may be due to a proxy, or set the session regeneration time. Here is also where I would hijack your system, if no one cares enough:

Code:
session.driver = 'CodeIgniter\Session\Handlers\FileHandler'
session.cookieName = 'ci_session'
session.expiration = 7200
session.savePath = writable/session
session.matchIP = true
# look here: lower this (e.g. to 1) to regenerate the session ID more often
session.timeToUpdate = 300
session.regenerateDestroy = true


PHP Code:
public bool $matchIP = false;

/**
 * --------------------------------------------------------------------------
 * Session Time to Update
 * --------------------------------------------------------------------------
 *
 * How many seconds between CI regenerating the session ID.
 */
public int $timeToUpdate = 300; // look here: lower this (e.g. to 1)

/**
 * --------------------------------------------------------------------------
 * Session Regenerate Destroy
 * --------------------------------------------------------------------------
 *
 * Whether to destroy session data associated with the old session ID
 * when auto-regenerating the session ID. When set to FALSE, the data
 * will be later deleted by the garbage collector.
 */
public bool $regenerateDestroy = true;
Codeigniter First, Codeigniter Then You!!
yekrinaDigitals

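The settings above limit how long a copied ci_session value stays usable over time. As an added example (not code from the thread or from CodeIgniter itself), this CodeIgniter 4 controller covers the other moment that matters, rotating the ID when a session gains or loses a logged-in user; UserModel, its 'password_hash' column and the '/dashboard' route are assumed placeholders:

```php
<?php
// Added example: rotate the CodeIgniter 4 session ID at login and destroy it
// at logout. Together with matchIP, timeToUpdate and regenerateDestroy this
// means a ci_session value captured before login or after logout is worthless.
namespace App\Controllers;

use App\Models\UserModel; // assumed placeholder: returns rows with 'id' and 'password_hash'

class Auth extends BaseController
{
    public function login()
    {
        $users = new UserModel();
        $user  = $users->where('email', $this->request->getPost('email'))->first();

        if ($user === null
            || ! password_verify((string) $this->request->getPost('password'), $user['password_hash'])) {
            return redirect()->back()->with('error', 'Invalid credentials');
        }

        // regenerate(true) issues a new ID and destroys the data under the old
        // one (the same behaviour $regenerateDestroy gives the timed rotation),
        // so a session ID fixed or copied before login cannot be upgraded.
        session()->regenerate(true);
        session()->set(['user_id' => $user['id'], 'logged_in' => true]);

        return redirect()->to('/dashboard');
    }

    public function logout()
    {
        // Destroy the server-side session data, not just the cookie, so a
        // copied ci_session value cannot resume the session after logout.
        session()->destroy();

        return redirect()->to('/login');
    }
}
```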
#5

Thank you for your responses. I also did what luckmoshy said, but kept timeToUpdate at 100.