I have a question about ci_session. We built our own login system with a session. We found out that if you copy the ci_session and paste it into another browser, the user is logged in without seeing the login screen. I keep stuff as default as possible in CodeIgniter 4, but I changed $sessionMatchIP to true in app/Config/App.php:
PHP Code:
public $sessionMatchIP = true;
My question is: is there a downside to having this setting set to true? It feels much safer. Are there more settings to change to prevent session hijacking?
Thanks in advance.
I found out that the location of this setting has been changed since v4.4.0, but the question remains the same.