Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived General Discussion CI security
CI security
  • El Forum
    Guest
  •  
#1
06-06-2010, 01:57 PM

[eluser]Songoko20000[/eluser]
Hi guys Smile
I have been asked to develop a website and um using codeigniter but I was asked to account for certain security issues ex:
 Session fixation
 Session hijacking
 Spoofed form submissions
 Spoofed HTTP requests
 Cross-Site scripting (XSS)
 Cross-Site request forgeries (CSRF)
 Exposed access credentials
 SQL injection

I think I read in CI user guide that it has built in filtration for "Cross-Site scripting (XSS)" using the $config['global_xss_filtering'] in the config file.

but what about the other threats ? are they supported also or what ? is there libraries i can download for CI to support them ?

Thanx in advance
  • El Forum
    Guest
  •  
#2
06-06-2010, 02:15 PM

[eluser]richzilla[/eluser]
A good intro to CI security:

http://ellislab.com/forums/viewthread/125687/
  • El Forum
    Guest
  •  
#3
06-06-2010, 02:34 PM

[eluser]Songoko20000[/eluser]
Thanks for the post Smile It's a good intro indeed !
But it only stated that SQL injection and XSS are supported in CI.
What about the rest ?
  • El Forum
    Guest
  •  
#4
06-06-2010, 05:21 PM

[eluser]richzilla[/eluser]
Session Fixation / Hijacking, Exposed acces credentials - Use the standard php session library, which is server based and therefore cannot be accessed. The other options include hashing the session in the cookie (there is a function to so this: http://ellislab.com/codeigniter/user-gui...sions.html. Storing sessions in the database is another layer of security

CSRF / Spoofed form submissions - CSRF is like XSS but the other way round. The best way to protect from this is to insert a known key into any POST submissions. This key is unique to each user, and can be cross checked with their credentials in the DB.

The biggest security tip however is to validate absolutely anything the user has access to, this inlcudes things that arent immediately obvious. I once had a problem on a blog where i didnt validate the post id in the url, so the link read:

Code:
blog/post/view/92

Any user could have replaced the 92 with anything they liked. It didnt occur to me immediately as the user has no direct interaction with it (they click on a link to view a post).

EDIT: One more thing, im sure its mentioned in the post i linked to earlier, but only the active record functions automatically escape database queries, so if your inputting raw sql, youll have to do all the escaping yourself.
  • El Forum
    Guest
  •  
#5
06-07-2010, 03:18 AM

[eluser]Songoko20000[/eluser]
ok one more question:
I read the "Saving Session Data to a Database" in the session page in the user guide.

What I understood is by creating the "ci_session" table in the database and updating the config.php file sessions will be stored in the table automatically.

So if a user logs in a new session is created, it's then inserted in the database automatically. If he navigates to any other page his session id is compared automatically to the one in the database and if correct he is granted permission and his session in the table gets updated.
if it's different he is denied and his session is destroyed and removed from the database automatically also.

Is that correct ? everything is done automatically or do I need to write a code to do a certain task ?
  • El Forum
    Guest
  •  
#6
06-07-2010, 03:31 AM

[eluser]richzilla[/eluser]
Correct, the storing of the session is done automatically, so all you need to do, is write a function that checks for the presence of the session id in the database, and you know its a session thats been created by your server rather than created artificially.
  • El Forum
    Guest
  •  
#7
06-07-2010, 03:43 AM

[eluser]n0xie[/eluser]
[quote author="Songoko20000" date="1275872261"]
but what about the other threats ? are they supported also or what ? is there libraries i can download for CI to support them ?[/quote]
There are no silver bullets when it comes to most of these security threats. There is just good practice and defensive coding. You need to familiarise yourself with what the terms mean and how you should try to avoid/deal with them. It's not some magical 'switch' you can turn on or off.
  • El Forum
    Guest
  •  
#8
06-23-2010, 08:48 AM

[eluser]mzuser[/eluser]
[quote author="ricardino" date="1275921088"]Correct, the storing of the session is done automatically, so all you need to do, is write a function that checks for the presence of the session id in the database, and you know its a session thats been created by your server rather than created artificially.[/quote]


When checking the session ID is it worth while to check the other info like IP and User Agent data as well? Or can this cause issues if they log in from another computer?
  • El Forum
    Guest
  •  
#9
06-23-2010, 02:07 PM

[eluser]WanWizard[/eluser]
These additional checks are done automatically by the Session library, unless you disable this in the config.

A session is identified by the session cookie which is stored locally. So multiple sessions from different PC's (or different browers on the same PC) have different cookies, and are therefore considered different sessions.




Theme © iAndrew 2016 - Forum software by © MyBB