Welcome Guest, Not a member yet? Register   Sign In
How safe is the CI native session?

[eluser]Stu Green[/eluser]
Excuse me for my naivety, but just found this article after getting someone posting

&lt; script &gt; alert ( document . cookie ) ; < / script >

in one of my applications.


Can anyone shed light on how secure the CI native session class is against stuff like this?

That has only a little to do with CI sessions because it's an XSS attack. Though CI sessions does provide security against the usefullness of such an attack when you switch on session encryption or use database sessions. In the first case it's only usefull when someone manages to break the encryption and in the second case one could only steal the session ID, which is useless if you have IP checking on for sessions.

But to protect against such an attack you should check user input that might be vulnerable for such an attack. The lazy solution is to switch on global XSS checking, but not if you're doing that in an CMS where the admins need to be able to use javascript in pages (as JS is removed by the XSS cleaning, and you can't turn it off when it's switched on globally).

The better sollution is to use XSS clean or set the second parameter of the post(/cookie) fetching to TRUE:
$var = $this->input->post( 'var', TRUE ); // second paramater forces XSS cleaning
$cookie = $this->input->cookie( 'var', TRUE ); // just like post

$value = $this->input->xss_clean( $value ); // CI 1.7.2 manual XSS cleaning
$value = $this->security->xss_clean( $value ); // CI 2.0 manual XSS cleaning

By default you can change a cookie on your harddrive, but CI has a toggle in the config to mirror all the sessions in the database that you absolutely must use if you plan to use the session to authorize people. It will destroy any session that gets tweaked with, cause it doesn't match the database.

The bit about SQL injections is kinda moot, CI handles that sorta thing quite well, xss-cleans, etc. the works.

EDIT: Looks like someone posted while typing. Smile

Theme © iAndrew 2016 - Forum software by © MyBB