What libraries/plugin/helpers that you always use for your application?
#1

[eluser]indocoder[/eluser]
What libraries/plugins/helpers do you always use for your application?

Don't count the default libs/plugins/helpers that CI already provides.
#2

[eluser]eedfwChris[/eluser]
Proposed view library by Coolfactor:
http://ellislab.com/forums/viewthread/49910/

Cache library by Al James:
http://ellislab.com/forums/viewthread/57117/

CI Session library (SVN) or DB Session:
http://dev.ellislab.com/svn/CodeIgniter/...ession.php
http://codeigniter.com/wiki/DB_Session/
Although neither address session fixation...
#3

[eluser]xwero[/eluser]
Native session is the only constant when I start a new site.

Edit: I changed the methods userdata and set_userdata to item and set_item to have fewer method names to remember, pseudo namespaces are fun :)
#4

[eluser]Michael Wales[/eluser]
Libraries:
MY_Validation which includes the set_fields() method from tilzinger

CI SVN Session Library

ErkanaAuth

Helpers:
xHTML Helper - although that version has bugs

An Asset Helper I wrote for myself but is somewhat similar to thepyromaniac's
#5

[eluser]Derek Allard[/eluser]
[quote author="webPragmatist" date="1196241602"]
CI Session library (SVN):
http://dev.ellislab.com/svn/CodeIgniter/...ession.php
Although neither address session fixation...[/quote]

Could you elaborate what you mean here? While nothing provides perfect security, the session lib you're discussing does have safeguards against session fixation.
#6

[eluser]eedfwChris[/eluser]
[quote author="Derek Allard" date="1196282996"][quote author="webPragmatist" date="1196241602"]
CI Session library (SVN):
http://dev.ellislab.com/svn/CodeIgniter/...ession.php
Although neither address session fixation...[/quote]

Could you elaborate what you mean here? While nothing provides perfect security, the session lib you're discussing does have safeguards against session fixation.[/quote]

Hi Derek,

As far as I am aware the Session library I am using does not store the actual AGE of the session in order to regenerate a Session ID nor "roll" the Session ID as a user browses the page. Either of these methods would help protect against a Session ID having too long of a lifetime thus allowing a potential "predator" to fixate on a specific Session ID in order to gain access. This is just one of many methods that could be employed to further enhance session security.

A good example of changing Session IDs to prevent Session fixation is used in this Native Session library written by tomcode http://codeigniter.com/wiki/Native_session/, though I don't use it because it does not support DB data storage.
#7

[eluser]Derek Allard[/eluser]
Could I ask that you take another look through the SVN session class please? I believe it does everything you suggest. sess_update() generates a new session id, and is configurable so that you could literally change it every 1 second if you'd like. Additionally, you can use IP address and user agent checks. I'm not denying that these couldn't be spoofed, but as you say, they are further methods that can be employed to enhance the session security. I'm afraid I'm just not following your concerns here.
#8

[eluser]eedfwChris[/eluser]
[quote author="Derek Allard" date="1196311794"]Could I ask that you take another look through the SVN session class please? I believe it does everything you suggest. sess_update() generates a new session id, and is configurable so that you could literally change it every 1 second if you'd like. Additionally, you can use IP address and user agent checks. I'm not denying that these couldn't be spoofed, but as you say, they are further methods that can be employed to enhance the session security. I'm afraid I'm just not following your concerns here.[/quote]

Ah, ok great! I was not aware of this function. The only concern now is storing a created_time for a session in order to tell the actual life of a session (as opposed to just how long since the user's last activity). This is easily implemented outside of the library but it would be nice to have the session library work that out for you automatically.
#9

[eluser]Derek Allard[/eluser]
@indocoder and all, I'm very sorry for thread-jacking. Since I am the author of the rewritten session in question, I wanted to be sure I wasn't missing anything.

@webPragmatist: It does. When the session is created it creates a gmt timestamp. The session class already takes care of ensuring the timestamp is valid, comparing it against the set times, and garbage collection. In short, I think it does everything you've raised here.
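
The three checks discussed in posts #6 to #9 (absolute session age from a created_time, time since last activity, and rolling the session ID), as an added example that is not part of the thread and is not CodeIgniter's session class. It uses plain PHP sessions; the function names, the `_meta` key and the three time limits are assumptions.

```php
<?php
// Added example: hypothetical names and limits, plain PHP sessions (not CodeIgniter code).
const ABSOLUTE_LIFETIME = 8 * 3600; // max age since created_time (assumed value)
const IDLE_TIMEOUT      = 30 * 60;  // max gap since last activity (assumed value)
const ROTATE_INTERVAL   = 5 * 60;   // how often the session ID is rolled (assumed value)

function fresh_meta(int $now): array
{
    return ['created_time' => $now, 'last_activity' => $now, 'last_rotated' => $now];
}

// Pure decision: 'destroy', 'rotate' or 'keep' for the stored timestamps.
function session_action(array $meta, int $now): string
{
    // A session without our timestamps (new, or an ID supplied from outside) is not trusted.
    if (!isset($meta['created_time'], $meta['last_activity'], $meta['last_rotated'])) {
        return 'destroy';
    }
    if ($now - $meta['created_time'] >= ABSOLUTE_LIFETIME) { return 'destroy'; }
    if ($now - $meta['last_activity'] >= IDLE_TIMEOUT)     { return 'destroy'; }
    if ($now - $meta['last_rotated'] >= ROTATE_INTERVAL)   { return 'rotate'; }
    return 'keep';
}

// Call at the top of every request.
function enforce_session_policy(): void
{
    session_start();
    $now    = time();
    $action = session_action($_SESSION['_meta'] ?? [], $now);

    if ($action === 'destroy') {
        $_SESSION = [];                 // drop all data tied to the old ID
        session_regenerate_id(true);    // issue a new ID, delete the old session
        $_SESSION['_meta'] = fresh_meta($now);
        return;
    }
    if ($action === 'rotate') {
        session_regenerate_id(true);    // same data, new ID; created_time is kept
        $_SESSION['_meta']['last_rotated'] = $now;
    }
    $_SESSION['_meta']['last_activity'] = $now;
}

// Call when the user authenticates: a pre-login ID must never survive login.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['_meta']   = fresh_meta(time());
    $_SESSION['user_id'] = $userId;
}
```

Because `created_time` is only reset on destroy or login, rolling the ID does not extend the absolute lifetime.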



