Storing session information in permanent cookie

Hello,

I am developing an application using CodeIgniter 3.1.4. Below is my session configuration:

Code:

$config['sess_cookie_name']        = 'cisession';
$config['sess_expiration']        = 1200;
$config['sess_use_database']            = TRUE;
$config['sess_table_name']        = 'session';
$config['sess_match_ip']        = TRUE;
$config['sess_time_to_update']            = 300;

During security audit, one issue is flagged as The web application stores sensitive session information in a permanent cookie (on disk). I am advised to use non-permanent cookies (RAM cookies). Please advise as how to achieve it.

Regards,

Persistent, not permanent. But if there's any security issue with that, it's the "stores sensitive session information" part.

Also, the configuration you're showing is a CI2 one.

Persistent, not permanent. But if there's any security issue with that, it's the "stores sensitive session information" part.

Also, the configuration you're showing is a CI2 one.

Yeah Narf. Actually I upgraded from CI2 to CI3 but somehow missed to change the config file. But I had changed the columns in session table as CI3. Thanks for pointing it out.

Now, I thought storing the session in database will help increasing the application security. How do I achieve RAM cookies as suggested by audit?

Now, I thought storing the session in database will help increasing the application security.

Only on a shared hosting environment, where other clients of the hosting company may have access to your session files. But that has literally nothing to do with the cookies.

How do I achieve RAM cookies as suggested by audit?

You don't have to do this. In fact, I strongly advise that you ignore this suggestion. There are of course valid reasons choose "RAM cookies" over persistent ones, but neither choice is inherently more secure or insecure.
And in your partciular case, this suggestion only shows that your auditors are being rather incompetent.

A "RAM cookie" is a cookie with no expiry time, that gets erased when the browser is closed. Why this is being suggested to you, is that such temporary cookies are harder to steal, for a number of reasons, but most importantly because this implies the cookie will have a shorter litetime, and therefore a shorter time window for any attacker to act on it.

But here's the thing - you've set your cookie expiry time at 1200 seconds already, and you should ask yourself this: when is the last time you had a browser window open for less than 20 minutes? Mine stays open for weeks.

Hence, choosing a "RAM cookie" over one with a 20-minute expiry time makes zero sense.

Could I chime in and mention that persistent cookies are perhaps more insecure on shared computers.  i.e. you use a computer in the library, and afterwards your persistent cookie will remain on that computer, versus a session cookie which would be removed when the browser is closed down or the computer shut down.

If you forgot to logout of a website on a shared computer, potentially with a persistent cookie you would still remain permanently logged in when the next person uses the computer, unless the site in question queries last activity time and auto logs you out. Yes, this could still apply to session cookies if the browser isn't closed down, but by their very nature there's more scope for a session cookie to be destroyed fairly quickly (session timeout, browser closed down, computer shut down, etc) than there is a persistent cookie.

Did you read my post before chiming in?

It's not all black and white.

I did, but I wanted to point out to the OP the scenario of shared computers, since people often only think about a single user sitting at a single computer. Someone using a shared computer for 5 minutes is likely to be better protected with a session cookie, compared to a persistent cookie (albeit with an expiry time of 20 minutes).

I realise it's not black and white, I am just pointing out a scenario that the OP might not have thought about.

I did, but I wanted to point out to the OP the scenario of shared computers, since people often only think about a single user sitting at a single computer. Someone using a shared computer for 5 minutes is likely to be better protected with a session cookie, compared to a persistent cookie (albeit with an expiry time of 20 minutes).

I realise it's not black and white, I am just pointing out a scenario that the OP might not have thought about.

So, whats your point? What if someone is using a public computer but does not close the browser? You have the same result as using a persistent cookie. Atleast with the persistent cookie of 20 minutes it is invalid after that time. The session cookie remains valid as long as the browser remains open. So how is that better?

No, the session would remain until the session expires, not indefinitely just because the browser is left open. You could set session expiry time to 20 minutes too if you wanted to. I am talking about the "session" in PHP rather than the cookie itself.

Taken from the PHP manual
http://php.net/manual/en/function.setcookie.php

expire

The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

A non-persistent cookie remains valid for as long as the browser remains open.

Without a cookie there is no way to match it to the session on the server.
And you wouldn't use the PHP session cookie for an authentication now would you?