• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to fix session management issues found on a security audit

#1
I'm being audited for security, and received a report listing required fixes for my web application, regarding session management.

Theses are the things I'm required to change:
1. Create idle-timeout mechanism to end the session after 60 minutes of inactivity
- Easy enough. Under config.php I set $config['sess_expiration'] = 3600;

2. Set up a session timeout mechanism to end the session after a long time of activity, say 10 hours. This is to block scripts from using the application.
-This one is trickier. I couldn't find a config setting in CI to achieve this. Is there? If not - how would you recommend I implement this?

3. Session must be destroyed on application errors, so that on system crash, there will be no open session which another user can log on to.
- Huh? I'm not even sure what they mean by this... Huh  Any pointers would be highly appreciated.
How does CI handle sessions when an error has occurred?

I'm using CI 3.1.8, and this is the current session config I use:

PHP Code:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'cisession';
$config['sess_expiration'] = 3600;
$config['sess_save_path'] = BASEPATH '/cache/';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE

Thanks!

einav
Reply

#2
If you set an option in your sessions to define the session initial start, and extend the gc function of your intended session driver, you could add code to check how long since the session was initially created ( active or not ) and destroy anything over a set time period.

For destroying a session on application error, you'll need to catch the errors using try, catch routines and destroy the session whenever an error occurs. See https://www.php.net/manual/en/language.exceptions.php
Reply

#3
2. Set up a session timeout mechanism to end the session after a long time of activity, say 10 hours. This is to block scripts from using the application.

-This one is trickier. I couldn't find a config setting in CI to achieve this. Is there? If not - how would you recommend I implement this?

You would need to do this using JavaScript.

Here is a link to a script that you should be able to modify to do what you need.

Session Timeout Warning With Countdown Using PHP, jQuery And HTML
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.