
I've been wondering about the security aspect of my application. I'm using the CodeIgniter PHP framework for my project.

I'd like to know some "expert" opinions on this. I have a login function. When a user logs in, the session is stored in the database. I added information like the user id to the session. A user can create a company. But to do that, I first check his account to see if he already has one. This session user id allows me to run a DB request to find that out. For example:

function create(){
    // Look up the current user by the id stored in the server-side session,
    // never by an id taken from the URL.
    $hasCompany = $this->Accountmodel->hasCompany($this->session->userdata('id'));
    if($hasCompany){
        // The user already owns a company: show the edit/delete panel.
        $data['company'] = $this->Companymodel->getCompanyInfo($this->session->userdata('id'));
        $this->load->view('company/panel', $data);
    }
    else{
        // No company yet: show the creation form.
        $this->load->view('company/create');
    }
}

And then if he has one, I can print the company edit/delete panel. It allows me to avoid the use of id parameters in the URL like: myserver.com/company/edit/[id]

So to get to the point, I was wondering if, in terms of security, this is OK or whether there is some kind of vulnerability.

Any advice is welcome!


Session hijacking would be a threat; the thread below explains how to avoid that.

What is the best way to prevent session hijacking?

  • I'm not sure it is; the session cookie has no information about the userdata I put in it. It just has a session id, which is always checked. CodeIgniter prevents that. [link](http://codeigniter.com/user_guide/libraries/sessions.html) 'CI Session' – CinetiK Oct 01 '12 at 11:28

If the session data is stored in the database and the session cookie is encrypted, using the data from the session is very secure.

The session cookie only holds the session ID, user agent and IP address. Moreover, the session expires every 5 minutes (by default), so in order to hijack the session someone needs to break the cookie encryption, set the IP and user agent to the ones stored in the cookie, and do all of this in the 5-minute window before the session ID changes.

This is (in my opinion) highly unlikely.

You may also want to enable the Cross Site Request Forgery (CSRF) option in your config file to increase your forms' security (though nothing replaces proper user-data validation).

  • Thanks a lot. I validate every user input heavily with form_validation. What will CSRF do for me? – CinetiK Oct 01 '12 at 11:38
  • If CSRF is enabled, the Security class will create a unique token for each form (you should use the `form_open()` function to create your forms with the required CSRF token included) and it will automatically check (at submission time) if the submitted token matches the one expected. This helps prevent CSRF form submissions (forms posted from another domain/page which may contain malicious fields/data/etc.). You can find some more technical details [in this blog post](http://www.beheist.com/index.php/en/blog/csrf-protection-in-codeigniter-2-0-a-closer-look) – Silviu G Oct 01 '12 at 11:57
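To make the settings this answer relies on concrete, here is an added example (not code from the question, either answer, or the CodeIgniter project) of the relevant entries in a CodeIgniter 2.x `application/config/config.php`, showing the framework defaults next to the hardened values; the `cookie_secure` line assumes the site is served over HTTPS, and the encryption key is a placeholder.

```php
<?php
// Added example: CodeIgniter 2.x application/config/config.php entries
// for the session and CSRF behaviour discussed in the answer above.

// --- Session library ---
// Keep session data server-side; the cookie then carries only the
// session id, IP address, user agent and timestamps.
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // seconds of inactivity before the session dies
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;   // default FALSE; needs encryption_key below
$config['sess_use_database']    = TRUE;   // default FALSE; needs the ci_sessions table
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;   // default FALSE; reject the cookie from another IP
$config['sess_match_useragent'] = TRUE;   // default TRUE
$config['sess_time_to_update']  = 300;    // regenerate the session id every 5 minutes (default)

// Mandatory when sess_encrypt_cookie is TRUE: a 32-character random key.
// Placeholder value; generate your own and keep it out of version control.
$config['encryption_key'] = 'REPLACE_WITH_32_RANDOM_CHARACTERS';

// --- Cookies ---
// Only send the session cookie over TLS (assumes an HTTPS-only site).
$config['cookie_secure'] = TRUE;          // default FALSE

// --- CSRF protection ---
// When enabled, form_open() adds a hidden token field and the Security
// class rejects any POST whose token does not match the CSRF cookie.
$config['csrf_protection'] = TRUE;        // default FALSE
$config['csrf_token_name']  = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire']      = 7200;       // token lifetime in seconds
```

With `csrf_protection` on, views must build forms with `form_open()` (or emit the token manually); a plain `<form>` tag will have its submissions rejected.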