3

I know this is a duplicate question Codeigniter/PHP sessions security question but sorry to tell all measure recommended there failed in my case and that is the reason why I am repeating this question and that question asked in 2011 and now its answers will be outdated. So please don't duplicate it.

In my scenario I enabled $config['sess_driver'] = 'database'; and $config['sess_match_ip'] = TRUE; in config file.

I also put csrf token and XSS filtering in my authentication form and always use active records to prevent any sort of SQL injection. For extra security, i also implemented 2-factor authentication, Google ReCaptcha and ip blocking on the 10th attempt. Still, all the above measures can only prevent brute force attack in my case and not session hijacking.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

I know using HTTPS can help as I can enable $config['cookie_secure']=TRUE; but I am not 100% sure about it as I can easily login to my twitter account my doing session hijacking and twitter use HTTPS.

I also tried my laravel app and its default middleware authentication system can be session hijacked.

So the basic problem is all my authentication work on the session and I don't know any other method to use authentication without using session.

If anybody has any idea of how to improve the security of my web application please help me.

Thanks in advance.

Community
  • 1
  • 1
Geordy James
  • 2,358
  • 3
  • 25
  • 34
  • Did you tried really? "If an attacker got ci_session value and my ip he can easily login in my website without any login credentials" – Giri Annamalai M Jan 31 '17 at 14:49
  • @blacmoon yes sir. But in my situation, I manually copy the ci_session cookie value in my laptop and paste it in the ci_session cookie in my desktop to bypass login. Both systems public ip same so ip blocking doesn't work. So if some malware gets ci_session cookie and ip address of system my application can be broken. – Geordy James Jan 31 '17 at 14:58
  • Try database option in session saving. may help. – Giri Annamalai M Mar 28 '17 at 13:16

2 Answers2

3

Preventing session fixation means to prevent the session ID from being stolen.

You've only failed if there is a way for it to be stolen. Worrying what happens after that is pointless.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

Nobody can just change their IP address to yours ...

Narf
  • 14,600
  • 3
  • 37
  • 66
  • if an attacker connects to my home internet he gets same public IP. Now if somehow stole session cookie from my laptop he can just copy and paste it on his laptop to gain access to my software. The above is a scenario tested my me and it works even I enable $config['sess_match_ip'] = TRUE; . – Geordy James Feb 01 '17 at 16:04
2

You can save visitors info in the session, as OS platform and browser and compare it every page load.

CI have an User Agent Library that help with this.

Also create a cookie changing the value on every page load and save the old value in a session every page load. Compare each request. Compare all, including the old session id and the old custom key used with this cookie.

CI have an Cookie Helper that help with this.

Regenerate your session id in a small period.

If any compared data is incorrect you can log out the user. Destroy the session and remove the cookie. Show some alert about this issue if necessary.

This will prevent that someone hack you from your network getting your session id. And caution with social enginnering.

I was searching this same issue.

Natan Felles
  • 1,031
  • 1
  • 9
  • 14