8

I'm developing a web application using Codeigniter. When a user authenticates with my site I'm currently storing their 'user-identifier' in my session cookie (which I have enabled encryption on). Several of my model classes use the value in 'user-identifier' parameter of the session/cookie to make changes to properties of user accounts.

My concern is that I'm wondering if it's possible for someone to take a valid codeigniter-session cookie with a user-identifier that I've set, change the user-identifier's value to the value of a different user, and make changes to another user's account. Would codeigniter/php sessions create an error if someone attempted to change a property of a session cookie?

Casey Flynn
  • 13,654
  • 23
  • 103
  • 194

3 Answers3

21

Open your /application/config/config.php, locate "sess_use_database" and change it to "TRUE" if you haven't already. This way all session variables will be stored in a database table and session cookie will only contain session id string.

For added security, you can also change "sess_match_ip" to TRUE. This way if someone steals your user's cookie and tries to pass it as their own, session will be destroyed.

arnaslu
  • 1,044
  • 3
  • 11
  • 20
  • 3
    As of the latest CodeIgniter 3.0.1, the `sess_use_database` name has been replaced with `sess_driver` which can be set to `database`. The latest docs claim that the default `file` driver is the most safe choice: http://www.codeigniter.com/user_guide/libraries/sessions.html – Hamman Samuel May 21 '15 at 21:32
4

"if it's possible to take a valid codeigniter-session cookie change the user-identifier's value to the value of a different user, and make changes to another user's account."

My answer is not really CI related, so please bear that in mind.

When you auth the user "username1" what should be sent back to the client, for auth purposes, should be a hash that the server correlates to that user. All communication between the client and the server will rely on that hash.

The server will generate a unique hash per user and the hash should have a short time to live. Can someone capture a hash and pass as that user? Certainly. That's why you should also check for the user's Agent and IP to check if they match the hash in order to prevent session hijacking.

NEVER DO THIS:
If seen some new developers storing the username in a cookie and reliing on that client sent variable to update their databases. Never do this. Do not ever, ever trust the client. When the server gets the client's hash it should check if it belongs to an authenticated user and grab the user_id (variable to update the user data) from the server. NEVER from the client.

Frankie
  • 24,627
  • 10
  • 79
  • 121
3

I'm not sure what your "user identifier" is exactly. The general rule is, don't store anything in the session cookie but the session ID. Store everything else (like a user ID) internally on server side, and retrieve it using the session ID.

If the user changes the session ID (which is a random string), a new session will start. The idea behind the session ID is that it's impossible to guess other user's IDs - that's why it's random, and so long.

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • Do you happen to know if codeigniter's sessions class has functionality to do this? I agree that it's a good idea. For instance, if I do this: $this->sessions->set_userdata('id', 5); is this value passed back and forth in the cookie to the user or is just stored on the server and associated with a session id? – Casey Flynn Jun 11 '11 at 16:46
  • @Casey I'm not familiar with CI, but according to the [docs](http://codeigniter.com/user_guide/libraries/sessions.html), the data is indeed stored in the cookie. They show a secure database option though – Pekka Jun 11 '11 at 16:48
  • My 'user identifier' is basically the primary key of my user's table for each user. I'm using it in SQL queries to modify properties associated with each user. I'm aware this is probably terrible. – Casey Flynn Jun 11 '11 at 16:48
  • @Casey you definitely shouldn't have that in a cookie. Do store it on server side. (See the "Saving Session Data to a Database" chapter in the linked docs) – Pekka Jun 11 '11 at 16:49