ci_session also needs the SECURE flag. Is this possible in CodeIgniter?
Any help regarding this? Please update.
It is possible. Sessions will apply certain cookie-related variables found in application/config/config.php, which include $config['cookie_secure']. Setting this to TRUE will set the SECURE flag on session cookies.
CSRF cookies will use $config['sess_expiration'], which, if set to 0 (zero), means the cookies will remain set until the browser is closed.
I am developing a site in Drupal 7 and I am doing a security audit for it. In the security audit, I am getting an issue for a persistent cookie. When I check the cookies for my site, there is one cookie named "text size" which is persistent, but I want a session cookie only. How do I achieve this? Please help.
Thanks in advance.
Screen shot of cookie view
You can unset the cookie in your module hooks, e.g. hook_boot or hook_init, in your custom module.
There you can just write:
setcookie("text size", "{yourValue}", 1);
For more information refer below:
How to unset a cookie in PHP?
http://php.net/manual/en/function.setcookie.php
After 3 days' research on it and the help of the answer provided by Mr. Vishwanath Polaki, I have finally reached my objective.
I have edited the textsize.module file.
setcookie("textsize", $textsize_normal, time()+$textsize_cookie_expires, $textsize_cookie_domain, "");
In the above statement I only replaced time()+$textsize_cookie_expires with the value 0.
Before the change: cookie-screen-before-updation
After the change: cookie-screen-after-updation
The expiration of the cookie has changed from a specific time to "At end of session".
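The two threads above (the CodeIgniter SECURE flag and the Drupal persistent cookie) come down to the same two setcookie() attributes: the expiry value and the Secure/HttpOnly flags. The following is an added example, not code from either post or from CodeIgniter or Drupal; it is plain PHP (7.3+ for the options-array form of setcookie()), and the cookie names and values are constructed for illustration. It builds the attributes both ways, renders the resulting Set-Cookie line so the difference can be inspected without a browser, and only calls setcookie() when running under a web SAPI.

```php
<?php
// Added example (not from the original posts): how the expiry value and the
// Secure/HttpOnly flags change the Set-Cookie header PHP emits. Plain PHP,
// framework-independent; cookie names and values are constructed.

declare(strict_types=1);

// Build the cookie attributes a framework such as CodeIgniter derives from its
// config (cookie_secure, sess_expiration), or that a Drupal module passes to
// setcookie() directly. $persistSeconds = 0 yields a session cookie that the
// browser discards when it closes; any positive value yields a persistent one.
function sessionCookieOptions(int $persistSeconds, bool $secure, bool $httpOnly): array
{
    return [
        'expires'  => $persistSeconds > 0 ? time() + $persistSeconds : 0,
        'path'     => '/',
        'domain'   => '',          // current host only
        'secure'   => $secure,     // only sent over HTTPS
        'httponly' => $httpOnly,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

// Render the same attributes as the Set-Cookie header line (an approximation of
// what PHP sends), so the effect can be inspected in a CLI run or a unit test.
function renderSetCookie(string $name, string $value, array $opts): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value)];
    if ($opts['expires'] > 0) {
        // Persistent cookie: both the legacy expires= and Max-Age= attributes.
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $opts['expires']) . ' GMT';
        $parts[] = 'Max-Age=' . ($opts['expires'] - time());
    }
    $parts[] = 'path=' . $opts['path'];
    if ($opts['domain'] !== '') {
        $parts[] = 'domain=' . $opts['domain'];
    }
    if ($opts['secure']) {
        $parts[] = 'secure';
    }
    if ($opts['httponly']) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $opts['samesite'];
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Persistent cookie with no flags: what the audit in the Drupal question flagged.
$weak = sessionCookieOptions(86400 * 30, false, false);
echo renderSetCookie('textsize', 'normal', $weak), PHP_EOL;

// Session-only cookie with Secure and HttpOnly: what the two fixes produce.
$hardened = sessionCookieOptions(0, true, true);
echo renderSetCookie('ci_session', 'constructed-session-value', $hardened), PHP_EOL;

// When a real response is being built, hand the same options to PHP itself.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    setcookie('ci_session', 'constructed-session-value', $hardened);
}
```

Run it from the command line to see the two header lines side by side: the first carries expires=/Max-Age= and no flags, the second carries neither expiry attribute (so it lives only for the browser session) plus secure and HttpOnly.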
I'm using Ajax to log in a user from a subdomain. The Yii2 app is on another subdomain. Both subdomains are configured to use the same cookie and session domains and save paths. I'm including the session ID with the Ajax call to write the user information to the same session used by the non-app subdomain, like this:
$session = Yii::$app->session;
$session->open();
$session->setId($post["session"]);
$session["user.id"] = $user->id;
echo $session->id; // This does not return the same ID originating from post!
Unfortunately the user information IS NOT written to the already existing session, but to a new one. Is there a session involved somewhere in the middle of the login process, or why isn't it working? I've also tried session_id($post["session"]), but nothing.
This was actually working on previous domain, so I must be missing something. All of the AJAX posted info is correct and checked, the user is logged in properly (checked the logs) but into wrong session.
Thanks in advance!
yii\web\Session::setId() is a wrapper for session_id(); you should read the PHP documentation about this function:
string session_id([ string $id ])
If id is specified, it will replace the current session id. session_id() needs to be called before session_start() for that purpose.
So you should simply try:
$session = Yii::$app->session;
$session->setId($customId);
$session->open();
I don't think you are following the correct way to SET & GET a session.
Try this:
$session = Yii::$app->session;
$session->open();
$session->set('id', $post["session"]);
echo $session->get('id');
For more info, please click Session Management - Yii2
Using the latest version of CakePHP, v2.3.3.
I have a problem with my session variables when a browser doesn't allow cookies.
I pass variables from one controller to the other and this works perfectly as long as the browser has cookies enabled. I have tried it with the Session helper in the controllers, but to no effect: same problem.
How do I fix this? Is there a workaround?
Cookies are required to keep track of the session ID, but you can manually get or set the session ID using $this->Session->id(). By adding the code below to the AppController's beforeFilter you can set the session ID as a URL parameter like http://example.com/posts/view/1?session=qkv108c2pqeubcpeos1q7ekds3, for example.
if (!empty($this->request->query['session'])) {
$this->Session->id($this->request->query['session']);
}
The session ID is required for every request, which means you have to include it in every link. I would suggest extending the HTML helper's url() and link() methods to automatically add it.
Edit:
You should verify that $this->Session->read('Config.userAgent'); or $this->request->clientIp(); has not changed since the user was authenticated to prevent session hijacking. Thanks to thaJeztah for pointing this out.
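Both the Yii2 answer (set the ID, then open the session) and the CakePHP answer (read the ID from the request, then verify the user agent) accept a session ID from the client, which is where session fixation starts. The block below is an added example in plain PHP, not code from either answer or from Yii2 or CakePHP. It takes the 'session' request key, the 'Config.userAgent' session key and the 'user.id' key from the posts above; the function names, the 22-256 length bound (PHP's allowed session.sid_length range) and the sample user id are assumptions made for the example.

```php
<?php
// Added example (not from the original answers): resuming a session from an ID
// supplied in the request, with the checks a reviewer would want around it.
// Plain PHP; function names and the user id are constructed for illustration.

declare(strict_types=1);

// session_id() only accepts the characters [a-zA-Z0-9,-]. A malformed ID would
// otherwise be silently replaced by a fresh one, which is exactly the "written
// to a new session" symptom described in the Yii2 question.
function isWellFormedSessionId(string $id): bool
{
    return preg_match('/\A[a-zA-Z0-9,-]{22,256}\z/', $id) === 1;
}

// Pick the session ID the client supplied: POST first (the Yii2 Ajax case),
// then the query string (the CakePHP ?session= case).
function suppliedSessionId(array $post, array $query): ?string
{
    foreach ([$post['session'] ?? null, $query['session'] ?? null] as $candidate) {
        if (is_string($candidate) && isWellFormedSessionId($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// The ID must be set BEFORE session_start(); this is the ordering the accepted
// Yii2 answer describes (setId(), then open()).
function resumeSession(?string $id): void
{
    if ($id !== null && session_status() === PHP_SESSION_NONE) {
        session_id($id);
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// The binding check from the CakePHP edit: the user agent recorded at login
// must still match, otherwise the session is not served.
function sessionBindingOk(array $session, string $userAgent): bool
{
    if (!isset($session['Config.userAgent'])) {
        return true;   // nothing recorded yet: a fresh session
    }
    return hash_equals((string) $session['Config.userAgent'], $userAgent);
}

// Request wiring. After a successful authentication the ID is regenerated, so
// an ID chosen by someone else before login cannot be reused afterwards.
function handleLoginRequest(array $post, array $query, array $server): array
{
    resumeSession(suppliedSessionId($post, $query));
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if (!sessionBindingOk($_SESSION, $ua)) {
        session_unset();
        session_destroy();
        return ['status' => 'rejected', 'reason' => 'user agent changed'];
    }
    // ... authenticate $post['username'] / $post['password'] here (omitted) ...
    session_regenerate_id(true);
    $_SESSION['Config.userAgent'] = $ua;
    $_SESSION['user.id'] = 42;   // constructed user id
    return ['status' => 'ok', 'session' => session_id()];
}

// Typical call from a front controller (constructed input for a CLI run):
$result = handleLoginRequest(
    ['session' => 'qkv108c2pqeubcpeos1q7ekds3', 'username' => 'alice'],
    [],
    ['HTTP_USER_AGENT' => 'constructed-agent/1.0']
);
echo json_encode($result), PHP_EOL;
```

Because session_regenerate_id() issues a new ID, the response returns it; with the shared cookie domain described in the Yii2 question the accompanying Set-Cookie updates the other subdomain as well, and a caller that carries the ID in URLs (the CakePHP case) has to switch to the returned value. Enabling session.use_strict_mode on top of this makes PHP refuse any ID it did not issue itself.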
Because European privacy law is being harshly applied in the Netherlands, and to keep my company's site user-friendly without nagging the users with questions about whether it's okay to store a cookie on their computer that allows me to access their client data:
What I need is a way to "overwrite" the native PHP sessions class so that at the point where the native class requests the cookie that stores the phpsessid, I can place my own code there that checks the browser's fingerprint and matches that to a session ID which I can use to return the normal working of the native class.
My idea is:
table sess_fingerprints
Fields: fingerprint - phpsessid
function getsessionid($userfingerprint)
{
    // Look up the PHP session ID previously stored for this browser fingerprint.
    // A bound parameter (?) is used instead of interpolating the value into the
    // SQL string; the database layer escapes it.
    $result = $this->db->query(
        "SELECT phpsessid
         FROM `sessiondatabase`.`sess_fingerprints`
         WHERE `sess_fingerprints`.`fingerprint` = ?",
        array($userfingerprint)
    );
    if($result->num_rows() != 0)
    {
        return $result->row()->phpsessid;
    }
    return NULL; // no session known for this fingerprint
}
At that point the native PHP session code just works as it normally would.
So, my question is: is it possible to overwrite only the "cookie" part of the PHP session class? If so, how? I haven't found that yet.
I'm aware of being able to pass along the session variable via URLs etc., but that's not secure enough for my web applications.
PHP provides support for custom session handlers:
http://php.net/manual/en/session.customhandler.php
I think I have found the solution to my problem.
I'm going to override the functions related to cookies by using http://php.net/manual/en/function.override-function.php
Thank you all for thinking along.
I'm using Connect.js and the connect-session module for managing session cookies. I noticed that Connect sets a session cookie on all routes except static files. The problem is that I process some static files like JS and CSS files before I send them so I can't use Connect's built-in static server, which means that connect-session sets a session cookie for these files. Since these files will be included on external sites, I don't want them to send cookies with them.
Is it possible to set session cookies only for specific routes?
If you are using Express, you can put app.use(express.static(path.join(__dirname, 'public'))); before app.use(express.session());.
Alright I found my answer here: http://senchalabs.github.com/connect/middleware-session.html
You can ignore routes by using connect.session.ignore like so: connect.session.ignore.push('/robots.txt');