Why does Codeigniter do this? I mean isn't it very insecure if users can see which data is stored in their session? And and what if they change a value in the cookie?
Well, it's data about the user. If they want to change it... so what? I don't see how it's "insecure".
You can encrypt session data, or use databases for session data integrity verification.
The documentation is your friend; use it.
For what it's worth, it does seem daft that native PHP sessions aren't used. The documentation claims that this offers "more flexibility" to developers, but given the caveats listed on that page, I can't imagine how.
Storing session in Cookie is a worst practice, every browser has a size limit for cookie and cookie is a thing which get send every time with your request, though it is simple ajax request, this practice will only make your requests slow, I think while developing session library for Codeigniter they might hove thought, that user's will only store small amount of data in session, but its simply stupid idea to store a session in Cookie
check this out: https://bitbucket.org/xperez/core-session-storage-for-codeigniter
its a wrapper for ci_session interface with native php sessions and thus works also with memcached and not DB.
Cheers
Well, Codeigniter's out of the box interpretation of sessions is different to that of PHP sessions. You can still use PHP sessions if you want via the $_SESSION super global, but Codeigniter basically treats sessions as more convenient cookies. Although, you can make your sessions store in a database which is what I do and will prevent a user from changing session values.
If you want semi-secure session variables, use the in-built PHP ones if you don't want the hassle of making Codeigniter store session values in a database encrypted.
Everything is explained in the detailed documentation: http://codeigniter.com/user_guide/libraries/sessions.html
Related
I'm building a Laravel 9 app that relies a lot on saved data for the user. Currently, I'm using Sessions only to retrieve this data from the user later on (anywhere from 1-600 minutes after the first visit).
Would it be wiser to use Session AND Cookies together, or would it be obsolete? I'm guessing if we lose the session data somehow, then we would use the cookie data as well? Obviously, first looking at the Session data, if it doesn't exist, then check the Cookie data.
Are there any other viable mechanisms to save user data and retrieve it at a slightly later time?
You can update 'lifetime' in config/session.php.
Have a look at this:
https://stackoverflow.com/a/26231287/9882603
As the manual says:
Note: The Session class does not utilize native PHP sessions. It
generates its own session data, offering more flexibility for
developers.
But when I store some data using $this->session->set_userdata(array('sample_key' => 'sample_value'));, in phpinfo() I can find sample_key and sample_value in that.
I hoped that the part
does not utilize native PHP sessions
to be meaning that it hides the session variables from phpinfo().
I'd always thought that it might be a security lack. Could it be?
As it seems, the values are urlencodeed.
CodeIgniter's "session" just stores the data in a cookie, and calls it a session. Native PHP sessions store the data on the server, and a "sessionID" in a cookie.
In phpinfo, you can see the variables, but it's your session, you can't see another user's session.
How can I increase the security of my sessions?
$this->session->userdata('userid')
I've been throwing this little bad boy around for my ajax calls. Some cases I haven't. Then I was like, is this really secure using id from the DOM? what if the DOM is changed to hack user accounts data? So then I was like I guess anytime a user is doing something relating to their id, only sessions should be referenced. Am I right?
Referenced like so:
$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));
Then I read this:
While the session data array stored in the user's cookie contains a
Session ID, unless you store session data in a database there is no
way to validate it. For some applications that require little or no
security, session ID validation may not be needed, but if your
application requires security, validation is mandatory. Otherwise, an
old session could be restored by a user modifying their cookies.
http://codeigniter.com/user_guide/libraries/sessions.html
I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?
Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.
What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.
If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.
CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using
$this->session->userdata('userid');
you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.
There are several other protections around the session data: the short refresh timeout (usually 300 seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.
So, watch out for the guy sitting beside you!
I have a Symfony application which use a mysql database to store session data, and uses the SfGuard plugin to manage the authentication.
Despite that symfony allways save the authentication info in a cookie. Is there anyway i can disable cookies and store the authentication info in the database or in memory?
I might need in the future, to have a kind of single sign on feature, where the authentication state will persist between multiple applications, in different domains. Thats why I mostly want to eliminate the need to use cookies.
Thank you for your help.
You do not seem to understand how sessions work.
That cookie that gets sent to the cient is called the session id, and it's unique to the visitor. When he reqests a page from the server that cookie identifies the row in your session table where his data are - no data besides the ID is ever sent to the client.
Without that ID there's no way to pair a request to session data, that's why you could not log in anymore after disabling the cookies. The alternative to the cookie is to pass the session id some other way, like in the url - php can do that automatically, you just need to enable use_trans_sid in the php.ini.
Yes, you can store the authentication info in the database : See here how.
Which is the difference between sessions and cookies. I know that sessions are server side, and managed by the server, and the cookies are client side and managed by the browser.
I don't know why, but I see those things as rendundant. Which data have to be keept in a session variable and which on cookies?
Session is implemented with cookies. You would normally save in a cookie things like the user id, or some identifier that will allow you to know who the user is, and use that information as a key for your session variable on the server side.
Most importantly, you wouldn't want any secret information being stored on the client side, since cookies can easily be stolen (from a security point of view).
Don't forget that HTTP is stateless, so cookies are just a way to bypass this.
In short, cookies are more persistent than sessions. As soon as you close your browser, the session information is gone. Therefore a session has no way to store information about a website/user pair. Cookies do, and are used for things like allowing you to stay logged in to a website, or storing preferences for that website (e.g. language).
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
see http://php.about.com/od/learnphp/qt/session_cookie.htm
Cookies are for small data. They can only hold strings.
In session variables you're able to store objects in the server memory.