This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

how does session data manipulation work with cookies?

May 21, 2012 4:49pm

  • #1 / May 21, 2012 4:49pm

    MikeW1911

    6 posts

    Around 31:15 of this video: codeigniter security tutorial, the guy changes the user_id session value to the admin user id and gains full access. I’m not sure what he did to change the session value.

    If I change my cookie values using a developer tool, would Codeigniter simply read the cookie values and change the corresponding session value?

  • #2 / May 21, 2012 5:19pm

    WanWizard

    4475 posts

    CI can encrypt the cookie payload by setting $this->session->sess_encrypt_cookie to TRUE (or in the config).

    Unfortunately, up until the latest release (2.1.0), the default is FALSE, which will open your app for this vulnerability.

    IMHO it should be TRUE by default to avoid beginners making errors like this, if you insist on using cookie-only sessions (which ideally you should avoid, don’t send session data to the client).

  • #3 / May 21, 2012 5:57pm

    MikeW1911

    6 posts

    If I use the native PHP session method using session_start() and the $_SESSION array do I avoid the problem of clients editing the cookie file to change session values (other than the session id)?

  • #4 / May 21, 2012 6:27pm

    WanWizard

    4475 posts

    No.

    Native sessions are inherently insecure, and even more so on a lot of shared hosts. CI doesn’t come with its own session library for nothing. 😉

    CI’s session library is secure, but unfortunately the defaults are not the best they could have picked. So in your application/config/config.php:

    $config['sess_cookie_name']  = 'cisession'; // get rid of the underscore, IE doesn't like it
    $config['sess_encrypt_cookie'] = TRUE; // do encrypt the cookie
    $config['sess_use_database'] = TRUE; // store session data in the database, not in the cookie
    $config['sess_match_ip']  = FALSE; // if you don't have users with alternating proxies, set this to TRUE too

    and create the session database as documented in the user guide.

  • #5 / May 21, 2012 6:35pm

    MikeW1911

    6 posts

    For the sake of learning, can you explain in detail why session data manipulation is possible without cookie encryption?

  • #6 / May 21, 2012 7:51pm

    CroNiX

    4713 posts

    Because the raw data in plain text is in a cookie, on your computer, which you can edit.  Picture someone storing the user level that you can just change to “admin” or something by editing the cookie.

    If you use the database, it stores the data in the database and only stores the session id in the cookie, so they can’t manipulate it.  And if the id is encrypted, it will be really hard for them to figure it out.

    Beyond that, cookies are limited to holding a total of 4k of data, which isn’t very much for apps that require larger session storage, which the database offers.

  • #7 / May 22, 2012 1:45pm

    MikeW1911

    6 posts

    I tried changing the cookie value for my test website, but the corresponding session value was unset. For example, in the cookie, I changed “user_id” to 2, but the “user_id” value in the session array was unset. Without cookie encryption, there still seems to be an md5 hash value associated with the cookie. So someone has to do more than just changing the cookie value to manipulate session array values?

  • #8 / May 22, 2012 1:55pm

    InsiteFX

    6819 posts

    CI sessions encrypts the session cookie!

    Look at the ./system/libraries/Session.php file.

  • #9 / May 22, 2012 2:44pm

    MikeW1911

    6 posts

    Can you please explain 31:15 of this video then: codeigniter security tutorial

  • #10 / May 22, 2012 3:09pm

    CroNiX

    4713 posts

    It gets encrypted automatically if you use the database for session storage.  If you aren’t you need to manually turn encryption on for sessions (which should be the default setting, IMO).

    Just use database sessions with encryption. It’s just a lot more secure because then all the user has access to is an encrypted session ID with no other data since that part is in the database, so they can’t manipulate it.

  • #11 / May 22, 2012 4:33pm

    WanWizard

    4475 posts

    As I wrote, it only encrypts the cookie if sess_encrypt_cookie is set to TRUE. By default, this value is FALSE.

    If the session cookie is not encrypted (due to the aforementioned flag), an MD5 hash is added to the cookie value, which is generated on the cookie contents + the encryption key set in the config.

    So, with the current CI version you can’t tamper with the values unless you regenerate the MD5 hash. And you need the encryption key for that, which I hope is set in your app, and completely random.

    If memory serves me right, the encryption key was introduced in CI 2.0, which means this tutorial was probably made using an older version, which didn’t have this extra security measure…

    Still, although tampering might not be that easy now, the session data is still readable, which is something you should avoid. Never expose server data to the client.
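The two points made in this thread, an integrity hash over the cookie contents plus the key (so a client-side edit is detected and the session is unset, as MikeW1911 saw in #7) versus storing only an opaque id in the cookie (the database mode CroNiX recommends in #6 and #10), as an added model that is not code from the thread or from CodeIgniter. JSON stands in for PHP serialize(), the key and session values are constructed, and the in-memory dict stands in for the ci_sessions table.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample key; CodeIgniter reads this from $config['encryption_key'].
ENCRYPTION_KEY = "constructed-example-key-not-a-real-one"

def build_cookie(session: dict, key: str = ENCRYPTION_KEY) -> str:
    """Cookie-only mode without sess_encrypt_cookie: serialized data followed by
    md5(data + key), the scheme WanWizard describes for unencrypted CI 2.x cookies."""
    data = json.dumps(session, sort_keys=True)
    return data + hashlib.md5((data + key).encode()).hexdigest()

def read_cookie(cookie: str, key: str = ENCRYPTION_KEY):
    """Return the session dict if the trailing 32-char hash matches, else None
    (the equivalent of CI unsetting the session on a mismatch)."""
    if len(cookie) <= 32:
        return None
    data, digest = cookie[:-32], cookie[-32:]
    expected = hashlib.md5((data + key).encode()).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return json.loads(data)

def client_edit_user_id(cookie: str, new_id: int) -> str:
    """Simulate the dev-tool edit from the thread: change the plaintext field but
    keep the old hash. Used only to show that read_cookie() rejects the result."""
    data, digest = cookie[:-32], cookie[-32:]
    session = json.loads(data)
    session["user_id"] = new_id
    return json.dumps(session, sort_keys=True) + digest

def peek_plaintext(cookie: str) -> dict:
    """WanWizard's last point: the hash stops tampering, but without encryption
    anyone holding the cookie can still read every field, no key needed."""
    return json.loads(cookie[:-32])

# Database mode: the cookie carries only a random id; the data never leaves the server.
SESSION_STORE: dict = {}  # stands in for the ci_sessions database table

def db_session_create(session: dict) -> str:
    sid = secrets.token_hex(16)  # 128 random bits, the only value sent to the client
    SESSION_STORE[sid] = dict(session)
    return sid

def db_session_read(sid: str):
    return SESSION_STORE.get(sid)
```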
