How to Fix the Session Fixation / Session Hijacking Attack in CodeIgniter?


Session and cookie values are two security-sensitive parameters of an application. If they are taken out of the application, they can be used in a different browser on the same system or on a different system on the same network.

Securing session and cookie values is now very important for every application that wants to keep its users' trust.

In this article we will see how to solve this major issue, the Session Fixation / Session Hijacking attack, in a CodeIgniter application built on any version.

Let’s get started.


What is the Session Fixation / Session Hijacking Attack in CodeIgniter?

CodeIgniter is an open source PHP framework. Many web applications around the globe run on it today.

When a CodeIgniter application of any version (v3.x or v4.x) runs in Chrome (you can choose any browser), a key named ci_session is stored under the Application tab of the browser's developer console. It is the session value, but it is stored in the Cookies section. This value is an auto-generated, encrypted key of the CodeIgniter application, which contains the user's details if he/she has authenticated into the application.

If you change the key name ci_session in the application configuration, this cookie will have a different name.

This session or cookie value can be reused anywhere, on the same system or on a different system on the same network, during the login phase. Reused here means that an unauthenticated user can use a protected application without going through the login step.

Let’s see how this is possible.


Why Does an Application Have Session-Related Issues?

A web application maintains user state through a session and/or cookie value carried on each request and response. If this value is not updated or removed from its previous state, it can happily be reused with the same application on a different network.

Let’s test this on a CodeIgniter v3.x application.


How Do We Check for Session Hijacking and Session Fixation?

As discussed, a CodeIgniter application stores a key named ci_session in the Cookies section of the developer console. Let’s take an application and see this in practice.

I am opening a web portal created in CodeIgniter v3.x in the Chrome browser.

Step 1

Open the application in Chrome and have a look at this image.

In this image we have pointed out the address bar URL of the application, which for now is the login URL, the login layout, and the Application tab of the developer console. We can open the developer console by right-clicking on the web page. Every CodeIgniter application injects a session ID value.

Let’s enter the correct admin details.

Step 2

We are now on the admin dashboard.

Copy the dashboard URL from the address bar and paste it somewhere, such as Notepad. Keep in mind that this dashboard route is protected: we can’t open this URL directly in the browser without logging in. We need valid login details to get there.

Next, what do we have to do?

Go to the developer console, copy the ci_session value, which is something like ql1… in my case, and paste it somewhere. In your case this key may be different. Keep the application open in the Chrome browser.

Step 3

Open any other browser available on your system. I am opening Firefox. Open the same application in this browser.

Again the application has generated a new session key, as we can see in the developer tab. Next, replace this key with the session key copied from the previous browser: simply double-click on the value field and paste your copied key.

Put your copied dashboard URL into the address bar. That means you are changing from the login URL to the dashboard URL.

As you can see, I have done the same.

Step 4

Now reload the page after making these changes. You can see the same dashboard that we opened in Chrome after entering the admin details.

But we can access the same dashboard in a different browser with the same session key, without even entering any login details in the form.

This is a complete demonstration of session hijacking and/or session fixation. Session fixation simply means that the session value has been fixed. So we need to regenerate it after a specific time period, so that it cannot be used again.

By default, CodeIgniter updates the session key every 300 seconds. We can change this to 1 second, along with other settings. We will see that in a few seconds.

If your application doesn’t behave like this, everything is okay and there is no need to worry.

Let’s get started for the solution.


How to Fix This?

We have now seen the session issue and have an idea of how it works. To fix it, we need to change only a few simple settings in the application configuration.

Let’s apply the settings according to the CodeIgniter version –

CodeIgniter v3.x

Open /application/config/config.php. We need to update some session settings as well as some cookie settings.

Session Settings –

Initially you will get these –

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

Updated to these settings –

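$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = TRUE;           // validate the client IP address when reading the session
$config['sess_time_to_update'] = 1;        // regenerate the session ID every second
$config['sess_regenerate_destroy'] = TRUE; // destroy the old session's data when the ID is regenerated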

If your application is running at https://, update the cookie settings as well.

Cookie Initial Settings –

$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;

Updated to these –

$config['cookie_secure'] = TRUE; // send cookies only over HTTPS
$config['cookie_httponly'] = FALSE;

These are the settings we have changed in CodeIgniter v3.x against the session attack.

CodeIgniter v4.x

For application configuration we have two options: work in the .env file or in the App.php file. We can do the application configuration in either of these files.

For .env, go to the .env file in the project root. Initially that file will be named without the dot (env). First you need to rename it to .env.

Inside this file you will find the session and cookie settings. We only need to update those.

Session Settings :

Initially it will be –

# app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
# app.sessionCookieName = 'ci_session'
# app.sessionSavePath = NULL
# app.sessionMatchIP = false
# app.sessionTimeToUpdate = 300
# app.sessionRegenerateDestroy = false

Updated to these –

app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
app.sessionCookieName = 'ci_session'
app.sessionSavePath = NULL
app.sessionMatchIP = true
app.sessionTimeToUpdate = 1
app.sessionRegenerateDestroy = true
  

Cookie Settings

Initially

# app.cookieSecure = false
# app.cookieHTTPOnly = false

Updated to these

app.cookieSecure = true
app.cookieHTTPOnly = false
  

For App.php, go to /app/Config/App.php.

Inside this class you will find the session and cookie settings. We only need to update those.

Session Settings :

Initially it will be –

public $sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler';
public $sessionCookieName = 'ci_session';
public $sessionExpiration = 7200;
public $sessionSavePath = WRITEPATH . 'session';
public $sessionMatchIP = false;
public $sessionTimeToUpdate = 300;
public $sessionRegenerateDestroy = false;

Updated to these –

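public $sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler';
public $sessionCookieName = 'ci_session';
public $sessionExpiration = 7200;
public $sessionSavePath = WRITEPATH . 'session';
public $sessionMatchIP = true;           // validate the client IP address when reading the session
public $sessionTimeToUpdate = 1;         // regenerate the session ID every second
public $sessionRegenerateDestroy = true; // destroy the old session's data when the ID is regenerated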

Cookie Settings

Initially

public $cookieSecure = false;
public $cookieHTTPOnly = false;

Updated to these

public $cookieSecure = true; // send cookies only over HTTPS
public $cookieHTTPOnly = false;
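
The settings above can be checked mechanically. The following Python script is an added example, not code from the original article or from CodeIgniter: it reads a CI3 config.php, a CI4 App.php or a CI4 .env (using the key names shown on this page) and reports every setting whose effective value still differs from the article's updated value. A line that is missing or still commented out with # counts as the article's initial value; the function names and the sample input are constructed for illustration.

```python
import re

# name -> (article's initial value, article's updated value)
SETTINGS = {
    "sessionmatchip": (False, True),
    "sessiontimetoupdate": (300, 1),
    "sessionregeneratedestroy": (False, True),
    "cookiesecure": (False, True),
}

# Accepts the three forms shown on this page:
#   $config['sess_match_ip'] = TRUE;   (CI3 config.php)
#   public $sessionMatchIP = true;     (CI4 App.php)
#   app.sessionMatchIP = true          (CI4 .env)
# A line starting with '#' or '//' does not match, so it is ignored.
LINE = re.compile(
    r"""^\s*(?:\$config\[['"](\w+)['"]\]|public\s+\$(\w+)|app\.(\w+))\s*=\s*([^;#]+)"""
)

def normalize(key):
    """sess_match_ip and sessionMatchIP both become 'sessionmatchip'."""
    return re.sub(r"^sess_", "session_", key).replace("_", "").lower()

def parse_value(raw):
    raw = raw.strip().strip("'\"")
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.isdigit() else raw

def audit(text):
    """Return {setting: effective value} for settings that differ from the updated value."""
    effective = {name: initial for name, (initial, _) in SETTINGS.items()}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name = normalize(m.group(1) or m.group(2) or m.group(3))
            if name in SETTINGS:
                effective[name] = parse_value(m.group(4))
    return {n: v for n, v in effective.items() if v != SETTINGS[n][1]}

# Constructed sample: values edited in .env, but one line still commented out.
SAMPLE_ENV = """\
# app.sessionMatchIP = true
app.sessionTimeToUpdate = 1
app.sessionRegenerateDestroy = true
app.cookieSecure = true
"""

if __name__ == "__main__":
    print(audit(SAMPLE_ENV))  # {'sessionmatchip': False}
```

An empty result means all four settings the article changes are in effect in the file that was checked.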

All Done !

We hope this article helped you learn about the issue of session fixation and/or session hijacking in a detailed way.