How To Fix CodeIgniter Session Fixation & Hijacking Attack

Reading Time: 11 minutes

Inside this article we will see the concept of solving this major issue over any CodeIgniter application built in any version i.e Session Fixation Session Hijacking Attack in CodeIgniter.

Web application threats that include unauthorised access to user sessions are known as session fixation and hijacking.

This tutorial guides you the complete basics to secure your web applications i.e How To Fix CodeIgniter Session Fixation & Hijacking Attack.

Learn More –

Let’s get started.

What is Session Fixation Session Hijacking attack?

CodeIgniter is an open source provided PHP framework. Many of the web applications are running nowadays over this technology over the globe.

When any CodeIgniter application runs of any version like it will be of v3.x or v4.x at Chrome browser (you can choose any browser). A key ci_session is stored in Application Tab of Developer Console Tab of browser(in Chrome). It is session value but stored in Cookies tab. This value is auto generated a encrypted key of CodeIgniter Application, which contains user details if he/she authenticated into application.

If you change this key name ci_session via application configuration then this cookie variable will have different name.

This session or cookie can be reused anywhere into the same system or different system of same network during the login phase. Reused in the sense a unauthenticated user can use a protected application even not going through login step.

Let’s see How it is possible?

Why any Application have Session related issues?

Web application have the key parameters to maintain user state is by either session and/or cookie for each request-response between. If this value will not be updated or removed from its previous state then it can happily used same application into different network.

Let’s do a test of CodeIgniter v3.x application.

How we check Session Hijack and Session Fixation?

As we discussed, CodeIgniter application stores a key with the name of ci_session in Cookies of developer console tab. So let’s practically by taking an application to understand.

I am opening a web portal created in CodeIgniter v3.x into Chrome browser.

Step 1

Opening application into chrome, have a look this image.

Inside this image we have pointed address bar URL of application which is for now a login URL, login layout & Application tab at developers console. We can get developers console by right click into the web page. Every codeigniter application injects a session id value.

Let’s pass correct details of admin.

Step 2

We are now on admin dashboard.

Copy & Paste dashboard URL somewhere into the Notepad from address bar. Keep in mind this dashboard route is protected. We can’t open this URL directly into browser without login. We need a valid login details to get that.

Next, what we have to do?

Go to developers console Copy & Paste ci_session value which is something ql1… in my case. In your case this key may be different. Keep this application live into chrome browser.

Step 3

Open any other available browser at your system. I am opening Firefox. At this browser same application needs to open –

Again this application generated a new session key as we can see inside developers tab. Next, you need to replace this key with your copied session_key from previous browser. Done that, simply double click on value section and paste your copied key.

Put your copied dashboard URL into this address bar URL. Means you are going to change from Login Url to Dashboard Url.

As you can see, I have done the same.

Step 4

Now reload the page with after doing these settings. You can see we have the same dashboard which we have opened at chrome browser after passing admin details.

But the same dashboard we an access into different browser with the same session key without even passing any login details to form.

This is complete demonstration of Session Hijack and/or Session Fixation. Session fixation simply means session value has been fixed. So we need to regenerate after a specific time period, so that it will not used again.

By default in codeigniter session key updates in 300 seconds. We can change it to 1 second including other settings as well. We will see in few seconds.

If your application doesn’t acting like this it means all okay, no need to worry.

Let’s get started for the solution.

How to Fix this?

As we have seen & get idea about session issue. To fix this issue, very few simple settings we need to do in application configuration.

Let’s do settings according to CodeIgniter’s version –

CodeIgniter v3.x

Open /application/config/config.php, we need to update some settings of session values as well as some cookie values.

Session Settings –

Initially you will get these

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

Updated to these settings –

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 1;
$config['sess_regenerate_destroy'] = TRUE;

If your application is running at https://

Cookie Initial Settings –

$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;

Updated to these –

$config['cookie_secure'] = TRUE;
$config['cookie_httponly'] = FALSE;

These are the things we have set to CodeIgniter v3.x for session attack.

CodeIgniter v4.x

For application configuration file. We have two options either we need to work on .env file or need to work on App.php file. Means we can do application configuration in any of these files.

For .env, need to go to project root .env. Initially that file will be without dot (env). First you need to rename it as .env.

Inside this file you will find the settings of session + cookie. Only we need to update those.

Session Settings :

Initially it will be –

# app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
# app.sessionCookieName = 'ci_session'
# app.sessionSavePath = NULL
# app.sessionMatchIP = false
# app.sessionTimeToUpdate = 300
# app.sessionRegenerateDestroy = false

Updated to these –

app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
app.sessionCookieName = 'ci_session'
app.sessionSavePath = NULL
app.sessionMatchIP = true
app.sessionTimeToUpdate = 1
app.sessionRegenerateDestroy = true

Cookie Settings


# app.cookieSecure = false
# app.cookieHTTPOnly = false

Updated to these

app.cookieSecure = true
app.cookieHTTPOnly = false

For App.php, need to go to – /app/Config folder.

Inside this class you will find the settings of session + cookie. Only we need to update those.

Session Settings :

Initially it will be –

public $sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler';
public $sessionCookieName = 'ci_session';
public $sessionExpiration = 7200;
public $sessionSavePath = WRITEPATH . 'session';
public $sessionMatchIP = false;
public $sessionTimeToUpdate = 300;
public $sessionRegenerateDestroy = false;

Updated to these –

public $sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler';
public $sessionCookieName = 'ci_session';
public $sessionExpiration = 7200;
public $sessionSavePath = WRITEPATH . 'session';
public $sessionMatchIP = true;
public $sessionTimeToUpdate = 1;
public $sessionRegenerateDestroy = true;

Cookie Settings


public $cookieSecure = false;
public $cookieHTTPOnly = false;

Updated to these

public $cookieSecure = true;
public $cookieHTTPOnly = false;

All Done !

We hope this article helped you to learn about How To Fix CodeIgniter Session Fixation & Hijacking Attack in a very detailed way.

Online Web Tutor invites you to try Skillshike! Learn CakePHP, Laravel, CodeIgniter, Node Js, MySQL, Authentication, RESTful Web Services, etc into a depth level. Master the Coding Skills to Become an Expert in PHP Web Development. So, Search your favourite course and enroll now.

If you liked this article, then please subscribe to our YouTube Channel for PHP & it’s framework, WordPress, Node Js video tutorials. You can also find us on Twitter and Facebook.

Sanjay KumarHello friends, I am Sanjay Kumar a Web Developer by profession. Additionally I'm also a Blogger, Youtuber by Passion. I founded Online Web Tutor and Skillshike platforms. By using these platforms I am sharing the valuable knowledge of Programming, Tips and Tricks, Programming Standards and more what I have with you all. Read more