CodeIgniter Unsafe Session Configuration
ID | php.codeigniter_unsafe_session_configuration
Severity | high
Resource | Misconfiguration
Language | PHP
Tags | CWE:1004, CWE:1275, CWE:315, CWE:539, CWE:614, NIST.SP.800-53, PCI-DSS:6.5.10, codeigniter
Description
This vulnerability occurs when sessions are configured insecurely, leading to potential session hijacking or fixation attacks. Improper session management can result in unauthorized access to sensitive information.
Rationale
Cookies are often used to store session identifiers and other sensitive information. Several potential vulnerabilities arise if cookies are not handled securely:
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie: Storing sensitive information in cookies without encryption can lead to unauthorized disclosure.
- CWE-539: Use of Persistent Cookies Containing Sensitive Information: Persistent cookies that remain valid after a session can be exploited if not handled properly.
- CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute: Cookies without the Secure attribute can be transmitted over unencrypted connections, exposing them to interception.
- CWE-1004: Sensitive Cookie without 'HttpOnly' Flag: Cookies accessible to client-side scripts can be stolen via cross-site scripting attacks.
- CWE-1275: Sensitive Cookie with Improper 'SameSite' Attribute: The SameSite attribute controls how cookies are sent with cross-domain requests. It may take one of three values: 'Lax', 'Strict', or 'None'. If 'None' is used, a website may issue a cross-domain POST request to another website and the browser automatically attaches the cookies to that request. This may lead to Cross-Site Request Forgery (CSRF) attacks if no additional protections (such as anti-CSRF tokens) are in place.
Here is a vulnerable code example for CodeIgniter:

    <?php
    class ExampleController extends CI_Controller {
        public function __construct() {
            parent::__construct();
            $this->load->library('config');
            $this->config->set_item('cookie_samesite', 'Lax');
            $this->config->set_item('cookie_secure', FALSE);
            $this->config->set_item('cookie_domain', '.myorg.com');
            $this->config->set_item('cookie_path', '/');
            $this->config->set_item('cookie_httponly', FALSE);
        }
    }

In the code above, the session cookie is configured insecurely: it is sent without the Secure and HttpOnly flags, SameSite is only 'Lax', and the cookie is scoped to every subdomain of myorg.com and to every path.

The same settings are also configurable in application/config/config.php for CodeIgniter:

    <?php
    defined('BASEPATH') OR exit('No direct script access allowed');
    $config['sess_expiration'] = 7200;
    $config['cookie_domain'] = '.myorg.com';
    $config['cookie_path'] = '/';
    $config['cookie_secure'] = false;
    $config['cookie_httponly'] = false;
    $config['cookie_samesite'] = 'Lax';

Remediation
To secure cookies in web applications, implement the following practices:
- Use the Secure Attribute: Always set the Secure attribute on cookies if your application supports HTTPS. This ensures cookies are only sent over secure channels.
- Set the HttpOnly Attribute: Apply the HttpOnly attribute to cookies that store sensitive data, preventing access from client-side scripts and mitigating XSS risks.
- Avoid Storing Sensitive Data in Cookies: Encrypt any sensitive data stored in cookies and, where possible, avoid storing information like passwords or sensitive session data directly.
- Manage Cookie Expirations Wisely: Use session cookies rather than persistent ones for sensitive information, ensuring they expire appropriately and reduce the risk of exploitation.
- Regularly Audit Cookie Usage: Review the cookies in use on your website to ensure best practices are consistently applied.
The sanitized version of the previous example would look like this:

    <?php
    class ExampleController extends CI_Controller {
        public function __construct() {
            parent::__construct();
            $this->load->library('config');
            $this->config->set_item('cookie_samesite', 'Strict');
            $this->config->set_item('cookie_secure', true);
            $this->config->set_item('cookie_domain', 'www.myorg.com');
            $this->config->set_item('cookie_path', '/dashboard');
            $this->config->set_item('cookie_httponly', true);
        }
    }

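As an added example supporting the "Regularly Audit Cookie Usage" practice above (it is not part of the detector or of CodeIgniter), the following script loads a CodeIgniter 3 application/config/config.php and reports the cookie settings this rule flags. It assumes PHP 7.4 or later, the config keys shown on this page, and a constructed sample mirroring the vulnerable config when no file path is given.

```php
<?php
// Added example, not part of the detector or of CodeIgniter: audits the cookie
// settings of a CodeIgniter 3 application/config/config.php against this rule.
// Usage: php audit_cookie_config.php [path/to/application/config/config.php]
// Without a path it audits a constructed copy of the page's vulnerable config.

function loadCookieConfig(string $file): array {
    // config.php begins with defined('BASEPATH') OR exit(...), so satisfy it.
    defined('BASEPATH') OR define('BASEPATH', dirname($file) . '/');
    $config = [];
    require $file;   // the file assigns into $config in this function's scope
    return $config;
}

function auditCookieConfig(array $config): array {
    $findings = [];
    $get = fn(string $key, $default) => $config[$key] ?? $default;

    if ($get('cookie_secure', false) !== true) {        // CWE-614
        $findings[] = "cookie_secure must be true so the cookie never travels over plain HTTP";
    }
    if ($get('cookie_httponly', false) !== true) {      // CWE-1004
        $findings[] = "cookie_httponly must be true to keep the cookie away from scripts";
    }
    $sameSite = strtolower((string) $get('cookie_samesite', 'Lax'));
    if ($sameSite !== 'strict') {                       // CWE-1275
        $findings[] = "cookie_samesite is '{$sameSite}'; use 'Strict' so cross-site requests omit it";
    }
    $domain = (string) $get('cookie_domain', '');
    if ($domain === '' || $domain[0] === '.') {         // shared with every subdomain
        $findings[] = "cookie_domain '{$domain}' is not pinned to a single host";
    }
    if ((string) $get('cookie_path', '/') === '/') {    // visible to every route
        $findings[] = "cookie_path '/' exposes the cookie to the whole site";
    }
    return $findings;
}

// Constructed sample mirroring the vulnerable config.php shown above.
$sample = [
    'cookie_domain' => '.myorg.com', 'cookie_path' => '/',
    'cookie_secure' => false, 'cookie_httponly' => false, 'cookie_samesite' => 'Lax',
];
$config = isset($argv[1]) ? loadCookieConfig($argv[1]) : $sample;
$findings = auditCookieConfig($config);
foreach ($findings as $f) {
    echo "FINDING: $f\n";
}
exit($findings ? 1 : 0);
```

Run against the sanitized values above (Strict, true, www.myorg.com, /dashboard, true) the script reports nothing and exits 0, so it can serve as a CI gate on the config file.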
Configuration
The detector has the following configurable parameters:
- checkPersistence: indicates whether the persistence of the cookie must be checked.
- invalidDomainPattern: the pattern used to detect invalid domain names.
- invalidPathPattern: the pattern used to detect invalid paths.
- enforceHttpOnly: indicates whether the HttpOnly flag of the cookie must be checked.
- enforceSecure: indicates whether the Secure flag of the cookie must be checked.
- sameSiteValue: the value expected for the SameSite attribute of the cookie.
References
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie.
- CWE-539: Use of Persistent Cookies Containing Sensitive Information.
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
- CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag.
- CWE-1275: Sensitive Cookie with Improper SameSite Attribute.
- OWASP Top 10 2021, Category A05: Security Misconfiguration.