are codeigniter sessions secure?

Question

I read about storing codeigniter sessions into a database. when I heard codeigniter sessions are saved into cookies and since my website is using sessions for authentication and set permissions, I got so worried so I designed code to check how cookies work:

session->set_userdata('username','administrator');
        $this->session->set_userdata('password','abcdef123456');
    }
}

/* End of file sess.php */
/* Location: ./application/controllers/sess.php */

This is the result cookie (ci_session):

a%3A7%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298867177e69b4d33059c7517782bdfc9%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22192.168.1.100%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28iPhone%3B+U%3B+CPU+iPhone+OS+3_0+like+Mac+OS+X%3B+en-us%29+AppleWebKit%2F528.18+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobil%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1373188924%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22username%22%3Bs%3A13%3A%22administrator%22%3Bs%3A8%3A%22password%22%3Bs%3A12%3A%22abcdef123456%22%3B%7D3ef00c243e040389e98ab204933d4c8c

containing raw data:

username%22%3Bs%3A13%3A%22 administrator %22%3Bs%3A8%3A%22password%22%3Bs%3A12%3A%22 abcdef123456 %22%3B%7D3ef00c243e040389e98ab204933d4c8c

I dont know how to change cookie in firefox, but if I do, would it cheat the server? how to prevent that? does saving sessions in database protect me from such frauds?

John Corry · Accepted Answer

Storing sensitive information in session data is probably not the best idea.
CI's session class has an encryption option, sess_encrypt_cookie, that will encrypt session data.
Yes, storing session data in the DB will provide another layer of security.

are codeigniter sessions secure?

Answers (1)

Related Questions