Session Fixation

[adon90]

Hello, could you explain a real attack scenario about the vulnerability you fixed in this commit?

800a20d

Regards, adon90

[adon90]

Could you tell if the ci_session cookie nowadays is not a md5? It seems it is not, since it uses session_id()

Can you tell me the last commit a md5 for the cookie is used? Trust me, it is not easy to find it.... thanks!

[narfbg]

I have no idea what you're talking about mate ... The commit you linked to fixes a syntax error and we haven't used md5 hashes for session IDs since CI2.

[adon90]

Hello, I am talking about this CVE https://nvd.nist.gov/vuln/detail/CVE-2018-12071 present in codeigniter before version 3.1.8.
I would like to know how this can be exploited for previous versions.
Regards, adon90

[sapics]

From your link, session.use_strict_mode was mishandled before 3.1.9.

A Session Fixation issue exists in CodeIgniter before 3.1.9
because session.use_strict_mode in the Session Library was mishandled.

You can find the detail of session.use_strict_mode from https://wiki.php.net/rfc/strict_sessions.

[rajat315315]

Is somebody monitoring issues like this. I guess this needs closure.

[mckaygerhard]

i guess still this have a bug.. seems validating session IDs are not working property.. respect cookies, stil when i made a redirect my session get empty and gone!