

CVE-2022-46170: Merge pull request from GHSA-6cq5-8cj7-g558 · codeigniter4/CodeIgniter4@f9fb657

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler set to DatabaseHandler, MemcachedHandler, or RedisHandler, an attacker who obtains one session cookie (e.g., the one for user pages) may be able to access pages that require another session cookie (e.g., the admin pages). This issue has been patched; upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.


@@ -358,8 +358,8 @@ same way: unusable during the same request after you destroy the session.
You may also use the ``stop()`` method to completely kill the session by removing the old session_id, destroying all data, and destroying the cookie that contained the session id: by removing the old session ID, destroying all data, and destroying the cookie that contained the session ID:
… literalinclude:: sessions/038.php
@@ -390,26 +390,35 @@ all of the options and their effects. You’ll find the following Session related preferences in your **app/Config/App.php** file:
============================== ============================================ ================================================= ============================================================================================ Preference Default Options Description ============================== ============================================ ================================================= ============================================================================================ **sessionDriver** CodeIgniter\\Session\\Handlers\\FileHandler CodeIgniter\\Session\\Handlers\\FileHandler The session storage driver to use. CodeIgniter\\Session\\Handlers\\DatabaseHandler CodeIgniter\\Session\\Handlers\\MemcachedHandler CodeIgniter\\Session\\Handlers\\RedisHandler CodeIgniter\\Session\\Handlers\\ArrayHandler **sessionCookieName** ci_session [A-Za-z\_-] characters only The name used for the session cookie. **sessionExpiration** 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 **sessionSavePath** null None Specifies the storage location, depends on the driver being used. **sessionMatchIP** false true/false (boolean) Whether to validate the user’s IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. **sessionTimeToUpdate** 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. **sessionRegenerateDestroy** false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. 
============================== ============================================ ================================================= ============================================================================================ ============================== ================== =========================== ============================================================ Preference Default Options Description ============================== ================== =========================== ============================================================ **sessionDriver** FileHandler::class FileHandler::class The session storage driver to use. DatabaseHandler::class All the session drivers are located in the MemcachedHandler::class ``CodeIgniter\Session\Handlers\`` namespace. RedisHandler::class ArrayHandler::class **sessionCookieName** ci_session [A-Za-z\_-] characters only The name used for the session cookie. The value will be included in the key of the Database/Memcached/Redis session records. So, set the value so that it does not exceed the maximum length of the key. **sessionExpiration** 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 **sessionSavePath** null None Specifies the storage location, depends on the driver being used. **sessionMatchIP** false true/false (boolean) Whether to validate the user’s IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. **sessionTimeToUpdate** 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. **sessionRegenerateDestroy** false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. 
When set to false, the data will be later deleted by the garbage collector. ============================== ================== =========================== ============================================================
… note:: As a last resort, the Session library will try to fetch PHP’s session related INI settings, as well as legacy CI settings such as @@ -498,9 +507,9 @@ permissions will probably break your application. Instead, you should do something like this, depending on your environment ::
mkdir /<path to your application directory>/Writable/sessions/ chmod 0700 /<path to your application directory>/Writable/sessions/ chown www-data /<path to your application directory>/Writable/sessions/ > mkdir /<path to your application directory>/writable/sessions/ > chmod 0700 /<path to your application directory>/writable/sessions/ > chown www-data /<path to your application directory>/writable/sessions/
Bonus Tip --------- @@ -518,6 +527,8 @@ In addition, if performance is your only concern, you may want to look into using `tmpfs https://eddmann.com/posts/storing-php-sessions-file-caches-in-memory-using-tmpfs/\`_, (warning: external resource), which can make your sessions blazing fast.
… _sessions-databasehandler-driver:
DatabaseHandler Driver ======================
@@ -561,6 +572,10 @@ For PostgreSQL::
CREATE INDEX “ci_sessions_timestamp” ON “ci_sessions” (“timestamp”);
… note:: The ``id`` value contains the session cookie name (``Config\App::$sessionCookieName``) and the session ID and a delimiter. It should be increased as needed, for example, when using long session IDs.
You will also need to add a PRIMARY KEY **depending on your ‘sessionMatchIP’ setting**. The examples below work both on MySQL and PostgreSQL::
@@ -595,6 +610,8 @@ when it generates the code. done processing session data if you’re having performance issues.
… _sessions-redishandler-driver:
RedisHandler Driver ===================
@@ -631,6 +648,8 @@ sufficient:
… literalinclude:: sessions/041.php
… _sessions-memcachedhandler-driver:
MemcachedHandler Driver =======================
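Review bot: in the `@@ -390,26 +390,35 @@` hunk, the new sessionCookieName description tells the reader to "set the value so that it does not exceed the maximum length of the key" but gives neither a number nor a pointer to where that limit is defined. Since the fix makes the cookie name part of every Database/Memcached/Redis record key, the table should state the budget (cookie name + delimiter + session ID must fit the backend key, which for the database driver is the `id` column described later in the DatabaseHandler section) or cross-reference that section. Same hunk, style: the sessionMatchIP row still reads "some ISPs dynamically changes the IP"; it should be "change".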
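Review bot: in the `@@ -561,6 +572,10 @@` hunk, the added note's second sentence, "It should be increased as needed", has no clear antecedent; what is increased is the width of the `id` column in the CREATE TABLE above, not the value. Suggest: "The `id` column must be wide enough to hold the session cookie name, the delimiter and the session ID; increase its length as needed, for example when using long session IDs or a long cookie name." A long cookie name is now as much a reason to widen the column as a long session ID, because the name is part of the stored key.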

Related news

GHSA-6cq5-8cj7-g558: CodeIgniter4 Potential Session Handlers Vulnerability

### Impact

When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).

### Patches

Upgrade to v4.2.11 or later.

### Workarounds

- Use only one session cookie.

### References

- https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)
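As an added example (not CodeIgniter code and not part of the advisory), the following Python models the shared backend store behind the Database/Memcached/Redis handlers with two session cookie names. It shows why keying records by session ID alone lets a cookie value issued for user pages be replayed under the admin cookie name, while a key built from cookie name, delimiter and session ID (the scheme the 4.2.11 documentation describes) makes the same replay miss. The cookie names, the 128-character key width, the `logged_in` flag, and every function and class name are assumptions chosen for this model.

```python
import secrets
from typing import Dict, Optional

# Assumed names and limits for this model (not CodeIgniter defaults beyond ci_session)
USER_COOKIE = "ci_session"       # session cookie used by user pages
ADMIN_COOKIE = "admin_session"   # session cookie used by admin pages
KEY_MAX_LEN = 128                # assumed width of the backend's id column / key


class SessionStore:
    """One shared backend, as a DB/Memcached/Redis handler would use.

    namespaced=False models the pre-4.2.11 behaviour: records keyed by the
    session ID only, so every cookie name shares one namespace.
    namespaced=True models the fix: cookie name + delimiter + session ID,
    so the same ID resolves to different records under different cookies.
    """

    def __init__(self, namespaced: bool) -> None:
        self.namespaced = namespaced
        self._rows: Dict[str, Dict] = {}

    def key_for(self, cookie_name: str, session_id: str) -> str:
        key = f"{cookie_name}:{session_id}" if self.namespaced else session_id
        if len(key) > KEY_MAX_LEN:
            # With the cookie name inside the key, a long name can push the key
            # past the column width; fail loudly rather than silently truncate.
            raise ValueError(f"session key of {len(key)} chars exceeds {KEY_MAX_LEN}")
        return key

    def create(self, cookie_name: str, data: Dict) -> str:
        session_id = secrets.token_hex(20)   # 40 hex characters
        self._rows[self.key_for(cookie_name, session_id)] = dict(data)
        return session_id

    def read(self, cookie_name: str, session_id: str) -> Optional[Dict]:
        return self._rows.get(self.key_for(cookie_name, session_id))


def cookie_name_fits(cookie_name: str, session_id_len: int = 40) -> bool:
    """The documentation's advice: name + delimiter + session ID must fit the key width."""
    return len(cookie_name) + 1 + session_id_len <= KEY_MAX_LEN


def admin_page(store: SessionStore, cookies: Dict[str, str]) -> bool:
    """Gate for an admin page: resolve the admin cookie, then check the session it maps to.

    Assumes both login flows write the same 'logged_in' flag into their own session;
    whether a replayed record actually passes depends on what the page checks.
    """
    session_id = cookies.get(ADMIN_COOKIE)
    if session_id is None:
        return False
    session = store.read(ADMIN_COOKIE, session_id)
    return bool(session and session.get("logged_in"))


def replay_user_cookie_as_admin(namespaced: bool) -> bool:
    """Attacker holds only a user-pages cookie value and sends it as the admin cookie."""
    store = SessionStore(namespaced)
    store.create(ADMIN_COOKIE, {"logged_in": True, "role": "admin"})   # real admin, never leaked
    user_sid = store.create(USER_COOKIE, {"logged_in": True, "role": "user"})
    return admin_page(store, {ADMIN_COOKIE: user_sid})


if __name__ == "__main__":
    print("id-only keys, user cookie replayed as admin:", replay_user_cookie_as_admin(False))   # True
    print("namespaced keys, user cookie replayed as admin:", replay_user_cookie_as_admin(True))  # False
    print("cookie name 'ci_session' fits key width:", cookie_name_fits(USER_COOKIE))             # True
```

The `cookie_name_fits` check corresponds to the documentation's advice that the cookie name must not push the stored key past the backend's maximum: with the 40-character IDs modelled here and a 128-wide key, 87 characters remain for the name. The workaround of using a single session cookie removes the second namespace entirely, which is why it is effective even on the unpatched key scheme.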
