Codeigniter is one of my favorite PHP framework. Like every one else, I’ve learned PHP MVC programming with this framework. Today, I decided to analyze Codeigniter for PHP Object Injection Vulnerability.
I’ll focus on Session mechanism of Codeigniter at rest of this write-up . All method that I will explain are located in CodeIgniter/system/libraries/Session.php file. Also I used Codeigniter 2.1 stable release for this research.
Codeigniter Session Mechanism
CI use serialization methods of PHP to store variables in user session. But Codeigniter session mechanism is not working like we expect. It stores session variables in client’s cookie. We expect that Codeigniter stores session variables at server side, mostly on disk instead of user cookie. I don’t know why developers decided to this way.
Following description grabbed from codeigniter documentation.
The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie. Even if you are not using encrypted sessions, you must set an encryption key in your config file which is used to aid in preventing session data manipulation.
In this write-up we will analyze the possibilities of session data manipulation and so on.