Sunday, August 10, 2014

CI invalid session

Strange session behaviour

What does it look like?

Lately at work we ran into a strange behaviour: users were being logged out at irregular intervals. We used the CodeIgniter PHP framework to develop a web application. We had noticed this problem earlier on, but we couldn't reproduce it on purpose. It occurred randomly, so it was almost impossible to debug. But one day we found that if the screen with the map of the POI positions was repeatedly updated at intervals of a few seconds, the problem occurred more often.

What was the problem?

The session had not expired, as we first thought; the cookie was somehow being cut off by about 10-20 symbols. The problem was in the xss_clean method of the CodeIgniter Security class, which is meant to prevent cross-site scripting. To be exact, the offender was the regular expression that tries to filter every onEvent JavaScript function. So if your generated cookie contained the substring "#### on SOMETHING=", it removed the part "SOMETHING=". The application then looked the same as when a session expires.

How to fix it?

There were a few options. One was to change the regular expression for the event handlers (which might lead to a security risk); another was to simply overwrite the cut cookie with the full cookie at the right place.

// The first entry in $evil_attributes ('on\w*') causes the problematic logging out
protected function _remove_evil_attributes($str, $is_image)
{
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
  // ...
}
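
A minimal reproduction of the truncation described above, as an added example that is neither CodeIgniter's code nor the original post's. `strip_event_attrs()` and `token_survives_filter()` are hypothetical helpers, the regular expression is a simplified stand-in built around the `on\w*` entry, and both cookie values are constructed.

```php
<?php
// Added example: simplified stand-in for an attribute filter built on the
// 'on\w*' pattern. This is NOT CodeIgniter's implementation; it only models
// the effect described in the post (text shaped like on<word>= is removed).
function strip_event_attrs(string $value): string
{
    // 'on', any word characters, optional whitespace, '=', then the
    // unquoted "attribute value" up to the next whitespace or '>'.
    return preg_replace('/on\w*\s*=\s*[^\s>]*/i', '', $value);
}

// Hypothetical guard: an opaque token must pass through the filter unchanged.
// If it does not, the filter is corrupting data rather than removing markup.
function token_survives_filter(string $token): bool
{
    return strip_event_attrs($token) === $token;
}

// Constructed samples: a base64-style session blob whose tail happens to
// contain "oN" + word characters + "=" padding, and one that does not.
$samples = array(
    'corrupted' => 'a1B2c3D4e5F6g7H8+/k9oNq3Zx8=',
    'intact'    => 'a1B2c3D4e5F6g7H8+/k9pMq3Zx8=',
);

foreach ($samples as $label => $cookie) {
    $filtered = strip_event_attrs($cookie);
    printf(
        "%-9s in=%d bytes out=%d bytes survives=%s\n",
        $label,
        strlen($cookie),
        strlen($filtered),
        token_survives_filter($cookie) ? 'yes' : 'no'
    );
}
```

Because the match depends on the random content of each generated cookie, only some sessions are affected, which fits the irregular logouts. A guard like this in a test suite shows whether session tokens are being passed through markup sanitisation at all.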