Unexpected Session Logout Issue in CodeIgniter: A Case Study

The Problem

Recently, at work, we encountered a puzzling issue with our web application, which was built using the CodeIgniter PHP framework. Users were being logged out unexpectedly, and the logout behavior was irregular and hard to predict. Although we noticed this problem early on, it was difficult to reproduce consistently, making debugging a challenge.

The issue seemed random, but we eventually observed that it occurred more frequently when the screen displaying a map of POI (Points of Interest) positions was refreshed at short intervals, such as every few seconds.

What Was the Cause?

Initially, we suspected the session was expiring prematurely. However, upon closer inspection, we discovered that the session cookie was being truncated—losing about 10 to 20 characters. This led us to investigate the CodeIgniter Security class, specifically the xss_clean function, which is designed to prevent cross-site scripting (XSS) attacks.

The root cause was a regular expression within xss_clean that was overly aggressive in filtering out JavaScript onEvent handlers. If the generated cookie contained a substring like "#### on SOMETHING=", the regular expression would remove the "SOMETHING=" part, leading to a truncated cookie. This behavior mimicked the symptoms of an expired session, causing users to be logged out.

How Did We Fix It?

We had a few options to resolve the issue:

  1. Modify the Regular Expression: We could adjust the regular expression to be less aggressive in filtering, though this might introduce a security risk by allowing some potentially harmful scripts to pass through.

  2. Restore the Full Cookie: A safer approach was to overwrite the truncated cookie with the full, original version at the appropriate point in the code. This ensured the session remained intact without compromising security.

We opted for the second solution, which effectively resolved the problem without introducing additional vulnerabilities.

       

<? 
// the first parameter in $evil_attributes do the problematic logging out 
//...
protected function _remove_evil_attributes($str, $is_image)
 {
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
 }
// ...
?>

Comments

Post a Comment

Popular posts from this blog

Play table

Image
Using proximity sensors for playing midi tones combined with LED visualization Description The goal of this project was to create a table-sized device equipped with multiple proximity sensors capable of playing MIDI tones. Each sensor is accompanied by LEDs that indicate the distance of the user's hand above the table. This interactive table can be used by one or more people simultaneously. Hardware Setup I began with a cardboard prototype to test the sensors and the underlying logic. Afterward, I ordered a custom plottered sticker with a design which was painted with bare conductive paint. I drilled holes and connected the touchboard to seven Arduino Nanos, each controlling 13 LEDs. Additionally, I incorporated two potentiometers: one for volume control and another for changing the note setup. Programming The programming task was divided into two parts: Master Program (Touchboard): Reads values from the proximity sensors and sends messages to the slave Arduinos. Sl
Read more

Counting dice and train wagons using computer vision

Image
Computer vision exercises with preprocessing Before starting my next project, I decided to work on some computer vision exercises. Each example is based on straightforward image preprocessing techniques. No complex data structures or machine learning are involved. Dice Detection I got this idea while browsing the net and became curious about how challenging it would be to write such a script. Here’s a step-by-step breakdown of the algorithm: Movement Detection : By comparing several frames with thresholds, we can determine if there is any movement in the frame. Adding a small time buffer after the movement stops gives us more accurate information. Removing the Background : Thresholding the grayscale frame helps to remove the background, leaving us with a binary image that highlights the objects. Cropping the Objects : Using contours, we can detect and isolate the objects by cropping them. Detecting Dots : By inverting the image, the dots on the dice become more distinguish
Read more

Skate Tricks Recognition Using Gyroscope

Image
In this article, we’ll describe how to recognize skateboard tricks using a gyroscope. This sensor is already present in most smartphones, but if you’re not familiar with it, here is a description . Before we dive in, a small disclaimer: This project originated as part of a Slido hackathon with the goal of demonstrating that it’s possible to recognize skateboard tricks using a gyroscope. For simplicity, we’ll focus on recognizing just two basic tricks and won’t consider the skater’s stance on the board. We’ll break down the problem into several smaller tasks: recording the trick, storing the data, describing the trick, analyzing it, and, finally, recognizing it. Recording the Trick Let’s start with trick recording. To obtain precise data, the device with the gyroscope needs to be attached directly to the skateboard. Place it on the bottom of the board to avoid interfering with the execution of the trick. The device should also be compact and lightweight to avoid altering the board’s cen
Read more