Unexpected Session Logout Issue in CodeIgniter: A Case Study

The Problem

Recently, at work, we encountered a puzzling issue with our web application, which was built using the CodeIgniter PHP framework. Users were being logged out unexpectedly, and the logout behavior was irregular and hard to predict. Although we noticed this problem early on, it was difficult to reproduce consistently, making debugging a challenge.

The issue seemed random, but we eventually observed that it occurred more frequently when the screen displaying a map of POI (Points of Interest) positions was refreshed at short intervals, such as every few seconds.

What Was the Cause?

Initially, we suspected the session was expiring prematurely. However, upon closer inspection, we discovered that the session cookie was being truncated—losing about 10 to 20 characters. This led us to investigate the CodeIgniter Security class, specifically the xss_clean function, which is designed to prevent cross-site scripting (XSS) attacks.

The root cause was a regular expression within xss_clean that was overly aggressive in filtering out JavaScript onEvent handlers. If the generated cookie contained a substring like "#### on SOMETHING=", the regular expression would remove the "SOMETHING=" part, leading to a truncated cookie. This behavior mimicked the symptoms of an expired session, causing users to be logged out.

How Did We Fix It?

We had a few options to resolve the issue:

  1. Modify the Regular Expression: We could adjust the regular expression to be less aggressive in filtering, though this might introduce a security risk by allowing some potentially harmful scripts to pass through.

  2. Restore the Full Cookie: A safer approach was to overwrite the truncated cookie with the full, original version at the appropriate point in the code. This ensured the session remained intact without compromising security.

We opted for the second solution, which effectively resolved the problem without introducing additional vulnerabilities.

       

<? 
// the first parameter in $evil_attributes do the problematic logging out 
//...
protected function _remove_evil_attributes($str, $is_image)
 {
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
 }
// ...
?> 

Comments

Popular posts from this blog

Skate Tricks Recognition Using Gyroscope

Play table

Counting dice and train wagons using computer vision