CI invalid session

Strange session behaviour

How does it look like?

Lately at work we've ran into a strange behaviour of an irregular logging out. We used CodeIgniter php framework for developing a web application. We noticed this problem earlier on, but we couldn't repeat it on purpose. This behaviour occurred randomly. We didn't know how to repeat it so it was almost impossible to debug it. But one day, we found that if the screen with the map of the POI positions was repeatidly updated in few seconds intervals, this problem occurred more often.


What was the problem?

The session was not expired as we thought first, the cookie was somehow cut off about 10, 20 symbols. The problem was in CodeIgniter Security class in xss_clean which prevented the cross site scripting. To be exact the offender was regular expression that was trying to filter every onEvent javascript function. So if your generated cookie contained substring "#### on SOMETHING=" it removed the part "SOMETHING=". And application looked like the same as when a session expires.


How to fix it?

There were a few options. One, was to change the regular expression on event (which might lead to a security risk), or to simply overwrite the cut cookie with a full cookie at the right place. 
       

<? 
// the first parameter in $evil_attributes do the problematic logging out 
//...
protected function _remove_evil_attributes($str, $is_image)
 {
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
 }
// ...
?>

Comments

Post a Comment

Popular posts from this blog

Counting dice and train wagons using computer vision

Image
Computer vision exercises with preprocessing Before the next project I decided to do some computer vision exercises. Each example is based on a simple logic image preprocessing. No data structure or learning is required. Dice I got this idea while browsing the net. I was curious about how hard can it be to write such a script. I'll describe the algorithm in steps. movement detection : Comparing few frames with thresholds gives us the information, whether something is moving in the frame. Adding some small time frame after the movement stops gives us more precise information. remove background : Thresholding gray frame removes the background and gives us binary image with objects cropping the objects : Using contours to detect object and then separate them by cropping. detecting dots : Inverting the image we get objects that can be again simply detected using contours. filtering dots : If dice is visible also from the side therefore dots from that side can be recogn
Read more

Play table

Image
Using proximity sensors for playing midi tones combined with LED visualization Description The aim of this project was to create a table sized device with multiple proximity sensors that can play midi tones. Each sensor had a few LEDs to show hand distance above the table. This table could be used by one or more persons at once. Hardware setup First I created a prototype from a cardboard to test sensors and some logic behind. Than I ordered a customized plottered sticker with a design which was painted with bare conductive paint. Afterwards I drilled some holes and connected the touchboard with 7 arduino Nanos. Each arduino was connected to 13 LEDs diodes. At the end I added two potentiometers. One for controlling volume and one for changing notes setup. Programming Programming consists of two parts. Master(touchboard) program that reads values from proximity sensors and sends messages to slaves(arduinos). Second program for slaves that reads messages from m
Read more

Skate tricks recognition using gyroscope

Image
In this article we're going to describe how to recognize a skateboard trick using a gyroscope. This sensor is already present in most of the smartphones but in case you are not familiar with it, here is a description . Before we begin, small disclaimer. This project was originally as a part of hackathon that was used with Slido and the purpose was to confirm that it's possible to recognize a trick using a gyroscope. For the sake of simplicity of this project we're not considering skater's stance on a board and we're only trying to recognize 2 simple tricks. So, let's begin by splitting the problem into several smaller ones. We need to record the trick, store it, describe it, understand it, and then of course recognize it. Recording the trick Let's start with the trick recording. To have a precise data we need to have a device with a gyroscope that is attached directly to a skateboard. We need to place it on the bottom of the board, otherwise it might interfe
Read more