Member Avatar for iamthwee

Hi guys,

I just came across an interesting article regarding codeigniter cookie sessions.

http://www.dionach.com/blog/codeigniter-session-decoding-vulnerability

It seems it is fixed in 3.0 but I know that version isn't stable. I wonder what Dani thinks about this?

Version 2.2.0, released few days ago, fixes this bug. Bye!

Member Avatar for iamthwee

A few days ago? I doubt Daniweb has updated their CI core in a long time, since she began the migration from vbulletin to CI - unless I'm wrong.

Sorry, I was referring to CI, in reply to:

It seems it is fixed in 3.0 but I know that version isn't stable.

EllisLab made this upgrade to fix the session cookie vulnerability discussed in your link. About 2.2.0:

CodeIgniter 2.2.0 has been released today, and is a security release for the 2.x branch. One of these changes is significant, so please be sure to read the version notes for upgrading from 2.1.4 to 2.2.0 to ensure your environment is ready for the update.

Just make sure to have mcrypt enabled and then upgrade from 2.1.4 to 2.2.0, which includes also few minor bug fixes:

I believe having mcrypt installed makes us not vulnerable.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.