EllisLab text mark
Advanced Search
     
ExpressionEngine Cookie/Session Security Concerns
Posted: 22 February 2013 09:04 PM
Joined: 2007-10-07
8 posts

The following are some security concerns with the current implementation of ExpressionEngine’s handling of cookies and sessions.

Cookies

With EE there has been a change to how the default cookie session length is created from the default php setcookie function.

In the areas where the cookie is set if you set the cookie expiration to 0 or not set this should change it to end at the end of the user’s browser session.  Unfortunately there have been changes to change 0 to a very long period of time in the code.

I would recommend changing this back to the default so it can compile with the default php implementation.

There is also an issue where ExpressionEngine does not add the ability to set the httponly flag in the configuration file and the secure flag does not always stick when cookies are being set by ExpressionEngine.

Sessions
Depending on certain settings and configurations for EE if the session information is stored client side it appears they may also be stored in the database.  If you remove the session information from the filesystem the user is still logged in due to the information still being stored in the database.

My recommendation for this is to insure if the session information is being stored on the filesystem that the session information is not written to the database.