
Cookie replay after logout php CodeIgniter

I have an application where the login and logout works correctly. Once the user logs out, and tries to access a page he needs authentication for, he is redirected to the login screen.

Here is where my problem lies: while I am logged in, if I copy the cookie values and save them to a file, then after logout alter the cookie and add the same values back, I get logged back into the application as the same user.

On logout I have written a function that loops over all the cookies and deletes them.

My understanding is that cookies are both on the client and also on the server side. So if the cookies are getting deleted, they are getting deleted on both sides, and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).

The reason why I am doing this is because this is one of the points raised by our security auditor, and I need to get a way to fix this hole. (At this point doing https is not feasible)

I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so, when the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.

Edit:

I am using codeigniter sessions and tank_auth as the authentication library. At logout, the library itself calls

$this->ci->session->sess_destroy();

To be extra sure, I tried the following after a few attempts:

session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);

My regular logout works, and if I try to access the page directly it does not open.

If, while I am logged in, I take my cookie and save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.

Is there a way to stop this behavior, where the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are on the same timezone (setting it with date_default_timezone_set).

Cookies are not stored on the server at all. Those are stored in the browser and then sent to the server in the request headers. You can easily find software and plugins for browsers that allow you to create/edit/delete cookies. For that reason you should never store sensitive information in cookies. Essentially what you want to do is store the user data in a session and then store the session name in a cookie. Usually this is done automatically in php when you use the function session_start().

If you are using Codeigniter, the php session functions are wrapped in a CI session library that is auto loaded on each page load. So instead of storing data in $_COOKIE you will want to get/set your data via the userdata method in the session library:

//in your controller
//save session data
$userdata = array(
    "isLoggedIn"=>true,
    "username"=>$_POST['username']
);
$this->session->set_userdata($userdata);

//get session data later
$isLoggedIn = $this->session->userdata("isLoggedIn");
if(!$isLoggedIn){
    //if the user is not logged in, destroy the session and send to the login screen
    $this->session->sess_destroy();
    redirect("/");
}

Note that the code above is not tested and is only supposed to give you an idea on where to go. If the session methods aren't working for you, you may need to load the library in manually:

//in the __construct method of your controller:
$this->load->library("session");

You can find more information here: http://ellislab.com/codeigniter/user-guide/libraries/sessions.html and here: http://www.php.net/manual/en/book.session.php

Thanks for your answers, guys.

This is what I figured out later. I am not sure what was causing this, but the sessions were not getting invalidated after trying everything. I moved the sessions in CodeIgniter to the database. Then the logouts started working correctly: after logout, if the 'stolen'/'saved' cookie was put in the browser again, it would not log the user back in.

So, that's what solved it.
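The reason the database move fixed it, shown as an added example that is not code from the question, the answer or CodeIgniter itself: a cookie-only session carries all of its state inside the cookie, so the server has nothing to delete on logout and a saved copy stays valid until it expires; a server-side session leaves only a random id in the cookie, and destroying the record makes a replayed id find nothing. Both "drivers" below are constructed stand-ins for those two models (the key, user data and in-memory table are made up), written to run from the PHP CLI.

```php
<?php
// Added example: two constructed session drivers, modelled on the cookie-only and
// database-backed options the thread discusses. Not CodeIgniter's own code.

const SECRET_KEY = 'constructed-demo-key-not-for-production'; // constructed value

// Driver 1: everything lives in the cookie, integrity-protected with an HMAC.
// The server keeps no record, so "destroy" can only ask the browser to drop it;
// a copy of the cookie remains a valid, verifiable session.
class CookieOnlySession
{
    public function create(array $data): string
    {
        $payload = base64_encode(json_encode($data));
        return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
    }

    public function read(string $cookie): ?array
    {
        [$payload, $mac] = explode('.', $cookie, 2) + [null, null];
        if ($payload === null || $mac === null) {
            return null;
        }
        if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
            return null; // tampered or forged cookie
        }
        return json_decode(base64_decode($payload), true);
    }

    public function destroy(string $cookie): void
    {
        // Nothing to delete server-side: the cookie is self-contained and stays
        // valid until its expiry or until SECRET_KEY is rotated.
    }
}

// Driver 2: the cookie holds only a random id; the data lives in a server-side
// table (stands in for CodeIgniter's ci_sessions table).
class DatabaseSession
{
    private array $table = [];

    public function create(array $data): string
    {
        $id = bin2hex(random_bytes(16)); // unguessable session id
        $this->table[$id] = $data;
        return $id;
    }

    public function read(string $cookie): ?array
    {
        return $this->table[$cookie] ?? null;
    }

    public function destroy(string $cookie): void
    {
        unset($this->table[$cookie]); // row gone: a replayed id resolves to nothing
    }
}

// Reproduces the questioner's test: copy the cookie, log out, send the copy again.
function replayAfterLogout(object $driver): bool
{
    $cookie = $driver->create(['isLoggedIn' => true, 'username' => 'alice']); // constructed user
    $saved  = $cookie;            // the saved copy
    $driver->destroy($cookie);    // logout
    $data = $driver->read($saved);
    return $data !== null && $data['isLoggedIn'] === true;
}

printf("cookie-only session still valid after logout: %s\n",
    replayAfterLogout(new CookieOnlySession()) ? 'yes' : 'no');
printf("database session still valid after logout:    %s\n",
    replayAfterLogout(new DatabaseSession()) ? 'yes' : 'no');
```

In CodeIgniter 2.x the switch the self-answer describes is the `sess_use_database` option in config.php together with the `ci_sessions` table from the user guide; with it enabled, `sess_destroy()` removes the server-side row, which is the step the cookie-only driver can never perform. Regenerating the session id on login (as well as on logout) is the usual companion control, so that an id captured before authentication is not the one that becomes authenticated.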
