trrrrrrm - 25 days ago
PHP Question

CodeIgniter: is it still safe to set sess_match_ip to FALSE?

I'm working on a website where visitors from some countries are facing a problem with the CodeIgniter caching system. The cache is deleted after a request or two. After deep investigation I turned sess_match_ip and sess_match_useragent to FALSE and everything is working fine now.

Is it safe to keep those configs as FALSE?


Answer

It is slightly less safe, but it is often required, especially when dealing with mobile devices or users behind a bank of proxy servers.

To make sure you are as secure as possible, be sure to use the database for sessions, and be sure to set the encryption key and sess_encrypt_cookie so that what little information is stored in the cookie is obfuscated.

The one other thing you could do is to lower the config value for sess_time_to_update to a value even less than its default of 300 seconds. On the slight chance someone does get a cookie, then reverse engineers it, it would be useless if CI has already made a new session id.

Added on Sept. 23, 2017

With the release versions of CodeIgniter 3.x, they recommend using file sessions vs db sessions. Be sure to set a non-web-accessible folder for sessions in your config.php if you do. If you have a host that doesn't allow you to set a custom folder, I would stick with db sessions. The rest of the answer still applies.
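The settings the answer refers to, written out as an added example (not code from the question, the answer or the CodeIgniter project). The first block is the CodeIgniter 2.x `application/config/config.php` shape the original answer describes, with the two match checks disabled as in the question and the compensating controls enabled; the second is the CodeIgniter 3.x equivalent from the 2017 addendum, where `sess_match_useragent` and `sess_encrypt_cookie` no longer exist and the session store is chosen with `sess_driver`. The `assert_save_path_outside_webroot()` helper and the example paths are my own assumptions, added so a deployment can check that the file-session folder is not reachable over HTTP; the 300-second default for `sess_time_to_update` is the one the answer quotes.

```php
<?php
// ---- CodeIgniter 2.x: application/config/config.php (excerpt) ----
// Weak: an empty key means the session cookie cannot be encrypted at all.
$config['encryption_key']      = '';                 // <- weak
// Hardened: a long random key (placeholder below; generate your own).
$config['encryption_key']      = 'REPLACE_WITH_32_PLUS_RANDOM_BYTES';

// Relaxed because users behind rotating proxies / mobile carriers kept
// losing their session (the symptom described in the question).
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = FALSE;

// Compensating controls recommended in the answer:
$config['sess_encrypt_cookie']  = TRUE;   // obfuscate what little is in the cookie
$config['sess_use_database']    = TRUE;   // keep session data server-side
$config['sess_table_name']      = 'ci_sessions';
$config['sess_time_to_update']  = 120;    // rotate the session id more often than the 300 s default

// ---- CodeIgniter 3.x: application/config/config.php (excerpt) ----
// 3.x dropped sess_match_useragent and sess_encrypt_cookie; the cookie only
// carries a session id, and the data lives in the driver's store.
$config['sess_driver']             = 'files';          // or 'database' if the host forbids a custom folder
$config['sess_save_path']          = '/var/lib/ci_sessions'; // assumed path, outside the document root
$config['sess_match_ip']           = FALSE;
$config['sess_time_to_update']     = 120;
$config['sess_regenerate_destroy'] = TRUE;             // old id is unusable after rotation

/**
 * Deployment check (added helper, not part of CodeIgniter): refuse a
 * file-session path that resolves to somewhere under the web root, since
 * session files served over HTTP would leak every logged-in user's data.
 */
function assert_save_path_outside_webroot(string $savePath, string $docRoot): bool
{
    $real = realpath($savePath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException("session path or document root does not exist");
    }
    // Trailing separator so /var/www-sessions is not mistaken for a child of /var/www
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real === $root || strncmp($real . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("sess_save_path '$real' is inside the web root '$root'");
    }
    return true;
}

// Example usage at bootstrap time (paths are constructed for illustration):
// assert_save_path_outside_webroot($config['sess_save_path'], $_SERVER['DOCUMENT_ROOT']);
```

If the hosting account cannot provide a directory outside the document root, switch `sess_driver` to `'database'` rather than pointing `sess_save_path` at a folder under the site, which is the trade-off the addendum describes.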