How to prevent session hijacking in CodeIgniter 3

Question

I know this is a duplicate question Codeigniter/PHP sessions security question but sorry to tell all measure recommended there failed in my case and that is the reason why I am repeating this question and that question asked in 2011 and now its answers will be outdated. So please don't duplicate it.

In my scenario I enabled $config['sess_driver'] = 'database'; and $config['sess_match_ip'] = TRUE; in config file.

I also put csrf token and XSS filtering in my authentication form and always use active records to prevent any sort of SQL injection. For extra security, i also implemented 2-factor authentication, Google ReCaptcha and ip blocking on the 10th attempt. Still, all the above measures can only prevent brute force attack in my case and not session hijacking.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

I know using HTTPS can help as I can enable $config['cookie_secure']=TRUE; but I am not 100% sure about it as I can easily login to my twitter account my doing session hijacking and twitter use HTTPS.

I also tried my laravel app and its default middleware authentication system can be session hijacked.

So the basic problem is all my authentication work on the session and I don't know any other method to use authentication without using session.

If anybody has any idea of how to improve the security of my web application please help me.

Thanks in advance.

Answer 1

Preventing session fixation means to prevent the session ID from being stolen.

You've only failed if there is a way for it to be stolen. Worrying what happens after that is pointless.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

Nobody can just change their IP address to yours ...