CodeIgniter Session Cookie
Posted on December 29, 2009
I found something "peculiar" about how CodeIgniter stores session cookies.
CodeIgniter allows you to encrypt your cookie using sha1, which requires an encryption key, but it's not set by default.
A typical CI cookie looks like this:
a%3A9%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22e56862bcb9fe688cb8806b7067b06b7f%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22192.168.0.124%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-GB%3B+rv%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221262120952%22%3Bs%3A4%3A%22user%22%3Bs%3A1%3A%227%22%3Bs%3A3%3A%22rol%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22giro%22%3Bs%3A1%3A%221%22%3Bs%3A5%3A%22lugar%22%3Bs%3A2%3A%2250%22%3Bs%3A6%3A%22logged%22%3Bs%3A1%3A%221%22%3B%7D37a9099621cf8f09b531e91c327b4b9d
This is URL-encoded. A simple UrlDecode gives us:
a:9:{s:10:"session_id";s:32:"e56862bcb9fe688cb8806b7067b06b7f";s:10:"ip_address";s:13:"192.168.0.124";s:10:"user_agent";s:50:"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv";s:13:"last_activity";s:10:"1262120952";s:4:"user";s:1:"7";s:3:"rol";s:1:"1";s:4:"giro";s:1:"1";s:5:"lugar";s:2:"50";s:6:"logged";s:1:"1";}37a9099621cf8f09b531e91c327b4b9d
This is far more readable. Basically, a single letter gives the data type (a => array, s => string, i => integer), followed by the length of the field and then the value (the length is omitted for integers).
The last 32 hex digits are the MD5 hash. I found out that if you trim the hash away and modify your data, you can "re-hash" it and append the new hash to your data.
Then, you just UrlEncode your data again, and modify your cookie.
Amazingly... it works.
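An added example, not from the original post or CodeIgniter's own code: a Python check an auditor could run to confirm that a cookie's trailing tag is a plain MD5 of the data (assumed from the re-hash observation above), next to an HMAC-SHA256 form that rejects edited data. The sample data, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

MD5_HEX = 32      # length of the trailing MD5 tag described in the post
SHA256_HEX = 64   # length of the HMAC-SHA256 tag used in the hardened form

# Constructed sample data in the same serialized layout (not a real session).
SAMPLE = 'a:2:{s:10:"session_id";s:32:"' + "0" * 32 + '";s:4:"user";s:1:"7";}'
KEY = b"constructed-demo-key"  # assumption: a secret held only by the server


def split_cookie(raw, tag_len):
    """URL-decode a cookie value and split it into (data, trailing tag)."""
    decoded = unquote_plus(raw)
    return decoded[:-tag_len], decoded[-tag_len:]


def tag_is_unkeyed_md5(raw):
    """Audit check: True when the tag is plain md5(data), so no secret is involved."""
    data, tag = split_cookie(raw, MD5_HEX)
    expected = hashlib.md5(data.encode()).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.lower().encode())


def seal(data, key):
    """Hardened form: append an HMAC-SHA256 tag, then URL-encode."""
    tag = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return quote_plus(data + tag)


def unseal(raw, key):
    """Return the data when the HMAC tag verifies, otherwise None."""
    data, tag = split_cookie(raw, SHA256_HEX)
    expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return data if hmac.compare_digest(expected.encode(), tag.encode()) else None


def demo():
    legacy = quote_plus(SAMPLE + hashlib.md5(SAMPLE.encode()).hexdigest())
    sealed = seal(SAMPLE, KEY)
    # Same tag, one field changed: verification must fail.
    edited = sealed.replace("%227%22", "%221%22")
    return tag_is_unkeyed_md5(legacy), unseal(sealed, KEY) == SAMPLE, unseal(edited, KEY)


if __name__ == "__main__":
    print(demo())
```

A `True` from `tag_is_unkeyed_md5` on a captured cookie means the integrity tag can be recomputed by anyone holding the cookie, which is the condition the post describes.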