I know this is a duplicate question Codeigniter/PHP sessions security question but sorry to tell all measure recommended there failed in my case and that is the reason why I am repeating this question and that question asked in 2011 and now its answers will be outdated. So please don't duplicate it.

In my scenario I enabled $config['sess_driver'] = 'database'; and $config['sess_match_ip'] = TRUE; in config file.

I also put csrf token and XSS filtering in my authentication form and always use active records to prevent any sort of SQL injection. For extra security, i also implemented 2-factor authentication, Google ReCaptcha and ip blocking on the 10th attempt. Still, all the above measures can only prevent brute force attack in my case and not session hijacking.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

I know using HTTPS can help as I can enable $config['cookie_secure']=TRUE; but I am not 100% sure about it as I can easily login to my twitter account my doing session hijacking and twitter use HTTPS.

I also tried my laravel app and its default middleware authentication system can be session hijacked.

So the basic problem is all my authentication work on the session and I don't know any other method to use authentication without using session.

If anybody has any idea of how to improve the security of my web application please help me.

Thanks in advance.

Preventing session fixation means to prevent the session ID from being stolen.

You've only failed if there is a way for it to be stolen. Worrying what happens after that is pointless.

If an attacker got ci_session value and my ip he can easily login in my website without any login credentials.

Nobody can just change their IP address to yours ...

You can save visitors info in the session, as OS platform and browser and compare it every page load.

CI have an User Agent Library that help with this.

Also create a cookie changing the value on every page load and save the old value in a session every page load. Compare each request. Compare all, including the old session id and the old custom key used with this cookie.

CI have an Cookie Helper that help with this.

Regenerate your session id in a small period.

If any compared data is incorrect you can log out the user. Destroy the session and remove the cookie. Show some alert about this issue if necessary.

This will prevent that someone hack you from your network getting your session id. And caution with social enginnering.

I was searching this same issue.