CodeIgniter weak encryption key
Description
CodeIgniter is a PHP framework that provides encryption and session management capabilities through configuration-based encryption keys. This vulnerability occurs when the application uses a default, weak, or publicly known encryption key instead of a unique random value. The encryption key is configured in the $config['encryption_key'] parameter and is critical for securing encrypted data and session tokens. When a weak or known key is used, attackers can decrypt sensitive data, forge session cookies to impersonate legitimate users, and potentially achieve remote code execution through object injection attacks.
Remediation
Immediately replace the weak encryption key with a cryptographically strong random value. Follow these steps to remediate:
1. Generate a strong random encryption key of at least 32 characters using a cryptographically secure method
2. Open the configuration file located at application/config/config.php
3. Update the encryption key parameter with your newly generated value:
// Before (weak/default key - INSECURE) $config['encryption_key'] = ''; // or $config['encryption_key'] = 'mysecretkey'; // After (strong random key - SECURE) $config['encryption_key'] = 'a8f5f167f44f4964e6c998dee827110c03f5c1a5';4. Invalidate all existing user sessions to force re-authentication with the new key
5. Verify that no default or example keys from documentation are being used in production
You can generate a secure key using PHP:
php -r "echo bin2hex(random_bytes(32));"Or use online tools specifically designed for generating CodeIgniter encryption keys. Never commit encryption keys to version control systems.