autoAllowLogin impersonation (vulnerability)

We have implemented a session which is stored in the database and an auto login feature which uses Yii's internal functionality. The current problem is that there's a vulnerability: when you export a cookie using the EditThisCookie Chrome plugin and then log out of that user, importing that cookie and hitting refresh will re-create the session in the database and log you in as if you were still logged in. We use a 30-day expiration for the remembered authentication.

Isn't this a security concern, and what are the alternative ways to fix this vulnerability?

I've read another thread related to this, but it was 3 years ago, so I'm hoping that somebody can make this clear.

Thanks

Are you using the cookie validation mechanism?

http://www.yiiframework.com/doc/guide/1.1/en/topics.security#cookie-attack-prevention

Yes, we do. Here's the request component configuration that we use:

'components'=>array(
    'request'=>array(
        'enableCookieValidation'=>true,
        'enableCsrfValidation'=>true,
        'csrfCookie'=>array(
            'httpOnly'=>true,
        ),
    ),
),


We have also used HttpOnly all throughout the web app.

If you are concerned about web security, you should switch this option off. This is one more way to get inside the app, and it is really tricky in terms of keeping it safe. The Yii docs clearly state you should not keep any sensitive info there ( http://www.yiiframework.com/doc/guide/1.1/en/topics.auth ). You can find some ideas to make it safer here: http://www.yiiframework.com/forum/index.php/topic/11858-security-implications-with-cwebuser/ I can only suggest using SSL cookies.

We are actually not storing any sensitive data using setState. They are just used for display purposes, but the fact that I'm able to re-use the exported cookies after logout is just making us worry.

The values stored using setState were only used to display the email and name in the common layout and other stuff like that.
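The root cause discussed in this thread is that cookie validation only proves the auto-login cookie was signed by the app; nothing on the server side ever revokes it, so a copied cookie stays valid for the full 30 days after logout. The following is an added example, not code from this thread or from Yii itself: it binds the cookie to a per-user token stored in the database and rotates that token on logout, so every outstanding cookie for the account dies. It assumes a hypothetical `users` table with a `remember_token` column, a `User` ActiveRecord model with a `validatePassword()` method, and PHP 5.6+ for `hash_equals()`.

```php
<?php
// Added example (not from the thread). Assumes a hypothetical `users` table with a
// `remember_token` column, a User ActiveRecord model with validatePassword(), and
// PHP >= 5.6 for hash_equals(). Yii signs the auto-login cookie but never revokes it.
class UserIdentity extends CUserIdentity
{
    private $_id;
    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('email' => $this->username));
        if ($user === null || !$user->validatePassword($this->password)) {
            $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
            return false;
        }
        if ($user->remember_token === null) {   // first login: mint a server-side token
            $user->remember_token = bin2hex(openssl_random_pseudo_bytes(32));
            $user->save(false);
        }
        $this->_id = $user->id;
        $this->setState('__rememberToken', $user->remember_token); // persisted into the signed cookie
        $this->errorCode = self::ERROR_NONE;
        return true;
    }
    public function getId() { return $this->_id; }
}

class WebUser extends CWebUser
{
    // restoreFromCookie() calls this with $fromCookie = true before trusting the cookie.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) return true;
        $user = User::model()->findByPk($id);
        $presented = isset($states['__rememberToken']) ? (string) $states['__rememberToken'] : '';
        return $user !== null && $user->remember_token !== null
            && hash_equals($user->remember_token, $presented); // false = cookie rejected, no login
    }
    // Rotate the token while the user id is still known (states are cleared after logout);
    // this invalidates every outstanding auto-login cookie for the account.
    protected function beforeLogout()
    {
        $user = User::model()->findByPk($this->getId());
        if ($user !== null) {
            $user->remember_token = bin2hex(openssl_random_pseudo_bytes(32));
            $user->save(false);
        }
        return true;
    }
}
```

Wire it up with `'user'=>array('class'=>'WebUser', 'allowAutoLogin'=>true)` in the components configuration; a cookie exported before logout is then rejected in `beforeLogin` because its embedded token no longer matches the database.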