Hi.
From: http://www.yiiframework.com/doc/guide/1.1/en/topics.security
Which hash function is used in the calculation of the HMAC? MD5? SHA-1? SHA-2?
If someone is curious about this like tomsea and me, here is what happens when you turn on the enableCookieValidation feature.
In a few words: Yii will use its SecurityManager to concatenate some validation info at the beginning of the cookie using HMAC.
In more detail:
When we add a new cookie it runs serialize() on the cookie value and prepends an HMAC of that serialized value before sending the cookie:
    // HMAC of the serialized value, followed by the serialized value itself
    $cookieValue = $this->computeHMAC(serialize($cookieValue), null) . serialize($cookieValue);
When you access the cookies through
    $request->cookies
Yii will validate each cookie by checking its HMAC, stripping it from the value and unserializing the rest:
    // the HMAC length is fixed, so compute it once over a dummy string
    $len = $this->strlen($this->computeHMAC('test'));
    if ($this->strlen($data) >= $len)
    {
        // split the cookie into the received HMAC and the serialized payload
        $hmac = $this->substr($data, 0, $len);
        $data2 = $this->substr($data, $len, $this->strlen($data));
        // recompute the HMAC over the payload and compare with the received one
        return $hmac === $this->computeHMAC($data2, $key) ? $data2 : false;
    }
    else
        return false;
So, this feature is just a message digest verification. It is not much of a security feature IMHO. The best thing would be to use symmetric encryption with a key of our choosing… But it is better than nothing.
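To make the mechanism described in the post above concrete, here is an added example that re-implements the two halves (sign on write, verify on read) in Python. It is not Yii's code: json.dumps stands in for PHP serialize(), the validation key is a constructed constant, and SHA-256 is an assumption since the thread does not settle which hash Yii uses. The example also shows the two points a practitioner cares about: a tampered or foreign cookie is rejected, but the payload itself is still readable by whoever holds the cookie, because nothing is encrypted.

```python
import hashlib
import hmac
import json

# Constructed example key; in Yii this would be CSecurityManager::validationKey.
VALIDATION_KEY = b"constructed-example-key-do-not-reuse"
# Assumption: the post does not say which hash Yii uses, so SHA-256 is fixed here.
DIGEST = hashlib.sha256


def compute_hmac(data: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Hex-encoded HMAC, the same shape as CSecurityManager::computeHMAC."""
    return hmac.new(key, data, DIGEST).hexdigest()


def hash_data(value, key: bytes = VALIDATION_KEY) -> str:
    """Write side: HMAC prepended to the serialized value (json.dumps stands in
    for PHP serialize())."""
    payload = json.dumps(value).encode()
    return compute_hmac(payload, key) + payload.decode()


def validate_data(cookie: str, key: bytes = VALIDATION_KEY):
    """Read side: split off the fixed-length HMAC, recompute it over the rest
    of the cookie, and return the decoded value, or None on any mismatch."""
    hmac_len = len(compute_hmac(b"test", key))  # fixed length, as in the PHP
    if len(cookie) < hmac_len:
        return None
    tag, payload = cookie[:hmac_len], cookie[hmac_len:]
    expected = compute_hmac(payload.encode(), key)
    # Constant-time comparison; the PHP snippet uses a plain === instead.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def demo() -> dict:
    """Exercise the scheme on a constructed cookie value."""
    original = {"user_id": 42, "role": "member"}
    cookie = hash_data(original)
    tag_len = len(compute_hmac(b"test"))
    return {
        # untouched cookie round-trips to the original value
        "roundtrip": validate_data(cookie),
        # editing the plaintext part without the key breaks the HMAC
        "tampered": validate_data(cookie.replace('"member"', '"admin"')),
        # a cookie signed under a different key is rejected
        "wrong_key": validate_data(cookie, key=b"another-key"),
        # anything shorter than the HMAC is rejected outright
        "too_short": validate_data("abc"),
        # the client can read the payload; integrity only, no confidentiality
        "readable": json.loads(cookie[tag_len:]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "readable" entry is the point the post ends on: this scheme stops the client from changing the value without detection, but it does nothing to hide it, so anything sensitive still needs encryption (or should not be in the cookie at all).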