CHttpRequest .enableCookieValidation HMAC

Hi.

From: http://www.yiiframework.com/doc/guide/1.1/en/topics.security

Which hash function is used in the calculation of the HMAC? MD5? SHA-1? SHA-2?

If someone is curious about this like tomsea and me, here it is what happens when you turn on the enableCookieValidation feature.

In small words: Yii will use its SecurityManager to concatenate some validation info at the beginning of the cookie using HMAC.

In more detail:

When we add a new cookie it runs serialize() on the cookie value and prepends an HMAC of this serialized value to it before sending the cookie:


$cookieValue = $this->computeHMAC(serialize($cookieValue),null).serialize($cookieValue);

When you access the cookies through


$request->cookies

Yii will validate each cookie by checking its HMAC, removing it from the value and unserializing what is left:


		// Body of CSecurityManager::validateData($data, $key=null):
		// the HMAC length is learned from a dummy computation, then the
		// prefix is split off and compared against a fresh HMAC of the rest.
		$len=$this->strlen($this->computeHMAC('test'));
		if($this->strlen($data)>=$len)
		{
			$hmac=$this->substr($data,0,$len);
			$data2=$this->substr($data,$len,$this->strlen($data));
			return $hmac===$this->computeHMAC($data2,$key)?$data2:false;
		}
		else
			return false;



So, this feature is just a message digest verification. It's not much of a security feature IMHO. The best thing would be to use symmetric encryption with a key of our choosing… But it's better than nothing :)
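As an added example (this is not Yii's own code, just a self-contained sketch of the same scheme in plain PHP), here is what the hashData/validateData round trip described above looks like end to end, with a tampered cookie rejected and the payload shown to be readable in clear. Assumptions: the validation key is a constant here (Yii derives it from CSecurityManager::getValidationKey()), the hash is 'sha1' (the default of CSecurityManager::$hashAlgorithm in Yii 1.1; change it if your config sets another), and the functions, constants and sample cookie value are all made up for the illustration. Two deliberate differences from the framework code quoted above: the comparison uses hash_equals() instead of ===, so that a byte-by-byte mismatch does not leak timing information, and unserialize() is called with allowed_classes disabled, so that even someone who somehow obtains a valid HMAC cannot feed object-injection payloads through the cookie.

```php
<?php
// Added example, not Yii's code: a minimal stand-in for what
// CSecurityManager::hashData()/validateData() do for cookie values when
// CHttpRequest::enableCookieValidation is on.

// Assumption: a fixed secret. Yii takes this from getValidationKey().
const VALIDATION_KEY = 'replace-me-with-a-long-random-secret';
// Assumption: sha1, the Yii 1.1 default for CSecurityManager::$hashAlgorithm.
const HASH_ALGORITHM = 'sha1';

function computeHmac(string $data, string $key): string
{
    // hex-encoded HMAC, 40 characters for sha1
    return hash_hmac(HASH_ALGORITHM, $data, $key);
}

// Equivalent of hashData(): the HMAC is prepended to the data.
function hashData(string $data, string $key): string
{
    return computeHmac($data, $key) . $data;
}

// Equivalent of validateData(): split off the prefix, recompute, compare.
// hash_equals() (PHP >= 5.6) replaces === to avoid a timing side channel.
function validateData(string $data, string $key)
{
    $len = strlen(computeHmac('test', $key));
    if (strlen($data) < $len) {
        return false;
    }
    $hmac    = substr($data, 0, $len);
    $payload = substr($data, $len);
    return hash_equals(computeHmac($payload, $key), $hmac) ? $payload : false;
}

// What happens on the way out (cookie value -> serialize -> HMAC prefix).
function encodeCookie($value, string $key): string
{
    return hashData(serialize($value), $key);
}

// What happens on the way in (verify HMAC -> unserialize the rest).
function decodeCookie(string $raw, string $key)
{
    $payload = validateData($raw, $key);
    if ($payload === false) {
        return false;
    }
    // allowed_classes => false (PHP >= 7.0) is an addition over Yii 1.1:
    // only scalars and arrays come back, never objects.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed sample: a session-like array stored in a cookie.
$cookie = encodeCookie(['user' => 'alice', 'admin' => false], VALIDATION_KEY);
var_dump(decodeCookie($cookie, VALIDATION_KEY));   // the array, intact

// Tampering: flip the serialized admin flag. The HMAC no longer matches,
// so the cookie is dropped instead of being unserialized.
$tampered = str_replace('b:0;', 'b:1;', $cookie);
var_dump(decodeCookie($tampered, VALIDATION_KEY)); // bool(false)

// No confidentiality: strip the HMAC prefix and the serialized payload is
// readable by whoever holds the cookie. The HMAC only prevents modification.
echo substr($cookie, strlen(computeHmac('test', VALIDATION_KEY))), "\n";
```

Running it prints the decoded array, then bool(false) for the tampered copy, then the raw serialized string a:2:{s:4:"user";s:5:"alice";s:5:"admin";b:0;}, which is the point of the last paragraph above: the feature gives integrity, not secrecy, so anything that must stay hidden from the browser has to be encrypted (or kept server-side) in addition to being validated.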