CHttpRequest.enableCookieValidation HMAC



Which hash function is used in the calculation of the HMAC? MD5? SHA-1? SHA-2?

If anyone else is curious about this, like tomsea and me, here is what happens when you turn on the enableCookieValidation feature.

In a few words: Yii will use its SecurityManager to concatenate some validation info at the beginning of the cookie using HMAC.

In more detail:

When we add a new cookie, it runs serialize() on the cookie value and concatenates an HMAC of this serialized value in front of it before sending the cookie:

// HMAC prefix followed by the serialized value
$cookieValue = $this->computeHMAC(serialize($cookieValue),null).serialize($cookieValue);

When you access the cookies through


Yii will validate each cookie, checking its HMAC, removing it from the value and unserializing the rest:

			// compare the HMAC prefix with one recomputed over the remaining data
			return $hmac===$this->computeHMAC($data2,$key)?$data2:false;

			// any other case: the cookie is rejected
			return false;
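A stand-alone model of that round trip, added here as an example and not taken from Yii's own code; it assumes HMAC-SHA1 with a fixed key (in a real app the hash algorithm and key come from the SecurityManager configuration) and uses hash_equals() instead of the plain === comparison:

```php
<?php
// Constructed example: what enableCookieValidation adds to and checks on a cookie.
// Assumption: HMAC-SHA1 and a hard-coded key, standing in for Yii's SecurityManager.
const HASH_ALGO = 'sha1';
const VALIDATION_KEY = 'example-validation-key'; // placeholder, not a real key

// Outgoing cookie: HMAC of the serialized value, followed by the serialized value.
function protectCookie($value, string $key): string
{
    $payload = serialize($value);
    return hash_hmac(HASH_ALGO, $payload, $key) . $payload;
}

// Incoming cookie: split off the HMAC prefix, verify it, then unserialize.
// Returns the original value, or false when the cookie fails validation.
function validateCookie(string $cookie, string $key)
{
    $hmacLen = strlen(hash_hmac(HASH_ALGO, 'test', $key));
    if (strlen($cookie) < $hmacLen) {
        return false; // too short to even contain an HMAC
    }
    $hmac    = substr($cookie, 0, $hmacLen);
    $payload = substr($cookie, $hmacLen);
    // Constant-time comparison, so a mismatch leaks no timing information.
    if (!hash_equals(hash_hmac(HASH_ALGO, $payload, $key), $hmac)) {
        return false;
    }
    // Only unserialize after the HMAC check passed; refuse object payloads.
    return unserialize($payload, ['allowed_classes' => false]);
}

$cookie = protectCookie(['user' => 'alice', 'role' => 'viewer'], VALIDATION_KEY);
var_dump(validateCookie($cookie, VALIDATION_KEY));   // the original array

// Same-length edit of the serialized value: the HMAC no longer matches.
$tampered = str_replace('viewer', 'editor', $cookie);
var_dump(validateCookie($tampered, VALIDATION_KEY)); // bool(false)

// Integrity only: the serialized value after the HMAC is readable in the clear.
echo substr($cookie, 40), "\n";
```

The last line shows what the post's closing remark is about: the HMAC stops modification but hides nothing, so anything confidential still needs encryption.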

So, this feature is just a message digest verification. It is not much of a security feature IMHO. The best thing would be to use symmetric encryption with a key of our choosing… But it is better than nothing :)