cookies security

What kind of security does Yii implement when storing cookies and other data? I use the UserIdentity class to set the id for the user, and I then use that ID to retrieve sensitive information about the user when he/she visits the site.

What is needed to ensure that information stored in cookies using the Yii framework is secure?

All user data stores into sessions. Cookies used to keep session_id. So in your case userID wouldn’t appear into cookie.

Few step how to protected sessionID from sniffing:

  1. Use secured connections (https) and set secure=true to session cookies (see http://www.php.net/manual/en/function.session-set-cookie-params.php).



// protected/config/main.php

...

'session' => array (

    'cookieParams' => array(

         'secure' => true,

    ),

),

...



  1. Save user IP after user sign in, and check it on every user visit. (you’ll need create you own HttpSession class to extend standard one; or use following extension: http://www.yiiframework.com/extension/session/. Last one stores sessions into DB).

Hope it would help you.