I am relatively new to Yii and web coding in general. I am however in the very preliminary stage of building a website. The majority of the work will be coded externally but I was hoping I could get some input so that I know what I need to ask of the coder. I am hugely concerned about security. I have had several websites hacked in the past and have also been the victim of massive amounts of spam registrations.
I was wondering if anyone could give me some secuirty guidelines for a custom built login and registration system using the Yii framework. I found some features of a rawphp login script, this seems to be pretty comprehensive but is there anything else which can be done to secure the login system. Are any of these already built into Yii?
Interesting topic! I’m also quite new too Yii and also very concerned about security.
The list looks good. You might want to add:
Temporary ban IP after X failed login attempts (unless you serve a big enterprise behind proxy)
Use secure cookies (httpOnly) to prevent cookie stealing
Using the agent as component should not be considered secure as it can easily be spoofed, just as with IP. Using secure cookies prevents (injected) scripts from reading the cookie and thus stealing the SID.
Also, be sure the SID is changed for each http request for improved CSRF protection. You should also consider randomizing the cookie SID parameter name.
I assume this is referring to password hashing. The current method of breaking MD5/SHA1 is feeding the hash to Google. Often falls into O(1). There are better ways to secure your passwords.
Hardened random salts to hash login token, session id, sign up id and user agent
Sounds over-engineered. The above method will work just as fine.
Brute force attack detection based on hashed login tokens
It’s not in Yii. But you could do something similar by logging failed log-in attempts among the ip or /24 ip-block and the current timestamp. If there are too many attempts within a certain timestamp, just let authentication fail.
SQL Injection rejection using a Pattern Validator class built upon RegEx
Yii heavily relies on PDO which will result in fully parameterized queries. So this is really a non-issue. Unless you are using DAO: If you’re not careful, your app might be prone to SQL injection attacks. Then again, you’d almost have to force that.
Code Injection rejection using RegEx
This is not part of Yii or any available extension of Yii I am aware of. But it shouldn’t really be a problem unless you are putting user submitted values into eval() or leaving uploaded files into folders within your webroot. If you really want this, there would still be a validator that could sanitize user input for you.
Session hijack detection using inter-locked session between database and client cookie
Vanilla Yii is not safe from session hijacking. This is due to several design decissions. However, there’s a session driver offering a bit more security. If that’s still not enough: You’re free to write your own session driver and set it in place
No critical information is saved in cookies
By default, everything that’s in the cookie is the session id.
Cross site script rejection using session id and agent hash key pair
There is a very good token-based XSRF prevention system available. See an example for its use here.
Limited time session cookies are used, Cookies expires on browser exit