Creating a secure login system


I am relatively new to Yii and web coding in general. I am however in the very preliminary stage of building a website. The majority of the work will be coded externally but I was hoping I could get some input so that I know what I need to ask of the coder. I am hugely concerned about security. I have had several websites hacked in the past and have also been the victim of massive amounts of spam registrations.

I was wondering if anyone could give me some secuirty guidelines for a custom built login and registration system using the Yii framework. I found some features of a rawphp login script, this seems to be pretty comprehensive but is there anything else which can be done to secure the login system. Are any of these already built into Yii?


Interesting topic! I’m also quite new too Yii and also very concerned about security.

The list looks good. You might want to add:

  • Temporary ban IP after X failed login attempts (unless you serve a big enterprise behind proxy)

  • Use secure cookies (httpOnly) to prevent cookie stealing

Using the agent as component should not be considered secure as it can easily be spoofed, just as with IP. Using secure cookies prevents (injected) scripts from reading the cookie and thus stealing the SID.

Also, be sure the SID is changed for each http request for improved CSRF protection. You should also consider randomizing the cookie SID parameter name.

Thank you for your suggestions. I have read into httpOnly and that sounds like a great addition.

Well, let’s see…

  • One way hashing using SHA1

I assume this is referring to password hashing. The current method of breaking MD5/SHA1 is feeding the hash to Google. Often falls into O(1). There are better ways to secure your passwords.

  • Hardened random salts to hash login token, session id, sign up id and user agent

Sounds over-engineered. The above method will work just as fine.

  • Brute force attack detection based on hashed login tokens

It’s not in Yii. But you could do something similar by logging failed log-in attempts among the ip or /24 ip-block and the current timestamp. If there are too many attempts within a certain timestamp, just let authentication fail.

  • SQL Injection rejection using a Pattern Validator class built upon RegEx

Yii heavily relies on PDO which will result in fully parameterized queries. So this is really a non-issue. Unless you are using DAO: If you’re not careful, your app might be prone to SQL injection attacks. Then again, you’d almost have to force that.

  • Code Injection rejection using RegEx

This is not part of Yii or any available extension of Yii I am aware of. But it shouldn’t really be a problem unless you are putting user submitted values into eval() or leaving uploaded files into folders within your webroot. If you really want this, there would still be a validator that could sanitize user input for you.

  • Session hijack detection using inter-locked session between database and client cookie

Vanilla Yii is not safe from session hijacking. This is due to several design decissions. However, there’s a session driver offering a bit more security. If that’s still not enough: You’re free to write your own session driver and set it in place ;)

  • No critical information is saved in cookies

By default, everything that’s in the cookie is the session id.

  • Cross site script rejection using session id and agent hash key pair

There is a very good token-based XSRF prevention system available. See an example for its use here.

  • Limited time session cookies are used, Cookies expires on browser exit

Close to Yii’s default.

  • Automated registration block using simple math

No idea what that’s supposed to be :blink:

Agh, when I read “Code Injection” I thought of PHP-code. Just realized that might refer to XSS injection. Well, Yii’s got that one covered as well.