Does Yii 1.1 deal with session fixation protection?

olleharstedt · August 14, 2023, 10:45am

Session fixation is a possible vulnerability when moving data from session before authentication to session after user authentication. One such use-case is a shopping cart.

Asking the Google Bard LLM, I get this answer:

Yii 1.1 does not have any built-in session fixation protection. However, you can use the CHttpSession::regenerateID() method to regenerate the session ID after each request. This will prevent an attacker from being able to force the victim to reuse a previously authenticated session ID.

Can anyone confirm or deny this? What’s the status for Yii 2 and 3 for this security topic?

Silly, ChatGPT says the opposite:

Yes, Yii 1.1 includes session fixation protection as part of its built-in security features. Yii takes measures to help prevent session fixation attacks, which is a type of attack where an attacker sets the session ID of a user before the user logs in, potentially allowing the attacker to assume the user’s identity after login.

The problem when LLM does not cite sources, huh?

evstevemd · August 14, 2023, 5:57pm

Every time user logs in, new session is generated. So session fixation will not work if you put short login time. So Yes, with correct measures you can prevent it. If you are paranoid about that you can regenerate it with Session class

CeBe · August 15, 2023, 9:37am

The problem when LLM does not cite sources, huh?

I can cite some sources for you

Yii 1.1 CWebUser class calls regenerateId() on the Session when it logs in a user:

github.com

yiisoft/yii/blob/d7845aa29dcc81846b5be35591781613a61244b5/framework/web/auth/CWebUser.php#L717


      
          	 * when the current user needs to be populated with the corresponding
          	 * identity information. Derived classes may override this method
          	 * by retrieving additional user-related information. Make sure the
          	 * parent implementation is called first.
          	 * @param mixed $id a unique identifier for the user
          	 * @param string $name the display name for the user
          	 * @param array $states identity states
          	 */
          	protected function changeIdentity($id,$name,$states)
          	{
          		Yii::app()->getSession()->regenerateID(true);
          		$this->setId($id);
          		$this->setName($name);
          		$this->loadIdentityStates($states);
          	}
          
          
	/**
          	 * Retrieves identity states from persistent storage and saves them as an array.
          	 * @return array the identity states
          	 */
          	protected function saveIdentityStates()

So if you use CWebUser for login, Yii will handle session fixation protection for you.

The same is true for Yii 2 too:

github.com

yiisoft/yii2/blob/84c15dc5d1c9114dc0f57d208a557aa63087c576/framework/web/User.php#L658


      
          if (!$this->enableSession) {
              return;
          }
          
          
/* Ensure any existing identity cookies are removed. */
          if ($this->enableAutoLogin && ($this->autoRenewCookie || $identity === null)) {
              $this->removeIdentityCookie();
          }
          
          
$session = Yii::$app->getSession();
          $session->regenerateID(true);
          $session->remove($this->idParam);
          $session->remove($this->authTimeoutParam);
          $session->remove($this->authKeyParam);
          
          
if ($identity) {
              $session->set($this->idParam, $identity->getId());
              $session->set($this->authKeyParam, $identity->getAuthKey());
              if ($this->authTimeout !== null) {
                  $session->set($this->authTimeoutParam, time() + $this->authTimeout);
              }