Does Yii 1.1 deal with session fixation protection?

Session fixation is a possible vulnerability when moving data from session before authentication to session after user authentication. One such use-case is a shopping cart.

Asking the Google Bard LLM, I get this answer:

Yii 1.1 does not have any built-in session fixation protection. However, you can use the CHttpSession::regenerateID() method to regenerate the session ID after each request. This will prevent an attacker from being able to force the victim to reuse a previously authenticated session ID.

Can anyone confirm or deny this? What’s the status for Yii 2 and 3 for this security topic?

Silly, ChatGPT says the opposite:

Yes, Yii 1.1 includes session fixation protection as part of its built-in security features. Yii takes measures to help prevent session fixation attacks, which is a type of attack where an attacker sets the session ID of a user before the user logs in, potentially allowing the attacker to assume the user’s identity after login.

The problem when LLM does not cite sources, huh?

Every time user logs in, new session is generated. So session fixation will not work if you put short login time. So Yes, with correct measures you can prevent it. If you are paranoid about that you can regenerate it with Session class

The problem when LLM does not cite sources, huh?

I can cite some sources for you :wink:

Yii 1.1 CWebUser class calls regenerateId() on the Session when it logs in a user:

So if you use CWebUser for login, Yii will handle session fixation protection for you.

The same is true for Yii 2 too: