encrypt cookies using Yii

Is there a setting that will allow me to encrypt cookies stored in users’ browsers, which are then decrypted when accessed by the code?

Not by default, no. You can either use suhosin or extend the CCookieCollection class for that.

I store people’s ID numbers in a cookie. I then use those ID numbers to get information about them throughout the site. Can I be 100% certain that Yii will prevent users from editing these ID numbers (in their cookie) and pretending to be another user?

Encrypting your cookies will help to some degree. It won’t protect your app from replay attacks, though.

This isn’t a problem specific to Yii, btw.

Then how do I protect cookies from being changed and prevent replay attacks?

There’s no sure-fire way for this. I came close by taking the /16 part of a user’s IP, appended that to a secret key and encrypted my cookies with that via twofish. If that’s too much of a hassle for you, you might want to follow this article.

If you come across a better solution: Let me know :)
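
Added example, not part of any post in this thread: a PHP version of the idea in the last reply, with HMAC-SHA256 signing substituted for twofish encryption (the ID stays readable but an edited value no longer verifies) and an expiry time added to shorten the replay window. The function names, the secret and the sample addresses are assumptions made for illustration; IPv4 only.

```php
<?php
// Added example: hypothetical helpers, constructed sample values.

// First two octets of an IPv4 address, i.e. its /16 network part.
function ipPrefix16(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('IPv4 address expected');
    }
    return implode('.', array_slice(explode('.', $ip), 0, 2));
}

// Per-network key derived from the server secret and the client's /16.
function cookieKey(string $secret, string $ip): string
{
    return hash_hmac('sha256', ipPrefix16($ip), $secret, true);
}

function issueCookie(int $userId, string $ip, string $secret, int $now, int $ttl = 3600): string
{
    $payload = $userId . '|' . ($now + $ttl);            // id|expiry
    return $payload . '|' . hash_hmac('sha256', $payload, cookieKey($secret, $ip));
}

// Returns the user ID, or null if the cookie is malformed, edited,
// presented from a different /16, or expired.
function verifyCookie(string $cookie, string $ip, string $secret, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expires, cookieKey($secret, $ip));
    if (!hash_equals($expected, $mac)) {                 // constant-time compare
        return null;
    }
    return ((int) $expires >= $now) ? (int) $userId : null;
}

$secret = 'constructed-demo-secret';                     // keep the real one server-side
$now    = 1700000000;                                    // constructed timestamp
$cookie = issueCookie(42, '203.0.113.7', $secret, $now);

var_dump(verifyCookie($cookie, '203.0.200.9', $secret, $now + 60));    // same /16, untouched
var_dump(verifyCookie('43' . substr($cookie, 2), '203.0.113.7', $secret, $now + 60)); // ID edited
var_dump(verifyCookie($cookie, '198.51.100.4', $secret, $now + 60));   // different /16
var_dump(verifyCookie($cookie, '203.0.113.7', $secret, $now + 7200));  // past expiry
```

A cookie copied and presented from the same /16 before it expires still verifies, so this narrows replay rather than ruling it out.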