Basically, I have heard of a way to hijack a user's account by session sniffing; the trick to prevent it is to change the session after the user logs in.
How do I do this in Yii? (I would prefer to do it in the user auth system included in Yii.)
No no, you misunderstand me. The problem is with sessions. Even I know of a method to sniff a session ID, and then when the user logs in, you will also be logged in. This is pretty bad if it happens, and I'm surprised that Yii (or any other framework) does not have this security measure built in (or do they?).
In PHP it's easy to swap the session ID by using session_regenerate_id.
So what I want is to do this upon login.
Are you sure it's not possible with Yii?
Edit:
Does Yii even activate session_start()?
Or does it store the session ID somewhere else?
Edit 2:
Oh yes, it does store the session in a database; I'm suspecting a SQLite database?
Yii uses PHP's built-in session management. It only sets a couple of settings and lets the underlying engine do the hard work (sending and receiving cookies, dealing with outdated IDs, etc.).
If you use the base class (CHttpSession), then data is stored under runtime/session-version.db, but you can put data into another db with CDbHttpSession, or into session with CCacheHttpSession.
I suppose Yii doesn't restrict you from using session_regenerate_id(), but you may want to extend some classes to have built-in support for this feature (like refreshing the ID in the class itself).
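One way to do what the question asks and the answer suggests (refresh the ID inside a Yii class rather than sprinkling calls through controllers) is to subclass CWebUser and regenerate the session ID in its post-login hook. This is an added example, not code from the original thread or from Yii itself; it assumes Yii 1.1, where CWebUser exposes a protected afterLogin($fromCookie) hook, and assumes the usual protected/components/ and protected/config/main.php layout. The class name WebUser is an arbitrary choice.

```php
<?php
// Added example (not from the original post or from Yii).
// Assumption: Yii 1.1, where CWebUser::login() calls the protected hook
// afterLogin($fromCookie) once the identity has been written to the session.
//
// Save as protected/components/WebUser.php and register it in
// protected/config/main.php:
//
//   'components' => array(
//       'user' => array(
//           'class'          => 'WebUser',   // hypothetical name, chosen here
//           'allowAutoLogin' => true,
//       ),
//   ),

class WebUser extends CWebUser
{
    /**
     * Runs right after a successful login. Swapping the session ID at this
     * point defeats both session fixation (an attacker planted the pre-login
     * ID) and a sniffed pre-login cookie: the old ID no longer maps to any
     * session data, so whoever holds it is not logged in as the victim.
     *
     * @param boolean $fromCookie true when the login came from the
     *        "remember me" cookie instead of a fresh credential check
     */
    protected function afterLogin($fromCookie)
    {
        parent::afterLogin($fromCookie);
        $this->rotateSessionId();
    }

    /**
     * Regenerate the PHP session ID, discarding the old session record.
     *
     * session_regenerate_id(true) works with any session storage Yii is
     * configured with (CHttpSession files, CDbHttpSession, CCacheHttpSession),
     * because those classes register themselves as PHP save handlers and PHP
     * routes the "destroy old ID, write under new ID" steps through them.
     *
     * @return boolean whether the ID was actually changed
     */
    protected function rotateSessionId()
    {
        // session_id() is the empty string when no session is open, in which
        // case there is nothing to rotate (and regenerate would emit a notice).
        if (session_id() === '') {
            return false;
        }

        $old = session_id();

        // true = delete the old session data instead of leaving it behind as
        // a second valid copy that the attacker could keep using.
        session_regenerate_id(true);

        return session_id() !== $old;
    }
}
```

If you would rather not subclass CWebUser, calling session_regenerate_id(true) immediately after Yii::app()->user->login($identity) in your login action has the same effect; the subclass just guarantees it happens on every login path, including cookie-based auto-login. Rotating the ID on logout as well (Yii's logout() already destroys the session by default) and setting session.cookie_httponly and, on HTTPS sites, session.cookie_secure shrink the window in which an ID can be sniffed in the first place.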