How to change the session ID in Yii?
Basically I have heard of a way to hijack a user's account by session sniffing; the trick to prevent it is to change the session after the user logs in.
How do I do this in Yii? (I would prefer to do it in the included user auth system in Yii.)
September 6, 2009, 4:24pm
You can only set it in your config array, via sessionID under the session component. That means you cannot alter the ID after the component is initialized.
You may, however, add a second session component with a different ID and store logged-in users' data in there. This might have a very similar effect.
No no, you misunderstand me. The problem is with sessions: even I know of a method to sniff a session ID, and then when the user logs in, you will also be logged in. This is pretty bad if it happens, and I'm surprised that Yii (or any other framework) does not have this security measure built in (or do they?).
In PHP it's easy to swap the session ID by using session_regenerate_id.
So what I want is to do this upon login.
Are you sure it's not possible with Yii?
Does Yii even activate session_start()?
Or does it store the session ID somewhere else?
Oh yes, it does store the session in a database; I'm suspecting a SQLite database?
But how does it maintain it between page loads?
I feel so lost…
September 6, 2009, 6:39pm
Yii uses PHP's built-in session management. It only sets a couple of settings and lets the underlying engine do the hard work (sending and receiving cookies, dealing with outdated IDs, etc.).
If you use the base class (CHttpSession), then data is stored under runtime/session-version.db, but you can put data into another db with CDbHttpSession, or into session with CCacheHttpSession.
I suppose Yii doesn't restrict you from using session_regenerate_id(), but you may want to extend some classes to have built-in support for this feature (like refreshing the ID in the class itself).
If I only knew how to extend classes, hahaha.
Well, back to reading docs I guess.
It's nice to see though that there is no restriction on changing the session ID.
September 6, 2009, 7:23pm
Regularly we store extended classes in protected/components. So your HttpSession (extending CHttpSession) might be configured like this:
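The configuration snippet from that reply did not survive in the thread, so here is an added example (my own, not from the post and not Yii's own code) of how the pieces fit together in a Yii 1.1 application: a session component that regenerates its ID, a user component that triggers it after login, and the config wiring. It assumes Yii 1.1's CWebUser::afterLogin($fromCookie) hook and the component names session and user used below.

```php
<?php
// protected/components/HttpSession.php
// Added example: extends Yii 1.x CHttpSession with a method that swaps the
// session ID after login, so an ID captured before authentication no
// longer maps to the authenticated session.
class HttpSession extends CHttpSession
{
    /**
     * Replace the current session ID with a fresh one, keeping the data.
     * session_regenerate_id(true) also removes the old session record, so
     * the old ID cannot be replayed. Only meaningful while a session is open.
     */
    public function regenerate()
    {
        if ($this->getIsStarted()) {
            session_regenerate_id(true);
        }
    }
}

// protected/components/WebUser.php
// Assumes CWebUser::afterLogin / afterLogout hooks (Yii 1.1) and that the
// session component is registered under the name "session".
class WebUser extends CWebUser
{
    protected function afterLogin($fromCookie)
    {
        parent::afterLogin($fromCookie);
        // Privilege just changed (anonymous -> authenticated): issue a new ID
        // whether the login came from a form or from the auto-login cookie.
        Yii::app()->session->regenerate();
    }

    protected function afterLogout()
    {
        parent::afterLogout();
        // Drop the server-side session data too, not only the cookie.
        Yii::app()->session->destroy();
    }
}

// protected/config/main.php (relevant part)
return array(
    'components' => array(
        'session' => array(
            'class'     => 'HttpSession', // protected/components/HttpSession.php
            'autoStart' => true,
        ),
        'user' => array(
            'class'          => 'WebUser',  // protected/components/WebUser.php
            'allowAutoLogin' => true,
        ),
    ),
);
```

Each class goes in its own file under protected/components so Yii's autoloader finds it by class name. A quick check that it works: note the PHPSESSID cookie value before logging in, log in, and confirm the browser now carries a different value while the session data (for example the logged-in user's name) is still present.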
OK, added the lines into config/main.php.
Seems to be working fine.
I know OOP to this degree… so no problems adding it all so far.
It has a class with a function to regenerate the session ID;
the only problem is that I can't find out how to change the session ID in Yii.
My little Firebug cookies addon sees the PHPSESSID just fine and even tells me its value, but I can't manage to change it with PHP within Yii… help?
Oh wait, it was a spelling bug; I think it's working now.