Is It Safe?

Hi

I have yii application with frontend and backend

In the frontend:

root/index.php uses root/protected/config/main.php

In the backend:

root/admin.php uses root/protected/admin/config/main.php

So I have 2 independent web applications that use one shared Yii framework (root/protected/framework/yii.php).

I have 2 login pages, one for the frontend, one for the backend.

For the frontend I have a DUserIdentity class that extends CUserIdentity, and in the authenticate() method I check the username and password in the user table. After authenticate() I use Yii::app()->user->login($this->_identity,$duration); to log the user in.

In the backend I do the same as in the frontend but with a different class: I have a DAdminIdentity class that extends CUserIdentity, and in the authenticate() method I check the username and password in the admin table. After authenticate() I use Yii::app()->user->login($this->_identity,$duration); to log the user in.

My question is:

Is this way safe? That means, if a user logs in to the frontend and wants to hack me by changing the browser storage data, can he/she log in to the backend page?

In the frontend and backend, when I createWebApplication

Yii::createWebApplication($config)->run();

I use a different $config, so I have different web apps. I think it is safe, right? I think it is the same as having one Yii app installed in two different folders like root/one and root/two: if a user is logged in to root/one he cannot log in to root/two.

:( Reply to me please.

Help me please.

Perhaps you should have some patience.

I think the key really is that you have to understand how the authentication from cookie works. Once you understand how that works and how Yii authenticates users based on the supplied cookies, then you can judge for yourself if this is a safe situation.

To answer your question: your solution is just as (un)safe as if it were only one login leading to different ends based on a user role or access level. You gained no more security, nor did you lose any.

Some reading suggestions:

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#cookie-based-login

http://www.yiiframework.com/doc/guide/1.1/en/topics.security#cookie-attack-prevention
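As an added illustration of the point above (this is not code from the thread or from the Yii project), here are the Yii 1.1 component settings that actually decide whether a login in one of the two entry points is visible to the other. Whether the two apps share login state depends on the CWebUser state key prefix, the session cookie and the cookie validation key, not on having two config files; the app ids, cookie names and key values are placeholders, and the `secure` flags assume the site is served over HTTPS.

```php
<?php
// Added example: builds the isolation-relevant part of a Yii 1.1 config.
// Used by both root/protected/config/main.php and
// root/protected/admin/config/main.php with a different $id each.
function isolatedAppConfig($id, $validationKey)
{
    return array(
        // Explicit application id: CWebUser derives its default stateKeyPrefix
        // (and with it the $_SESSION keys and the auto-login cookie name) from
        // the app id. Two apps that fall back to the same default id would
        // read each other's login state from a shared session.
        'id' => $id,
        'components' => array(
            'user' => array(
                'allowAutoLogin' => true,
                // Distinct prefix => distinct __id/__name keys in the session
                // and a distinct auto-login (identity) cookie per application.
                'stateKeyPrefix' => $id . '_',
                'identityCookie' => array(
                    'name'     => $id . '_identity',   // placeholder name
                    'httpOnly' => true,
                    'secure'   => true,                // assumes HTTPS
                ),
                'loginUrl' => array('site/login'),
            ),
            'session' => array(
                // Separate PHP session cookie per app, so the backend never
                // even receives the frontend's session data.
                'sessionName'  => $id . '_session',    // placeholder name
                'cookieMode'   => 'only',
                'cookieParams' => array('httponly' => true, 'secure' => true),
            ),
            'request' => array(
                // Cookies are HMAC-signed by CSecurityManager; a cookie value
                // edited in the browser fails validation and is discarded
                // rather than trusted.
                'enableCookieValidation' => true,
                'enableCsrfValidation'   => true,
            ),
            'securityManager' => array(
                // Different key per app: a cookie signed for the frontend does
                // not validate in the backend even if the browser sends it.
                'validationKey' => $validationKey,
            ),
        ),
    );
}

// root/protected/config/main.php would contain:
//   return isolatedAppConfig('frontend', 'REPLACE-WITH-RANDOM-FRONTEND-KEY');
// root/protected/admin/config/main.php would contain:
//   return isolatedAppConfig('backend',  'REPLACE-WITH-RANDOM-BACKEND-KEY');
```

Even with this separation, the backend's DAdminIdentity still has to be the only thing that can produce a backend login: the settings above keep the two applications' cookies and session state apart, while the authorization check itself remains the one the reply describes.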

OK, thanks.