Hello,
I found out that YII already does a lot of the things I had to code myself in the past framework I used, including safe cookies and CSRF validation for $_POST requests. I also have a note about the CSRF cookies' default implementation, but I will write this later.
Now, I am creating the login system. I have added encryption with salt to the user password, and modified the login system a bit. I am storing sessions in the DB. At this point, I usually implement some system to prevent session fixation, often by renewing the session's ID at every request. Is there some built-in system in YII to help with this (even a link to the doc page would be enough!)?
Also, in the past, as an additional layer of security, I often stored additional information for each session, like user IP and user agent, to be matched at each request. These days, with apps being designed to work also on mobile platforms, IPs change as often as every few minutes, so this cannot be done anymore.
Thanks all!
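The session-fixation control the post asks about, shown as an added example in plain PHP (not code from the original post or from the Yii project): instead of renewing the ID on every request, the session ID is regenerated at the moment of login and the pre-login session record is discarded, and the per-session check binds only the user agent, since the post is right that client IP is no longer stable. The function names, the `$server`/`$session` array parameters and the 8-hour absolute lifetime are assumptions made for this example; Yii 1.x's `CHttpSession` wraps the same `session_regenerate_id()` call in `regenerateID()`, which is worth checking against the API docs for your version.

```php
<?php
// Added example, not from the original post: session-fixation defence in
// plain PHP. Assumes session_start() has already been called by the framework.

// Fingerprint built from the user agent only. Client IP is deliberately left
// out: on mobile networks it changes too often to be a stable binding.
function session_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Call at every privilege change (login, role elevation). Issuing a fresh ID
// means an ID an attacker planted before login is never promoted to an
// authenticated session; passing true deletes the old session record so the
// planted ID cannot be reused afterwards.
function promote_session_on_login(int $userId, array $server): void
{
    $_SESSION = [];                       // drop anything set pre-authentication
    session_regenerate_id(true);          // new ID, old session data destroyed
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = session_fingerprint($server);
    $_SESSION['login_at']    = time();
}

// Call on every request that requires authentication. Returns true when the
// session is acceptable, false when it must be treated as anonymous.
// $maxAgeSeconds is an assumed absolute lifetime (8 hours here).
function validate_session(array $session, array $server, int $maxAgeSeconds = 28800): bool
{
    if (!isset($session['user_id'], $session['fingerprint'], $session['login_at'])) {
        return false;
    }
    // hash_equals (PHP >= 5.6) compares in constant time.
    if (!hash_equals($session['fingerprint'], session_fingerprint($server))) {
        return false;
    }
    // An absolute lifetime bounds how long a stolen or fixed ID stays useful,
    // independently of idle timeouts.
    return (time() - $session['login_at']) <= $maxAgeSeconds;
}

// Typical wiring in a login action:
//   if ($user = authenticate($username, $password)) {
//       promote_session_on_login($user->id, $_SERVER);
//   }
// and in an authenticated-only filter:
//   if (!validate_session($_SESSION, $_SERVER)) { session_destroy(); redirectToLogin(); }
```

On a failed `validate_session()` check, destroying the session rather than silently continuing is what turns the user-agent binding into a real control; with DB-backed sessions the destroy also removes the server-side row.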