Login System - YII And Session Fixation

Hello,

I found out that YII already does a lot of the things I had to code myself in the previous framework I used, including safe cookies and CSRF validation for $_POST requests. I also have a note about the CSRF cookies’ default implementation, but I will write this later.

Now, I am creating the login system. I have added encryption with salt to the user password, and modified the login system a bit. I am storing sessions in the DB. At this point, I usually implement some system to prevent session fixation, often by renewing the session’s ID at every request. Is there some built-in system in YII to help with this (even a link to the doc page would be enough!)?

Also, in the past, as an additional layer of security, I often stored additional information for each session, like user IP and user agent, to be matched at each request. These days, with apps being designed to also work on mobile platforms, IPs change even every few minutes, so this cannot be done anymore.

Thanks all!

Hi there. I can’t answer your question as I’m very new to Yii… but I’m hoping you may be able to help me instead.

I’m really interested to hear how you implemented your sessions so they can be written to the database. I could probably code it myself but I’d prefer to find out what the best practice is.

If you could post some sample code that would be MUCH appreciated.

Thanks

You are aware that there’s a CDbHttpSession component, aren’t you? ;)

Just configure it as your session component in main.php.
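As an added illustration (not code from the thread or from the Yii project), the following shows the two pieces the question and this reply touch: a `session` component entry in `main.php` that uses `CDbHttpSession`, and a login action that regenerates the session ID once authentication succeeds, which is the usual defence against session fixation. It assumes the default Yii 1.1 skeleton (`db` connection component, `LoginForm` model with a `login()` method, `SiteController`); the table name and timeout are example values.

```php
<?php
// protected/config/main.php (fragment, example configuration)
return array(
    'components' => array(
        'session' => array(
            'class'                  => 'CDbHttpSession',
            'connectionID'           => 'db',         // store sessions via the 'db' component
            'sessionTableName'       => 'YiiSession', // example table name
            'autoCreateSessionTable' => true,         // convenient in dev; set false in production
            'timeout'                => 1800,         // idle lifetime in seconds (example value)
            'cookieMode'             => 'only',       // never accept a session ID from the URL
            'cookieParams'           => array(
                'httponly' => true,   // keep the cookie away from client-side script
                // 'secure' => true,  // enable once the site is served over HTTPS only
            ),
        ),
        'user' => array(
            'allowAutoLogin' => false, // "remember me" identity cookies stay off unless needed
        ),
    ),
);

// protected/controllers/SiteController.php (fragment, example action)
class SiteController extends CController
{
    public function actionLogin()
    {
        $model = new LoginForm; // the skeleton app's LoginForm (assumed)
        if (isset($_POST['LoginForm'])) {
            $model->attributes = $_POST['LoginForm'];
            if ($model->validate() && $model->login()) {
                // Session fixation defence: the session ID that existed before
                // authentication is discarded and its old record deleted, so an
                // ID known to anyone else never becomes an authenticated session.
                Yii::app()->session->regenerateID(true);
                $this->redirect(Yii::app()->user->returnUrl);
            }
        }
        $this->render('login', array('model' => $model));
    }
}
```

With `CDbHttpSession` in place, `regenerateID(true)` rotates the row in the session table as well as the cookie, so the old ID stops resolving to any session data.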

Don’t know if I should open new topic…

But if I check the unique id I generate at login + ip + user_agent…

Should I worry about session fixation?

The system I’m building involves money… so it must be secure…

For now I use autologin, but it is a little bit scary…