Secure Session

I have written a class that provides more security in handling standard sessions. It extends the basic CHttpSession and stores in the session itself a hash value of the user agent ID (browser ID) and part of the source IP. When this hash does not match on some request, an exception is thrown. This protects against session cookie stealing to gain privileges.

There are extensions that do a similar thing, but only for DbSession (MyCDbHttpSession). My extension works on every standard session. You can even extend it to provide your own session handling methods, just like you could do with CHttpSession.

Configuration is very simple, just configure session in main config file:




'session' => array(
  'class'=>'application.components.CSSafeSession',
  'compareIp'=>true,
  'ipBlocks'=>3,
  'compareAgent'=>true
),



Attaching the file…
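
The check described in the post above, sketched in plain PHP as an added example; it is not part of the original post and is not the code of the attached CSSafeSession class. The function names, the `__fingerprint` session key, the choice of SHA-256 and the reading of `ipBlocks` as "number of leading IPv4 octets" are assumptions, and this sketch returns a boolean where the post says the extension throws an exception.

```php
<?php
// Added illustration, not the CSSafeSession source; function names are hypothetical.

// Hash the User-Agent plus the leading $ipBlocks octets of the client IPv4 address.
function sessionFingerprint(string $ip, string $userAgent, bool $compareIp = true,
                            int $ipBlocks = 3, bool $compareAgent = true): string
{
    $parts = [];
    if ($compareIp) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            // Assumption: ipBlocks counts leading octets, so 3 tolerates a
            // changing last octet inside one /24.
            $n = max(1, min(4, $ipBlocks));
            $parts[] = implode('.', array_slice(explode('.', $ip), 0, $n));
        } else {
            // Assumption: anything that is not IPv4 is compared in full.
            $parts[] = $ip;
        }
    }
    if ($compareAgent) {
        $parts[] = $userAgent;
    }
    return hash('sha256', implode("\n", $parts));
}

// First request stores the fingerprint; later requests must reproduce it.
function checkSession(array &$session, string $ip, string $userAgent): bool
{
    $current = sessionFingerprint($ip, $userAgent);
    if (!isset($session['__fingerprint'])) {
        $session['__fingerprint'] = $current;
        return true;
    }
    // hash_equals compares in constant time.
    return hash_equals($session['__fingerprint'], $current);
}

// Constructed sample requests (documentation address ranges, made-up agents).
$session = [];
$ua = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
foreach ([['192.0.2.10', $ua], ['192.0.2.77', $ua], ['198.51.100.5', $ua], ['192.0.2.10', 'OtherAgent/2.0']] as [$ip, $agent]) {
    printf("%-13s %-15s %s\n", $ip, substr($agent, 0, 15), checkSession($session, $ip, $agent) ? 'accepted' : 'rejected');
}
```

The User-Agent header is supplied by the client and travels alongside the cookie, so a check like this complements Secure and HttpOnly session cookies rather than replacing them.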

I tried it but got the following error message:

Property "CWebApplication.session" is read only.

That is very strange… which version of Yii do you use? Could you provide the call stack with the full exception message as a private message (extracted from application.log)?

Ahhh, I know - did you put this configuration in the "components" section (where it should be)? It should be like this:




...
'components'=>array(
   ...
   'session' => array(
      'class'=>'application.components.CSSafeSession', // or just CSSafeSession as application.components is in search path by default
      ...
   ),
   ...
),
...



Why not publish this as an extension? It would be very helpful.