I’m bulding a website with a “Favourite item” function. It’s a simple button the user pushes to store the item in his favourites ones. So, it works with ajax.
I started to build my actions, and suddenly, I realised that anyone posting any user id and any item id to this action could add or remove favourites from any user…
So of course, I though that I had to generate a form with a model, so I do for regular forms, but submitting in ajax.Until now, I never worried about this kind of problems, and when submiting a form I checked the user identity inside the controler, or thanks to the RBAC functions. But then, I realized I just don’t know or understand how yii2 is checking user identity from posted forms… I just trust Yii2.
So I had a look to the generated HTML, and seen that the forms add an hidden _csrf token field. Is this what is used to check user identity from a posted form ?
[b]How would you do yourself to generate an ajax form containing the necessary informations to check the user identity on the server ?
identity is stored in session. in yii it’s better to access it through \Yii::$app->user
connection between server and client is made via session id that is stored as cookie on client. server can serve session on different media - file, db, cache, webservice etc… by default webserver makes file for each session at some place (making possible for session spoofing )
unless you provide webservice for distributed apps, you do not need to put identity to check user as you have full access to session and make check on server side
csrf stands for cross side reference - xss attack
easiest way to add access check via behavior AccessControl in controller
class SiteController extends Controller
{
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(), <------------ THIS ONE
'only' => ['login', 'logout', 'books'],
'rules' => [
[
'allow' => true,
'actions' => ['login', 'books'],
'roles' => ['?'] // guests
],
[
'allow' => true,
'actions' => ['logout', 'manage'], //TODO: rule author
'roles' => ['@'] // users
],
]
]
];
}
public function actionLogin() <--- DO YOUR STUFF
{ . .. .
so the question is : are the session informations transmited to the server when doing an ajax call ?
I’m reading that :
github (I can’t post urls…) yiisoft/yii2/blob/master/docs/guide/rest-authentication.md
And it seems to me that when you’re using ajax actions on a yii2 site (wich is kind of RESTapi right ? ), you MUST implement “findIdentityByAccessToken”; right ?
If I undersand what I’m reading, I must add a token table to the user table, and then send this token by the ajax request, and then inside the controler get the identity of the user thanks this token. All the operation being secure if and only if HTTPs is used to encrypt the token.
Am I right ? Or is ther an easier way to check user identity from an ajax call ?
AJAX call is nothing more than regular call from client behind scene (no page refresh). REST used for APIs as they utilize http headers as action description (gives clean urls)
session information IS NOT transmitted, only user’s session id is stored in cookie. that’s how user is recognised. if you don’t provide additional check
to make identity usage you must create your own class to handle it by comply with interface like below
namespace frontend\models;
class Users extends ActiveRecord implements IdentityInterface
{
)