Security implications with CWebUser

Hi donFuego, do not worry much about the -1 as I received around 15 down votes due to spammers in the past. It has nothing to do with the people here… I think there is a post where moderators explained that

I solved this problem by bypassing certain functions of CWebUser. I use the login functions as recommended but with my own password encryption (sha256 with salt and user email in it), I added a function for temporary passwords on password reminder, block the user, if he tries to access his account with a wrong password more than 5 times for 5 minutes*tries, and I love to work with flashes for error messages. Another reason is, that I want to enable login if cookies are disabled. I rewrite all urls with my own function and add the session id to the url if necessary (or strip and add it again). For security reasons I bind the session id to the ip and the user agent and clean all external urls from the referrer.

But I don’t use the auto login feature by default and save all states only in the session. I use the authmanager only for admin features, because I don’t want to show the user a non-helpful forbidden error. I use simple if constructions in controller functions and save the error message to flash and redirect the user from the forbidden page to the member index. In my opinion, this is much more user-friendly as I can describe the error reason better. And for me, the chance is higher to forget the denies in the authmanager than in the controller functions.

I think, this is the idea of a framework. It should support the programmer and should not tell him, what to do. Yii does a really good job with security problems, but I’m too paranoid to use just the basic model. And in Germany we have some minimum government recommendations, e. g. not mailing the password, that I want to follow.

++ that!

There is a good community here, a few elitists if you like but mostly everyone is helpful. FWIW I think the +1 -1 ranking thing should be scrapped it just causes hard feelings. But if it is retained the identity of the person giving thumbs up or thumbs down should be public.

@donfuego don’t give up on us yet!

doodle

elitism? like how?

I find these forums are extremely friendly, and the dev team extremely responsive when problems and concerns are brought to their attention.

I wonder who gave you a -1, and for what - I poked through your posts and definitely didn’t find anything ignorant or offensive… You use a serious tone and make reasonable valid arguments… Please don’t ditch Yii (and us) because of one bad experience on the forums - you’ve been here for less than a month and made only a few posts. Whatever this is, I’m sure it’s a simple misunderstanding.

And you’ll be missing out on the best framework and one of the best forums there is for PHP frameworks :wink:

agree 100% on both points!

I love the way stackoverflow does it, for example…

Hi guys and thanks for your comments. I’m sorry, I usually don’t flare up like that. I guess I must have had a really bad day :) I’m all new to web programming although I’ve been programming computers for ages (literally). I guess I’m a bit oldskool in my programming and taking on a (for me) brand new concept/framework can be a bit overwhelming. I must admit I really like Yii though and now I’m slowly starting to grasp it bit by bit. I’ve actually managed to get pretty much where I wanted with my first try, although it took a lot of head scratching.

So, now… Is it safe to use Yii::app()->user->setState() or not? ;)

I get an extreme headache, if I think about saving plain user data to a cookie. At least, you should use the suhosin patch with your php.

http://www.hardened-php.net/suhosin/configuration.html#suhosin.cookie.encrypt

It’s only safe to store non-sensitive data on the client. I would not personally recommend attempting to store sensitive encrypted data on the client-side either, if by any means avoidable.

Store only temporary keys etc. - then retrieve the data on the server-side, as needed.

That’s my advice.

Quick tip - if you have the user ID stored, you can do something like this:

```php
class WebUser extends CWebUser
{
  protected $_model;

  // Late-load the User record for the logged-in user by primary key;
  // returns null for guests (getId() is null) or a missing row.
  public function getModel()
  {
    if (!isset($this->_model))
      $this->_model = User::model()->findByPk($this->getId());
    return $this->_model;
  }
}
```

Configure this application component as ‘user’, and you can do something like echo Yii::app()->user->model->firstName etc. - this makes the model easily reachable from anywhere, and it will late-load when needed.

A straight PK query is nothing to worry about in terms of performance…

Guys, Yii::app()->user->setState() does not save data into a cookie but to the session only! Only data set from CUserIdentity (which is not Yii::app()->user) during authentication and also only if allowAutoLogin is set true will be saved to a cookie!
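The split described above, as an added example that is not code from the thread: identity states set inside CUserIdentity::authenticate() are the only ones that can end up in the auto-login cookie, while anything set through Yii::app()->user->setState() after login() stays in the server-side session. It assumes a User ActiveRecord with columns id, email, password_hash and first_name, a LoginForm with email, password and rememberMe attributes, and PHP 5.5+ for password_verify(); all of these names are placeholders.

```php
<?php
// Added example (not from the thread). Assumes a User ActiveRecord with
// columns id, email, password_hash and first_name, a LoginForm with email,
// password and rememberMe attributes, and PHP 5.5+: all placeholder names.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('email' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            // Identity states are copied into the auto-login cookie when
            // login() gets a duration and allowAutoLogin is true. That cookie
            // is HMAC-signed, not encrypted, so keep only display data here.
            $this->setState('displayName', $user->first_name);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId() { return $this->_id; }
}

class SiteController extends CController
{
    public function actionLogin()
    {
        $form = new LoginForm;
        if (isset($_POST['LoginForm'])) {
            $form->attributes = $_POST['LoginForm'];
            $identity = new UserIdentity($form->email, $form->password);
            if ($identity->authenticate()) {
                // Duration 0 means session-only; 30 days only when requested.
                $duration = $form->rememberMe ? 3600 * 24 * 30 : 0;
                Yii::app()->user->login($identity, $duration);
                // Set after login(): lands in $_SESSION under a prefixed key,
                // never in the cookie, whatever allowAutoLogin is set to.
                Yii::app()->user->setState('lastLoginAt', time());
                $this->redirect(Yii::app()->user->returnUrl);
            }
            Yii::app()->user->setFlash('error', 'Invalid email or password.');
        }
        $this->render('login', array('model' => $form));
    }
}
```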

I agree. Thanks for the tip.

That I fully agree with. What I still don’t understand however, is whether Yii::app()->user->set/getState() is client or server side. From the earlier posts in this thread it seems to depend on many factors. Now this is an old thread and I haven’t found any recent discussion on this topic so I reckon this ‘problem’ might have been solved, perhaps by suggesting another method?

Sessions are always server side. Only cookies are stored on the client.

… and if you still don’t trust CWebUser::setState() then don’t use it and access Yii::app()->session instead.

Thanks Mindplay! That was an eye opener. I would never have thought of doing it like that.

Ah yes, I remember reading about using a sessions object, which to me seems to be a more “clean” way than using app()->user but then I got caught up in this cookie vs session mixup :) Also thanks for clearing out the CUserIdentity confusion.

there’s a lot of caveats with the user identity API - “if you do this, then that happens”, etc… personally I would have opted for something more transparent, but that’s an old debate, and since I don’t have the time to contribute a more concrete idea, I should probably just shut up and love it.

it does seem to be a “popular” topic though - perhaps the documentation could be improved, or perhaps it’s difficult to write good documentation because the architecture as such really isn’t very easy to understand…

Well, as a newbie I’ve found it very confusing. Perhaps the documentation (I’m especially thinking about the “Definite Guide” which I guess most newbies go through) could describe how to use CHttpSession to store session data. Thus people (like me) would not end up in this CUserIdentity dead-end while searching for answers ;)

Also, what brought me into using user->setState() in the first place was the Blog Tutorial if I remember correctly. It could perhaps mention why they use that method instead of CHttpSession. Is it just because it’s easier? I for one would like to know :)

Just my 5c.

Personally I see Yii::app()->user->setState()/getState() as a simple wrapper for the session (have a look at the simple implementation in CWebUser). I use it only because it feels more natural from an OOP perspective: for me session data is always related to the current user. And I admit I’m often not sure if I have to open() the session first. Using this method I don’t have to care about that.

Yii::app()->session (which is a CHttpSession by default) to me is rather a component that’s used to configure the session and provides access methods just for completeness (which is only my personal opinion!)

In the end, all these methods are equivalent, even if you have configured another session component like CDbHttpSession:

```php
// plain PHP superglobal
$_SESSION['mykey']='myval';
$x=$_SESSION['mykey'];

// the session application component (CHttpSession by default)
Yii::app()->session['mykey']='myval';
$x=Yii::app()->session['mykey'];

// CWebUser state wrapper (stores into the same session under a prefixed key)
Yii::app()->user->setState('mykey','myval');
$x=Yii::app()->user->getState('mykey');
```

Mike, that is the best explanation I’ve heard - this explanation ought to be in the guide, although as you said, it’s just how you view it, I think that’s a very reasonable way to view it.

If it were phrased as “you can think of CWebUser as…” etc., I think it would be great to have this in the guide… (I’m going to guess that’s really how most people end up viewing it in the end, but even if that’s not how everyone ends up viewing it once they have some experience using it, it’s still a point of view that is easy to understand, and should help newcomers get started)

Thanks, mindplay. I once opened a ticket for this:

http://code.google.com/p/yii/issues/detail?id=747

Even though the guide was improved it still seems to lack some more detailed information/examples. So maybe just add a comment there and ask Jeff to add it to the guide. Maybe some native speaker can even suggest some sentences …

…together with…

…should be expressed in the Definite Guide to Yii. That would have spared me and hopefully many others a lot of time and frustration.

Meanwhile let’s hope people like me find this thread. Thanks for shedding light on this issue. I feel comfortable to go on using Yii::app()->user->set/getState() now and I also know what options I have. Thanks guys!!

thumbs up