Hi everyone,
I’m a PHP dev who rarely works in Yii (though I like it) but I’ve been asked to look into a security issue with a Yii 1.1.15 site that was built by another agency.
Essentially, there’s an admin component. When you log in successfully, three cookies are created. I understand these to be the CSRF token, the PHP session ID and the Yii identity cookie. That’s my understanding at least.
If you copy those cookie keys and values and log out, you can do a remote cURL POST request that is accepted by Yii. You can’t, however, navigate to that area in a browser.
So some portion of the logout is working correctly, but not all. The logout method looks like this, which after researching I believe is correct.
public function actionLogout() {
    // CWebUser::logout() clears the identity states, removes the auto-login
    // identity cookie and, with its default $destroySession=true, destroys
    // the PHP session.
    Yii::app()->user->logout();
    // Explicit close/destroy of the session component; logout() above has
    // already destroyed the session, so this is belt-and-braces.
    $session = Yii::app()->session;
    $session->close();
    $session->destroy();
    $this->redirect( array( '/' ) );
}
The accessRules look like this
public function accessRules() {
    return array(
        // Public actions: any visitor, logged in or not.
        array(
            'allow',
            'actions' => array( 'login', 'logout', 'action', 'reset', 'forgot' ),
            'users' => array( '*' )
        ),
        // Admin-only actions, decided by the expression on the current user.
        array(
            'allow',
            'actions' => array( 'index', 'register' ),
            'expression' => '$user->getIsAdmin()',
        ),
        // Any authenticated user.
        array(
            'allow',
            'actions' => array( 'profile', 'password' ),
            'users' => array( '@' )
        ),
        // Everything else is denied.
        array(
            'deny',
            'users' => array( '*' )
        )
    );
}
That appears correct as well. Is this perhaps a core Yii bug? If so, is it a known one?
Thanks for your assistance!
Best,
Wilson
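The following is an added example and is not part of Wilson's post or of the site in question. It shows how a Yii 1.1 application can make a copied "remember me" identity cookie stop working after logout. The relevant Yii 1.1 behaviour it builds on: when `allowAutoLogin` is enabled, `CWebUser::saveToCookie()` stores `array(id, name, duration, identityStates)` in the identity cookie, signed (not encrypted) by `CSecurityManager`; `CWebUser::logout()` deletes that cookie from the browser and destroys the PHP session, but has no effect on a copy of the cookie taken earlier, which `restoreFromCookie()` accepts until the cookie's own expiry. `CWebUser::beforeLogin($id, $states, $fromCookie)` is the hook where such a cookie login can be refused. The `user` table with columns `id`, `username`, `password_hash` and `auth_key`, and the class names `UserIdentity` and `WebUser`, are assumptions for the example; `CPasswordHelper` requires Yii 1.1.14 or later.

```php
<?php
// Added example, not code from the original post. Assumes a hypothetical
// `user` table with columns id, username, password_hash and auth_key
// (auth_key holds a random per-user secret) and Yii 1.1.14+ for
// CPasswordHelper. Everything else is the stock CWebUser/CUserIdentity API.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $row = Yii::app()->db->createCommand(
            'SELECT id, password_hash, auth_key FROM user WHERE username=:u'
        )->queryRow(true, array(':u' => $this->username));

        if ($row === false || !CPasswordHelper::verifyPassword($this->password, $row['password_hash'])) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }
        $this->_id = $row['id'];
        // Identity states are copied into the signed cookie by saveToCookie(),
        // so every cookie carries the auth_key that was current when it was issued.
        $this->setState('authKey', $row['auth_key']);
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    // Called by restoreFromCookie() with $fromCookie=true before the user is
    // considered logged in. Refuse cookies whose embedded key is not the one
    // currently stored for that user.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // password login: the identity just loaded a fresh key
        }
        if (!isset($states['authKey']) || !is_string($states['authKey'])) {
            return false;
        }
        $current = Yii::app()->db->createCommand(
            'SELECT auth_key FROM user WHERE id=:id'
        )->queryScalar(array(':id' => $id));

        return is_string($current) && self::sameKey($current, $states['authKey']);
    }

    // Rotate the stored key before the parent clears the identity, so every
    // cookie issued so far (including any copied one) fails beforeLogin().
    public function logout($destroySession = true)
    {
        if (!$this->getIsGuest()) {
            Yii::app()->db->createCommand(
                'UPDATE user SET auth_key=:key WHERE id=:id'
            )->execute(array(
                ':key' => bin2hex(openssl_random_pseudo_bytes(16)),
                ':id'  => $this->getId(),
            ));
        }
        parent::logout($destroySession);
    }

    // Constant-time comparison so the key is not leaked through timing.
    private static function sameKey($a, $b)
    {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}
```

To use it, point the application at the subclass in protected/config/main.php (`'user' => array('class' => 'WebUser', 'allowAutoLogin' => true)`) and populate `auth_key` with a random value when the account is created. The simpler alternative, if remember-me is not needed, is `'allowAutoLogin' => false`: no identity cookie is issued at all, the session ID is the only credential, and destroying the session on logout does invalidate it. Neither change affects the CSRF cookie, which in Yii 1.1 is a request-forgery check rather than an authentication credential.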