Store password in the session

Hi all,

I’m trying to write an app which works with the database, and my idea is to engage DB authentication mechanism, so that users simply use their DB username/password to authenticate, and I don’t have to maintain user list elsewhere.

In this situation I have to persistently store both the username and the password for subsequent DB queries.

The CWebUser doc page says:

Now, the question:

Is Yii::app()->session the right place for this information, ie. is it safe enough?

Yii::app()->session is simply a wrapper for $_SESSION, which is different from CBaseUserIdentity::setState. CBaseUserIdentity::setState will store persistent data in the cookie, given that allowAutoLogin (= cookie-based login) is enabled.

Obviously keeping the actual password in the cookie is a very bad idea.

I think the guide is pretty clear on that

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth
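As an added example (not code from the thread or from the Yii project), here is what that distinction looks like in a Yii 1.1 identity class: the username goes through setState, which CWebUser may persist in the auto-login cookie, while the password is written only to Yii::app()->session, i.e. to server-side $_SESSION. The class name DbUserIdentity and the session keys dbUsername/dbPassword are assumptions made for this example; the DSN is reused from the configured 'db' component, and the example assumes the session store (files, DB or memcache) is not readable by other tenants of the server.

```php
<?php
// Added example, not from the forum thread: authenticate against the database
// itself by opening a connection with the credentials the user typed in.
// Class name and session key names are assumptions for this example.
class DbUserIdentity extends CUserIdentity
{
    /**
     * Try to open a DB connection with the submitted credentials.
     * On success the username goes into the identity state (which CWebUser
     * may write to the auto-login cookie), the password only into the
     * server-side session.
     */
    public function authenticate()
    {
        // Reuse the DSN of the configured 'db' component; only the
        // credentials differ from the application-wide ones.
        $dsn = Yii::app()->db->connectionString;
        $connection = new CDbConnection($dsn, $this->username, $this->password);
        try {
            $connection->setActive(true);
        } catch (CDbException $e) {
            // Most drivers do not tell a bad user from a bad password,
            // so report a single generic failure.
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }
        $connection->setActive(false);

        // Not secret, so it may live in identity state (and thus, with
        // allowAutoLogin, in the cookie).
        $this->setState('dbUsername', $this->username);

        // Secret: never setState() it. Yii::app()->session is $_SESSION,
        // which stays on the server; only the session ID travels in a cookie.
        Yii::app()->session['dbUsername'] = $this->username;
        Yii::app()->session['dbPassword'] = $this->password;

        $this->errorCode = self::ERROR_NONE;
        return true;
    }
}
```

Usage is the usual Yii 1.1 login flow: build the identity from the login form, call authenticate(), and on success pass it to Yii::app()->user->login($identity, $duration). Nothing written via Yii::app()->session is included in the identity states that login() serialises into the auto-login cookie.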

Thanks for this explanation.

So, back to the original question, is $_SESSION (a.k.a. Yii::app()->session) safe for password storage?

Sessions are stored on the server side, so, yes, an attacker won’t have access to them.

But you have to realize that sessions are kept alive with cookies; the session info is kept in the cookie. (Actually, sessions can also be kept alive by appending the session ID to site URLs, but most of the time use_only_cookies is enabled.) This means that an attacker can steal the cookie and hijack the session. To prevent this you have to expire sessions and regenerate them depending on what level of security you require.

http://www.yiiframework.com/doc/guide/1.1/en/topics.security#cookie-attack-prevention

Is it correct to update Yii::app()->db->username/password from the session in CWebUser::afterLogin() if $fromCookie==true? I mean, is it the right place to do it?

As has been told, sessions are lost once a user closes his browser / signs out / deletes cookies. This means that with auto-login, by default a user will only have his name restored; you will have to take care of fetching all the necessary information back into the session from the DB.
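The following is an added example (not code from the thread or from the Yii project) that puts the last two answers together: the session-cookie hardening and session-ID regeneration from the hijacking answer, and a CWebUser::afterLogin() override that handles the $fromCookie case. It assumes the login step stored the DB credentials under the session keys dbUsername and dbPassword (as in a custom identity class), that the site is served over HTTPS, and that the application is wired to call applyDbCredentials() before the first query on each request (for example from an onBeginRequest handler). The class name WebUser, the state name needsDbPassword and the session keys are assumptions for this example.

```php
<?php
// Added example, not from the forum thread.
// Part 1: protected/components/WebUser.php

class WebUser extends CWebUser
{
    protected function afterLogin($fromCookie)
    {
        // Fresh session ID on every privilege change, so an ID captured
        // before login (session fixation) is useless afterwards.
        // regenerateID(true) keeps the session data and drops the old ID.
        Yii::app()->session->regenerateID(true);

        if ($fromCookie) {
            // Cookie-based auto-login restores only the identity states.
            // The password lived in the old session, which is gone, and it
            // must not be in the cookie, so the DB cannot be opened as this
            // user until they re-enter it. Flag it and let a filter or
            // controller redirect to a "confirm password" form.
            Yii::app()->session['dbPassword'] = null;
            $this->setState('needsDbPassword', true);
            return;
        }

        // Form login: the identity class already put the credentials
        // into Yii::app()->session.
        $this->setState('needsDbPassword', false);
        $this->applyDbCredentials();
    }

    /**
     * Re-point the shared 'db' component at the logged-in user's own
     * credentials. Must run on every request before the first query,
     * because the component is rebuilt from config on each request.
     * Returns false when no password is in the session.
     */
    public function applyDbCredentials()
    {
        $session = Yii::app()->session;
        if (!isset($session['dbPassword'])) {
            return false;
        }
        $db = Yii::app()->db;
        $db->setActive(false);            // changes take effect on reconnect
        $db->username = $session['dbUsername'];
        $db->password = $session['dbPassword'];
        $db->setActive(true);
        return true;
    }
}

// Part 2: fragment of protected/config/main.php (assumed values)
return array(
    'components' => array(
        'session' => array(
            'class'        => 'CHttpSession',
            'cookieMode'   => 'only',   // never accept the session ID from the URL
            'cookieParams' => array(
                'httponly' => true,     // script on the page cannot read the ID
                'secure'   => true,     // cookie is sent over HTTPS only
            ),
            'timeout'      => 1800,     // gc_maxlifetime: idle sessions die after 30 min
        ),
        'user' => array(
            'class'          => 'WebUser',
            'allowAutoLogin' => true,   // identity states go to the cookie; the password never does
        ),
    ),
);
```

The design choice here is that a cookie-based auto-login never silently restores DB access: the only copy of the password was in the expired server-side session, so the user is asked for it again rather than the application keeping a long-lived copy anywhere a stolen cookie could reach. The session settings limit the window of a hijacked ID (idle timeout, cookie-only IDs, HttpOnly and Secure flags); they do not make the stored password safe against a compromised server or a shared session store.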