User ID in session data

GSTAR · December 21, 2010, 3:54pm

I set up my UserIdentity class as per: http://www.yiiframework.com/wiki/6/

So in my app I now have lots of this:


$content=Content::model()->find('user_id=:user_id', array(':user_id'=>Yii::app()->user->id));

Now I know this user ID is being stored in the session, but does this mean it is being stored in a cookie?

And if so, that must mean it is easy to modify, so somebody could change the ID. How can I prevent these kind of things?

gusnips · December 21, 2010, 4:00pm

This seens to resolve, since it keeps its data in the database




'components'=>array(

//...

    	'session' => array(

        	'class' => 'system.web.CDbHttpSession',

        	'connectionID'=>'db',

    	),

GSTAR · December 21, 2010, 10:22pm

I’m not after a DB session handler. I just want to know how to secure my User ID variable in normal session.

islands · December 22, 2010, 3:46am

Under normal circumstances, the only thing in the client cookie is the session id. This cookie is, by default, called PHPSESSID when using PHP’s session mechanism. It is passed to the client in the HTTP header and sent on each request to uniquely identify the client to the server and allow for persistence between page visits.

The actual session data is stored only on the server (not in a client cookie) and controlled by your server side scripting code, so the security of that data is contingent upon the quality of security implemented on your server. The client sends an HTTP request, and PHP or Yii will read the cookie session id, and use that to associate that with the private server session data.

Hope this helps.

GSTAR · December 22, 2010, 11:26am

Thanks man. So I can still safely use ‘allowAutoLogin’?

jacmoe · December 22, 2010, 3:35pm

Islands is right: that’s how it’s usually done.

GSTAR · January 13, 2011, 10:34am

I think the whole login and roles functionality of Yii is not very well implemented - just my personal opinion!

Having read this topic: http://www.yiiframework.com/forum/index.php?/topic/14903-a-few-questions-about-the-login-process/

Things are now more confusing!

Anyway if I turn off allowAutoLogin, then that presumably turns off cookie usage. What if you want to use allowAutoLogin but store session data in a server session?

I prefer not to store any temporary data in a DB table.

GSTAR · January 19, 2011, 10:44am

Bump. Any thoughts anyone? What I’m saying is, I want to use allowAutoLogin - which will save the login in a cookie so that the user doesn’t keep getting logged out - but I want to store sensitive data (data stored via setState) in the server session (the way it does when you turn off allowAutoLogin). Can we do this?