What about session security?

Does Yii implement any security to prevent session hijacking? Some of the basic stuff would be:

  • Regenerate session id every once in a while

  • Session expiration (not just relying on the session cookie)

  • Checking whether user agent is still the same etc.

Anyone done this before in Yii?

So if I wanted to make my own session security in Yii, where would be the best place to do this?


You can prevent session hijacking by making the session cookie httponly which can’t be read using javascript (xss).


'components' => array(

    'session' => array(

       'cookieParams' => array(

            'httponly' => TRUE




very usefull link tanks

also: http://www.yiiframework.com/extension/session/

Is it more secure to use cookie or session in order to store user/admin roles to check on every page ??

For moment I use sessions where I store, at connection, user roles. But I read a lot of things about cookie security, not many for sessions, so that’s why I wonder.