What about session security?

Does Yii implement any security to prevent session hijacking? Some of the basic stuff would be:

  • Regenerate the session ID every once in a while

  • Session expiration (not just relying on the session cookie)

  • Checking whether the user agent is still the same, etc.

Anyone done this before in Yii?

So if I wanted to make my own session security in Yii, where would be the best place to do this?

http://www.yiiframework.com/doc/guide/1.1/en/topics.security

You can prevent session hijacking by making the session cookie HttpOnly, which can’t be read using JavaScript (XSS).

protected/config/main.php

'components' => array(
    'session' => array(
        'cookieParams' => array(
            'httponly' => true, // session cookie is not readable from JavaScript
        ),
    ),
),

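As an added example (not code from this thread and not part of Yii itself), here is one place to put the three checks the question lists: a CHttpSession subclass, whose open() runs on every request before any controller sees the session. The class name, the property names and defaults, the `__sec_*` keys and the protected/components path are assumptions of this example; the CHttpSession, CHttpRequest and Yii::app() calls are the framework's own.

```php
<?php
// protected/components/SecureHttpSession.php (assumed location; the class name,
// property names and the "__sec_*" session keys are this example's own choices)
class SecureHttpSession extends CHttpSession
{
    /** @var int seconds of inactivity after which the session is wiped (assumed default) */
    public $idleTimeout = 1800;
    /** @var int seconds between forced session-ID rotations (assumed default) */
    public $regenerateInterval = 300;
    /** @var bool bind the session to the client's User-Agent string */
    public $checkUserAgent = true;

    // CHttpSession::init() calls open() on every request when autoStart is true
    // (the default), so these checks run before any controller uses the session.
    public function open()
    {
        parent::open();
        if (!$this->getIsStarted())
            return;

        $now   = time();
        $agent = $this->checkUserAgent
            ? sha1((string)Yii::app()->getRequest()->getUserAgent())
            : null;

        $lastSeen = $this->get('__sec_last');
        $boundUa  = $this->get('__sec_ua');

        // 1. Server-side idle expiry: the cookie lifetime is only a hint to the
        //    client; this check is what actually stops a stale ID being replayed.
        if ($lastSeen !== null && ($now - $lastSeen) > $this->idleTimeout)
            $this->discard();
        // 2. User-agent binding: a changed UA is a weak but cheap hijack signal.
        elseif ($agent !== null && $boundUa !== null && $boundUa !== $agent)
            $this->discard();

        // 3. Periodic ID rotation limits how long a leaked ID stays usable.
        $rotatedAt = $this->get('__sec_rot');
        if ($rotatedAt === null || ($now - $rotatedAt) > $this->regenerateInterval)
        {
            $this->regenerateID(true);      // true = delete the old session data
            $this->add('__sec_rot', $now);
        }

        if ($agent !== null && $this->get('__sec_ua') === null)
            $this->add('__sec_ua', $agent);
        $this->add('__sec_last', $now);
    }

    // Wipe all data (including the login state CWebUser keeps in the session) and
    // switch to a fresh ID without ending the session, so the request goes on
    // as an anonymous visitor instead of a possibly hijacked user.
    protected function discard()
    {
        $this->clear();
        $this->regenerateID(true);
        $this->add('__sec_rot', time());
    }
}
```

To activate it, set `'class' => 'SecureHttpSession'` on the `session` component in protected/config/main.php (protected/components is on the default import path), keep the `httponly` cookie parameter shown above and add `'secure' => true` on HTTPS sites, and set `'cookieMode' => 'only'` so the session ID is never accepted from the URL. Independently of the periodic rotation, call `Yii::app()->session->regenerateID(true)` right after a successful login so that an ID fixed before authentication does not survive it.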
Very useful link, thanks.

Also: http://www.yiiframework.com/extension/session/

Is it more secure to use cookies or sessions to store user/admin roles that are checked on every page?

For the moment I use sessions, where I store the user roles at login. But I have read a lot about cookie security and not much about sessions, so that’s why I wonder.