Yii 1.1: session

An enhanced version of CDbHttpSession with extra checks for full IP address/partial IP address and User Agent

This extension does some extra security checks on the user IP address and User Agent. It is fully customizable and you can enable/disable the checks when you need. If no extra check is enabled, then the default behavior is exactly the same as the original Yii CDbHttpSession Class.

Besides the configuration options provided by the original Yii CDbHttpSession class, this extension provides the following 3 options:

1) compareIpBlocks - (integer) How many blocks of the IP address should be compared (defaults to 0). It has an effect only if the value is > 0 and compareIpAddress is set to true.
2) compareIpAddress - (boolean) Whether the client IP should be checked.
3) compareUserAgent - (boolean) Whether the User Agent should be checked.

Requirements

Yii 1.1 (checked with Yii 1.1.5)

Usage

You need to add the MyCDbHttpSession.php file to your components directory, then edit the components section of your config file, main.php, like this:

'session' => array(
            'class' => 'application.components.MyCDbHttpSession',
            'connectionID' => 'db',
            'sessionTableName'  =>  'TABLE_NAME',
            'autoCreateSessionTable'   =>  true,
            //Extension properties
            'compareIpAddress'=>true,
            'compareUserAgent'=>true,
            'compareIpBlocks'=>0
            ),

Be careful with the "autoCreateSessionTable" option: after your table has been created, set it to false.

The table structure:

CREATE TABLE IF NOT EXISTS `{$tableName}` (
          `id` char(32) NOT NULL,
          `ip_address` int(10) unsigned NOT NULL DEFAULT '0',
          `user_agent` char(32) NOT NULL,
          `expire` int(11) DEFAULT NULL,
          `data` text,
          PRIMARY KEY (`id`)
        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

You can change the engine to MyISAM if needed; I like InnoDB better, so it is my default choice.

This class has been tested, but it would help if I could get some feedback.
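
The three checks above applied to a stored session row, as an added sketch in PHP that is not the extension's own code. It assumes that a "block" is one dot-separated IPv4 octet compared from the left and that compareIpBlocks = 0 means a full-address comparison; ipBlocksMatch() and sessionRowMatchesClient() are hypothetical names.

```php
<?php
// Added illustration, not the extension's source. Assumptions: a "block" is one
// IPv4 octet compared from the left; compareIpBlocks = 0 compares the full
// address. Needs 64-bit PHP 7.1+.

function ipBlocksMatch(int $storedIp, string $currentIp, int $blocks): bool
{
    $current = ip2long($currentIp);
    if ($current === false) {
        return false; // IPv6 or malformed input has no 32-bit integer form
    }
    if ($blocks <= 0 || $blocks >= 4) {
        return $storedIp === $current; // full-address comparison
    }
    // Keep only the leading $blocks octets, e.g. 2 blocks => 0xFFFF0000.
    $mask = (0xFFFFFFFF << (8 * (4 - $blocks))) & 0xFFFFFFFF;
    return ($storedIp & $mask) === ($current & $mask);
}

function sessionRowMatchesClient(array $row, array $server, array $opts): bool
{
    if ($opts['compareIpAddress'] && !ipBlocksMatch(
        (int) $row['ip_address'], $server['REMOTE_ADDR'] ?? '', $opts['compareIpBlocks']
    )) {
        return false;
    }
    // user_agent char(32) holds md5() of the whole User-Agent string.
    $agentHash = md5($server['HTTP_USER_AGENT'] ?? '');
    if ($opts['compareUserAgent'] && !hash_equals($row['user_agent'], $agentHash)) {
        return false;
    }
    return true;
}

// Constructed sample data: the row as written when the session was opened.
$ua  = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$row = ['ip_address' => ip2long('203.0.113.25'), 'user_agent' => md5($ua)];
$cases = [
    'same address, full compare'    => ['203.0.113.25', $ua, 0],
    'same first 2 blocks, blocks=2' => ['203.0.77.9', $ua, 2],
    'same first 2 blocks, blocks=0' => ['203.0.77.9', $ua, 0],
    'changed user agent'            => ['203.0.113.25', 'OtherAgent/2.0', 2],
    'IPv6 client'                   => ['2001:db8::1', $ua, 2],
];
foreach ($cases as $label => [$ip, $agent, $blocks]) {
    $server = ['REMOTE_ADDR' => $ip, 'HTTP_USER_AGENT' => $agent];
    $opts = ['compareIpAddress' => true, 'compareUserAgent' => true, 'compareIpBlocks' => $blocks];
    printf("%-32s %s\n", $label, sessionRowMatchesClient($row, $server, $opts) ? 'accept' : 'reject');
}
```

In this sketch an IPv6 client is always rejected while compareIpAddress is on, because ip2long() has no integer form for it; that is the limitation raised in the comments below.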

Changelog

SQLite Version 1.3
Thanks to thiromi, who sent me the version for SQLite and confirmed that the changes he made work as they should.

Version 1.3

  • fixed the bug where users couldn't stay logged in if the "remember me" option wasn't checked. Thanks @cesig.

  • Note: only Version 1.2 suffers from this bug; 1.1 and 1.3 are okay.

Version 1.2

  • dropped the usage for bindValues() as it caused problems for some users.

  • added setters and getters for component properties.

Version 1.1

  • Changed the database table structure for the ip_address field into unsigned int(10) for MySQL inet_aton() and inet_ntoa() compatibility

  • Changed the database table structure for the user_agent field into char(32)

  • Changed the way the user agent is stored; it is now an md5() of the entire user agent string

  • minor code tweaks

Total 20 comments

#19514
Mike Kimani at 2015/08/13 08:53am
Oracle Support

Does this component support Oracle queries? Tried it and ran into so many syntax query errors.

#18381
Deepak Pradhan at 2014/10/22 12:24pm
Good Logic

I like what you are trying to do in method 'writeSession'

#14730
surajk at 2013/09/06 08:52am
issue solve

Thank you for your guidance

#14729
twisted1919 at 2013/09/06 06:08am
@surajk

You should always access your components by using Yii::app()->componentName not creating an instance of it.
In your example:

$session = new CHttpSession;

will create a new CHttpSession which has nothing to do with the session class I provided.
Instead, you should configure your session component in main.php, then access it with

Yii::app()->session;

#14728
surajk at 2013/09/06 06:03am
issues once configure

gr8 work!!

But once I configure it with my application, accessing data through the session is not working before user login... the following code is not working:

$session = new CHttpSession;
$session->open();

I also tried with the following code:

$session = new CDbHttpSession;
$session->open();

#4395
twisted1919 at 2011/07/05 05:00am
ipv6

It lacks IPv6 support mainly because, as far as I know, not even MySQL can handle IPv6 in an integer format (I believe you need 2 big int fields to do it) right now. The solution would be to store the IP in a varchar/char field instead of translating it into an integer.

#4376
Nic Anji at 2011/07/01 02:25pm
IPv6 Support?

Great component!

But... How to set IPv6 support?

#4354
twisted1919 at 2011/06/28 08:48am
...

@jeanluca - using the IP check is optional, you can disable it anytime, but it can be very handy when you are using some kind of voting system based on the user data (this is the only example that comes to my mind now, I am sure there are many more) :)

#4124
jeanluca at 2011/06/08 07:44am
changing IP address

From my understanding, the IP address can vary with each request (firewalls, proxy). So, isn't it just better to omit that field/functionality?

Cheers Luca

#2624
Gustavo at 2011/01/24 12:42am
Thanks

I'm using it and it works perfectly

#2569
twisted1919 at 2011/01/18 06:39am
Bug fixed.

The bug was fixed and I tested it. Everything is working well now even if you check/uncheck the "remember me" option. Thanks cesig for pointing this out; the bug was inserted with the Version 1.2 update, so whoever has 1.1 or 1.3 is bug free.

#2568
twisted1919 at 2011/01/18 06:20am
fixing it

Actually yes, you were right, there seems to be a bug, I will fix it ASAP.

#2567
twisted1919 at 2011/01/18 06:13am
nope, no bug

No bug, you should read the guide explaining the Yii auth mechanism.

#2566
cesig at 2011/01/17 07:49pm
Figured part of it out

I had to check the 'remember me next time' box in order for the login to stick.

Is that a bug?

#2565
cesig at 2011/01/17 06:51pm
Instructions?

I'm not sure what's going on now, but I've added the code from your post, and now log-ins don't stick. It's recording information to the sessions table, but it never says I'm logged in.

As soon as I do log in, the link immediately says "Login" instead of "Logout (username)"

Any idea why?

#2560
twisted1919 at 2011/01/17 01:26pm
Simple.

Hi cesig, well, this component extends the default Yii one, so all you have to do is copy MyCDbHttpSession into your /components folder, then open config/main.php and, right after the database component, add the following lines:

'session' => array(
            'class' => 'application.components.MyCDbHttpSession',
            'connectionID' => 'db',
            'sessionTableName'  =>  'Your table name',
            'autoCreateSessionTable'   =>  true,
            //Extension properties
            'compareIpAddress'=>true,
            'compareUserAgent'=>true,
            'compareIpBlocks'=>2
        ),

Then, after the session table has been created, set autoCreateSessionTable to false.

This should be enough; if you have further questions, let me know.

#2558
cesig at 2011/01/17 01:12pm
Instructions?

This component looks very useful, but I don't see any instructions. How do you use this thing?

#2556
twisted1919 at 2011/01/17 11:29am
Okay.

Thanks for the heads up on the 1.1.6 version, I wasn't aware of the update.

Anyway, I dropped the usage of bindValues(), so right now it should work okay; maybe you can try it and let me know.

Thanks.

#2555
Maciej Liżewski at 2011/01/17 11:15am
bindValues

I have just noticed there is version 1.1.6 available as "current stable" (published yesterday). With this version there are no problems with "bindValues".

#2554
twisted1919 at 2011/01/17 10:55am
Sure, why not.

Okay, it makes sense, I will rewrite the component using multiple bindValue calls, so that this ain't going to be a problem anymore.

Though, the issue is bothering me, it should work for everybody having Yii 1.1.5
