Yii Framework Forum: Allow autoLogin and security - Yii Framework Forum


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Allow autoLogin and security

#1 KJedi

  • Advanced Member
  • Group: Members
  • Posts: 381
  • Joined: 19-October 08
  • Location: Nikolaev, Ukraine (Europe)

Posted 28 March 2009 - 02:07 AM

I need to implement 2 features:
1) Allow users to log in automatically
2) Restrict users to sending no more than 10 "tell a friend" messages.

I was using setState()/getState() for that. But that is insecure: one can substitute the tafNum variable in the cookie and spam. What can be done here? Where is it better to store such variables?

Additional question: how to control the session length? Is it possible to control the max length and the max inactivity length?

#2 qiang

  • Yii Project Lead
  • Group: Yii Dev Team
  • Posts: 5,901
  • Joined: 04-October 08
  • Location: DC, USA

Posted 28 March 2009 - 08:10 AM

Information stored using setState() cannot be modified by users. If they do, the modification will be detected and the cookie will be invalidated.

Please refer to the PHP doc for session-related configuration.
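The reply above says that state stored through setState() cannot be silently altered, because a modified cookie is detected and invalidated. The script below is an added illustration of that mechanism, written for this thread and not taken from Yii's own source: the serialized state is protected by an HMAC, the reader recomputes the HMAC in constant time, and a cookie whose tafNum has been edited is rejected. The key constant, the packState/unpackState names and the sample state values are all constructed for the example.

```php
<?php
// Added example (not Yii's code): a minimal cookie-based state store that
// detects tampering. The key is a placeholder; a real application loads a
// long random secret from configuration and never ships it to the client.
const STATE_KEY = 'replace-with-a-long-random-secret';

// Serialize the state and append an HMAC over the serialized bytes; the
// resulting string is what would be stored in the auto-login cookie.
function packState(array $state, string $key): string
{
    $payload = base64_encode(json_encode($state));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Recompute the HMAC and compare in constant time. Returns null when the
// cookie is missing, malformed, or has been altered in any way, which the
// caller should treat exactly like "no cookie at all" (i.e. not logged in).
function unpackState(?string $cookie, string $key): ?array
{
    // base64 and hex never contain '.', so exactly one separator is expected.
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    list($payload, $mac) = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or signed with a different key
    }
    $state = json_decode(base64_decode($payload, true), true);
    return is_array($state) ? $state : null;
}

// Demonstration with constructed values: a genuine cookie round-trips,
// while a payload rewritten to reset the counter fails validation because
// the attacker cannot produce a matching MAC without the key.
$cookie = packState(array('userId' => 42, 'tafNum' => 10), STATE_KEY);
var_dump(unpackState($cookie, STATE_KEY));

list($payload, $mac) = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(array('userId' => 42, 'tafNum' => 0))) . '.' . $mac;
var_dump(unpackState($forged, STATE_KEY));
```

One caveat worth keeping in mind for the "tell a friend" counter specifically: a signature stops a user from editing the cookie, but not from deleting it, so a counter that must hold even for users who discard their cookie (or log out and in again) belongs in server-side storage keyed by the user id, with the cookie state used only as a convenience.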

#3 KJedi

  • Advanced Member
  • Group: Members
  • Posts: 381
  • Joined: 19-October 08
  • Location: Nikolaev, Ukraine (Europe)

Posted 28 March 2009 - 10:37 AM

Just for reference for those who want to control session length:
http://www.yiiframew...Session#timeout

#4 gregghouse

  • Newbie
  • Group: Members
  • Posts: 12
  • Joined: 25-March 09
  • Location: Bielsko-Biała, Poland

Posted 12 June 2009 - 03:13 AM

Hi,

I didn't want to start a new post on that, and I saw the last comment here about the CHttpSession timeout property, which is what I need.
I'm trying to change the session timeout from the default (1440) to, let's say, 86400.
The server runs on Linux and hosts multiple sites, so I also need to change the session save path to 'my path' to stop the default, shorter gc from removing my session.
The only way I've managed to do that is by setting
php_admin_value session.gc_maxlifetime 86400
php_admin_value session.save_path /tmp/mysite

When I tried to change the CHttpSession object properties it didn't give any results: the session object was changed only within the current request, and after the redirect the session properties were still the defaults (1440, /tmp).

Does someone know what I forgot or did wrong?

Cheers
greg

ps. The code I used was in the LoginForm authenticate handler function:

Yii::app()->session->setTimeout(86400);
Yii::app()->session->setSavePath(Yii::app()->session->getSavePath().DIRECTORY_SEPARATOR.'mysite');

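The setter calls in the post above run inside a single request, and session.gc_maxlifetime and session.save_path are per-request PHP ini settings (CHttpSession applies them with ini_set), so they take effect only if they are applied before the session is started on every request, not once from a login handler. The fragment below is an added example of doing that through the application configuration in Yii 1.1; it is not code from the thread. The numbers and the directory name mirror the post, and the cookieMode and cookieParams entries are additional hardening settings that the post does not mention.

```php
<?php
// Added example (not from the thread): protected/config/main.php fragment.
// Component properties configured here are applied on every request before
// the session is opened. The save directory must exist and be writable by
// the web server user, and should be private to this site so that another
// site's shorter gc_maxlifetime cannot garbage-collect these session files.
return array(
    // ... other application settings ...
    'components' => array(
        'session' => array(
            'class'        => 'CHttpSession',
            'timeout'      => 86400,         // session.gc_maxlifetime, in seconds
            'savePath'     => '/tmp/mysite', // session.save_path, must already exist
            'cookieMode'   => 'only',        // carry the session id in a cookie only, never in URLs
            'cookieParams' => array(         // keys as for session_set_cookie_params()
                'httponly' => true,          // keep the id out of reach of page scripts
                // 'secure' => true,         // enable when the site is served over HTTPS
            ),
        ),
    ),
);
```

Two things to check on a shared host: a value fixed with php_admin_value in the web server configuration cannot be overridden by ini_set, so when that directive is present it wins over the setting above, and a timeout only controls when the garbage collector may delete the file, so the effective session lifetime is also bounded by the gc settings of whichever process runs gc over that directory.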

#5 Boaz

  • Advanced Member
  • Group: Members
  • Posts: 367
  • Joined: 23-January 11

Posted 23 April 2012 - 02:22 PM

I just needed to alter the lifetime of the session in my Yii app as well and saw this old thread. For what it's worth, I've written a blog post on session lifetime configuration in PHP that is still relevant. I recommend reading it, as it summarizes pretty much everything one needs to know to fully and securely command his PHP web app's session lifetime. Here's the post:
Therapeutic PHP sessions
