Provide alternate user authentication mechanism

Hi. I’m new to Yii,

The hashing of the password presented in the tutorials only helps against server compromise (DB theft), not against network sniffing. HTTPS is not always an available option, especially for virtual hosts.

As far as I understand there is no way to prevent a "playback attack" on the user authentication, with the default mechanisms. It would be helpful to enrich the framework with a challenge-response algorithm implementation. It could be as simple as including a client-based MD5 javascript implementation, and a server-based challenge-key generator, or use something better than MD5.

Passwords would then have to be stored plaintext on the server, but:

- if yii is secure enough to prevent against sql injection and other vulnerabilities this wouldn’t be an issue

- simple network sniffing would be ineffective

-Spiros

While such a feature might be nice, I don’t see that it would be necessary for the core. I think it should be relatively easy to implement an extension for this.

Otherwise, one thing I have wondered about (but haven’t researched) is whether it wouldn’t be possible to do a secure Javascript login by having the client use public key encryption in javascript before sending the encrypted password to the server - basically, is it possible to do public key encryption using Javascript?

There is jcryption.org. But it doesn’t replace https since javascript cannot access the browser’s stored certificates for once. Moreover ajax requests can only be performed on the same origin as the http(s) request so you can’t either query a “local” certificate server. In short you won’t have server authentication.