Session security question

Hi everyone.

This is my first post.

I have been using Yii for about 6 months.

I have a question about Yii sessions and how they are used to track login status.

Consider the following code:


<?php
    echo "<pre>";
    print_r($_SESSION);
    echo "</pre>";
?>

When the user is logged in, this outputs:

Array
(
    [f0cbf2f89cd6912637d16c3de5031ac5__id] => 2
    [f0cbf2f89cd6912637d16c3de5031ac5__name] => user
    [f0cbf2f89cd6912637d16c3de5031ac5__states] => Array
        (
        )
)



Now if I write this code:


$_SESSION['f0cbf2f89cd6912637d16c3de5031ac5__name'] = 'admin';
$_SESSION['f0cbf2f89cd6912637d16c3de5031ac5__id'] = 1;




This logs in the user as an admin.

My question is this: what is the "f0cbf2f89cd6912637d16c3de5031ac5" part?

How is this ID generated?

This seems to be constant and does not change from one browser to the other, and from one computer to the other.

Isn’t this a security flaw?

Thanks for your help!

It’s not a security flaw unless you open $_SESSION up to outside input. There isn’t a way to modify what is in $_SESSION unless the server is already in some way compromised.

This holds even if that is a constant; I don’t know how that hash is generated.

The hash is generated to prevent collisions: http://www.yiiframework.com/doc/api/1.1/CWebUser#getStateKeyPrefix-detail

You can change it by setting CWebUser.stateKeyPrefix.
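An added example, not code from this thread or from Yii itself, that re-implements in plain PHP how Yii 1.1's CWebUser derives the prefix seen above and what setting stateKeyPrefix changes. It assumes the default is md5('Yii.'.get_class($user).'.'.Yii::app()->getId()) with the application id defaulting to sprintf('%x', crc32($basePath.$name)); the base path, application name and configured prefix are constructed values, so the output will not match the thread's f0cbf2f8... prefix.

```php
<?php
// Added example: plain-PHP re-implementation of how Yii 1.1's CWebUser builds the
// session key prefix. Assumption: CWebUser::getStateKeyPrefix() returns
// md5('Yii.' . get_class($user) . '.' . Yii::app()->getId()) unless stateKeyPrefix
// was configured, and CApplication::getId() is sprintf('%x', crc32($basePath . $name)).

function yiiAppId(string $basePath, string $appName): string
{
    // Depends only on the deployment (directory + app name), never on the visitor,
    // which is why the prefix looks identical from every browser and machine.
    return sprintf('%x', crc32($basePath . $appName));
}

function stateKeyPrefix(?string $configured, string $userClass, string $basePath, string $appName): string
{
    // An explicit CWebUser.stateKeyPrefix wins; otherwise the md5 default.
    return $configured ?? md5('Yii.' . $userClass . '.' . yiiAppId($basePath, $appName));
}

function sessionKeys(string $prefix): array
{
    // The three entries CWebUser writes, as in the print_r() output in the question.
    return array($prefix . '__id', $prefix . '__name', $prefix . '__states');
}

// Constructed deployment values; the thread's real prefix comes from that site's
// own base path and application name, which are not on the page.
$basePath = '/var/www/demo/protected';
$appName  = 'My Web Application';

$default = stateKeyPrefix(null, 'CWebUser', $basePath, $appName);
$again   = stateKeyPrefix(null, 'CWebUser', $basePath, $appName);
$other   = stateKeyPrefix(null, 'CWebUser', '/var/www/other/protected', 'Other App');

// Same deployment gives the same prefix every time; a second Yii app sharing the
// PHP session store gets its own prefix, which is the collision the answer refers to.
printf("default prefix: %s\n", $default);
printf("stable:         %s\n", $default === $again ? 'yes' : 'no');
printf("other app:      %s\n", $other);
foreach (sessionKeys($default) as $key) {
    echo "  ", $key, "\n";
}

// With 'stateKeyPrefix' => 'demo_user_' under components.user in protected/config/main.php
// (constructed value) the keys become readable. The security model is unchanged: $_SESSION
// lives server-side and the browser only ever holds the session id cookie.
foreach (sessionKeys(stateKeyPrefix('demo_user_', 'CWebUser', $basePath, $appName)) as $key) {
    echo "  ", $key, "\n";
}
```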

Thanks for the answer!