Yii Framework Forum: How safe is setState? - Yii Framework Forum



How safe is setState?

#1 ding0

  • Newbie
  • Group: Members
  • Posts: 5
  • Joined: 25-March 09

Posted 27 August 2009 - 10:14 AM

I need to store some user information, which I use in querying the db.

But I can see that the information stored like
$this->setState('Email', $user->Email);
are sent over the network with cookies.

If the user changes the cookie, will the "Yii::app()->user->Email" be altered on the server?
If yes, how can I make this more secure/safe? (The user must have the possibility to autologin)

Thanks

#2 pestaa

  • past Yii dev member
  • Group: Members
  • Posts: 705
  • Joined: 07-May 09
  • Location: Hungary

Posted 27 August 2009 - 01:39 PM

If you enable session component, states will be stored server-side.

HMAC calculation will be included in the cookie, once it is modified, the server refuses to use that cookie (the user will be logged out).

Does this answer your question?
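The mechanism pestaa describes (an HMAC over the cookie payload, so a client-edited cookie is refused) as an added illustration in plain PHP. This is not Yii's own code and does not use Yii's API; the secret key, the state values and the function names are constructed for the example.

```php
<?php
// Added illustration (not Yii's code): an HMAC over the cookie payload lets the
// server detect a state cookie the client has modified. The key and the state
// values below are constructed for this example.

const STATE_KEY = 'constructed-server-side-secret-never-sent-to-the-client';

// Server builds the cookie value: JSON payload plus an HMAC over that payload.
function buildStateCookie(array $states, string $key): string
{
    $payload = base64_encode(json_encode($states));
    $mac = hash_hmac('sha256', $payload, $key);
    return $mac . '.' . $payload;
}

// Server reads the cookie back. Returns null when the MAC does not match,
// which is the "refuse to use that cookie" behaviour described above.
function readStateCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $states = json_decode($decoded, true);
    return is_array($states) ? $states : null;
}

// An untouched cookie verifies and yields the stored state.
$cookie = buildStateCookie(['Email' => 'user@example.com'], STATE_KEY);
var_dump(readStateCookie($cookie, STATE_KEY)['Email']); // string "user@example.com"

// A client that rewrites the payload cannot recompute the MAC without the key,
// so the server discards the whole cookie and treats the user as logged out.
[$mac, $payload] = explode('.', $cookie, 2);
$tampered = $mac . '.' . base64_encode(json_encode(['Email' => 'other@example.com']));
var_dump(readStateCookie($tampered, STATE_KEY)); // NULL
```

Note what the HMAC does and does not give you: it protects the integrity of the state (the server can tell it was changed) but not its confidentiality, since the payload is only base64-encoded and anyone holding the cookie can read the e-mail address. If the values must stay private, store them server-side in the session, as the rest of the thread recommends.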

#3 ding0

  • Newbie
  • Group: Members
  • Posts: 5
  • Joined: 25-March 09

Posted 27 August 2009 - 02:18 PM

pestaa, on 27 August 2009 - 01:39 PM, said:

If you enable session component, states will be stored server-side.

HMAC calculation will be included in the cookie, once it is modified, the server refuses to use that cookie (the user will be logged out).

Does this answer your question?


I have found that there was a post about this subject here (although I have searched and researched the forum :) ): link

I have extended CWebUser and I'm using Yii::app()->session['...'] to store the values. All work fine as far as I can see.
What do you mean by "enable session component"? Isn't enabled by default?

Thanks for the quick answer!

#4 pestaa

  • past Yii dev member
  • Group: Members
  • Posts: 705
  • Joined: 07-May 09
  • Location: Hungary

Posted 27 August 2009 - 02:53 PM

Quote

What do you mean by "enable session component"? Isn't enabled by default?


No, it's not. You can enable it by configuring session component in your configuration array. Set 'class'=>'CDbHttpSession' to let Yii control everything.

Once it is turned on, you can use setState without sending data out in cookies.

#5 samdark

  • Having fun
  • Group: Yii Dev Team
  • Posts: 3,308
  • Joined: 17-January 09
  • Location: Russia

Posted 27 August 2009 - 04:14 PM

So using CDbHttpSession and "remember me" Yii will not send state data in cookies?
Yii 1.1 Application Development Cookbook

Enjoying Yii? Star us at github: 1.1 and 2.0.

#6 auxbuss

  • Standard Member
  • Group: Members
  • Posts: 164
  • Joined: 14-July 09
  • Location: Malvern, UK

Posted 27 August 2009 - 04:25 PM

I understand the OP's concern. I wondered what the rationale is behind disabling server side session storage. Other than the data mining crowd, I haven't seen anyone use cookies, except sessions cookies, for... well, I can't remember the last time. If it's just for "auto login", it's a high price to pay, imo.

Regardless, ding0, don't revert to globals, that's worse.

If you are using a database (id db in this case), then add the following to main.php and sessions will be stored in a table called YiiSession. It's so easy, and there's no work involved.

'session' => array(
    'class'=>'CDbHttpSession',
    'connectionID'=>'db',
),

Alternatively, use CHttpSession -- which I believe should be the default; I don't care about "auto login", my browser will do that for me.
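Putting the configuration above together with what ding0 described in #3 (a CWebUser subclass that keeps the value in Yii::app()->session rather than in setState cookie data), here is an added example for Yii 1.x. It is not code from any of the posts; the class name WebUser, the session key and the config excerpt in the comment are assumptions, and the example assumes the session component is configured as CDbHttpSession as shown in the post.

```php
<?php
// Added example (not from the thread). A CWebUser subclass that stores per-user
// data in the server-side session, which CDbHttpSession keeps in the YiiSession
// table when the session component is configured as in the post above.
// Only the session id travels in a cookie; the e-mail address never leaves
// the server. Class name, session key and the config excerpt are assumptions.
//
// protected/config/main.php excerpt (assumed):
//   'components' => array(
//       'session' => array('class' => 'CDbHttpSession', 'connectionID' => 'db'),
//       'user'    => array('class' => 'WebUser', 'allowAutoLogin' => true),
//   ),
class WebUser extends CWebUser
{
    // Session key under which the e-mail is kept (constructed name).
    const EMAIL_KEY = 'webuser.email';

    // Call this after a successful login with the value loaded from the database.
    public function setEmail($email)
    {
        Yii::app()->session[self::EMAIL_KEY] = (string) $email;
    }

    // Yii::app()->user->email resolves to this getter through CComponent::__get,
    // as long as no cookie/state entry named 'email' shadows it.
    public function getEmail()
    {
        if ($this->getIsGuest()) {
            return null;
        }
        $session = Yii::app()->session;
        // On a "remember me" auto-login the session is new, so the key may be
        // absent; the caller should then reload the e-mail from the database
        // instead of trusting anything the client sent.
        return isset($session[self::EMAIL_KEY]) ? $session[self::EMAIL_KEY] : null;
    }

    // Remove the stored value together with the session on logout.
    public function logout($destroySession = true)
    {
        unset(Yii::app()->session[self::EMAIL_KEY]);
        parent::logout($destroySession);
    }
}
```

The point of the separation auxbuss makes in the following posts is visible here: the "remember me" cookie only re-establishes who the user is, and the e-mail used for database queries is read from server-side storage (or reloaded from the database), so a client editing its cookies cannot change which rows the application queries.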

#7 auxbuss

  • Standard Member
  • Group: Members
  • Posts: 164
  • Joined: 14-July 09
  • Location: Malvern, UK

Posted 27 August 2009 - 04:30 PM

samdark, on 27 August 2009 - 04:14 PM, said:

So using CDbHttpSession and "remember me" Yii will not send state data in cookies?

The "remember me" cookie should be separate from the session data (which in my opinion shouldn't be in a cookie in any case).

#8 pestaa

  • past Yii dev member
  • Group: Members
  • Posts: 705
  • Joined: 07-May 09
  • Location: Hungary

Posted 27 August 2009 - 05:26 PM

If I don't explicitly want it to use session, then it shouldn't. Still, there must be a way when I can store user related information. If I don't provide storage, it should use whichever has the most accessibility.

Generally, it is a wrong idea not to take advantage of sessions.

If you specify 'connectionID', your session data will appear in your primary database. I don't want to see it in my backups, so I just leave that out and let Yii use the runtime folder to create a sqlite db.

Quote

I don't care about "auto login", my browser will do that for me.

It actually won't. If there is a checkbox saying 'remember me', I always tick that. Saves me one click on every website I regularly use. Saves me thousands of clicks in each month.

#9 auxbuss

  • Standard Member
  • Group: Members
  • Posts: 164
  • Joined: 14-July 09
  • Location: Malvern, UK

Posted 28 August 2009 - 02:50 AM

pestaa, on 27 August 2009 - 05:26 PM, said:

If I don't explicitly want it to use session, then it shouldn't.

It's a design choice. Sessions are safer, so the better design choice.

Quote

Still, there must be a way when I can store user related information. If I don't provide storage, it should use whichever has the most accessibility.

Nope, it should be the one that best fits the requirements.

Quote

Generally, it is a wrong idea not to take advantage of sessions.

I agree. That's what I said.

Quote

If you specify 'connectionID', your session data will appear in your primary database. I don't want to see it in my backups, so I just leave that out and let Yii use the runtime folder to create a sqlite db.

That's a design choice. But equally, if you don't want it in your backups, then don't back it up!

Quote

It actually won't.

Well, actually, it will.

Quote

If there is a checkbox saying 'remember me', I always tick that.

Me too. Never said I didn't.

Quote

Saves me one click on every website I regularly use. Saves me thousands of clicks in each month.

You're looking at things through your usage. People behave differently. Give people choices, don't make it all or nothing.

#10 pestaa

  • past Yii dev member
  • Group: Members
  • Posts: 705
  • Joined: 07-May 09
  • Location: Hungary

Posted 28 August 2009 - 03:18 AM

auxbuss, on 28 August 2009 - 02:50 AM, said:

It's a design choice. Sessions are safer, so the better design choice.

But this is a choice all developers should make. It is not the framework's job.

Quote

Nope, it should be the one that best fits the requirements.

Yes, and a disabled session won't fit the requirements.

Quote

But equally, if you don't want it in your backups, then don't back it up!

It is convenient for me not to deselect one table each time I do a backup. Just hit save and I'm done. ;)

Quote

> If there is a checkbox saying 'remember me', I always tick that.

Me too. Never said I didn't.


You said you don't care about 'auto login'. I interpreted this as you don't configure that option.

Quote

Give people choices, don't make it all or nothing.

People hate to decide and especially hate to think. I keep the numbers of choices as low as possible.

#11 auxbuss

  • Standard Member
  • Group: Members
  • Posts: 164
  • Joined: 14-July 09
  • Location: Malvern, UK

Posted 30 August 2009 - 06:55 AM

pestaa, on 28 August 2009 - 03:18 AM, said:

But this is a choice all developers should make. It is not the framework's job.

Of course not. Who said otherwise?

Quote

Yes, and a disabled session won't fit the requirements.

No shit! If that's what is required.

Quote

It is convenient for me not to deselect one table each time I do a backup. Just hit save and I'm done.

Compromising design decisions for such reasons is lame.

Quote

You said you don't care about 'auto login'. I interpreted this as you don't configure that option.

Maybe I do, maybe I don't. It depends on the requirements. What I do is ensure that this particular functionality is provided by its own cookie.

Quote

People hate to decide and especially hate to think. I keep the numbers of choices as low as possible.

Your premise is nonsense. I would qualify the second part by adding the word "essential".