Yii Framework Forum: Any Way To Store User Data Safely? - Yii Framework Forum


Any Way To Store User Data Safely?

#1 Pouria

  • Newbie
  • Yii
  • Group: Members
  • Posts: 3
  • Joined: 29-June 13
  • Location:Tehran, Iran

Posted 29 June 2013 - 02:30 AM

Hi there,
I'm creating a website that doesn't require an advanced role system (RBAC), just a few user roles.
I found this post, which describes how to create a simple role system and store the user's role in Yii::app()->user->role.
But the problem is that everything set by setState() is stored in plaintext in cookies if you check the 'remember me' checkbox on the login page. The author hasn't mentioned this in the article.
So I searched for a solution and found these two posts (How safe is setstate?, setState). They suggested enabling the session component to store session data in the database.
However, this doesn't change anything either.
With the session component TURNED ON:
When I log in without remember me, I get one PHPSESSID cookie.
When I log in with remember me, I get two cookies: a PHPSESSID and another cookie with my data in it in plaintext. Here is the cookie:
2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3Bs%3A5%3A%22user4%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D%7D
Which can be easily modified by the user to fake his/her role.
And with the session component TURNED OFF:
I get the same result. :unsure:
As far as I have figured out, the session component is just for session management, i.e. storing the session data in a file (PHP's default) or storing it in a database, which is a safer practice. It doesn't deal with setState() at all.
My questions (that aren't answered in the posts I have read) are:
1- How can I store some data (e.g. the user's role) where I can access it everywhere in the application?
2- Why on earth, when you store session data in a DB, should you create another cookie and store all the data in it in plain text?

And thank you very much for this amazing framework
(I have just signed up and I can create 2 posts in 12 hours - 1 left ;) )
0

#2 softark

  • Keep It Simple
  • Yii
  • Group: Moderators
  • Posts: 2,044
  • Joined: 16-February 11
  • Location:Japan

Posted 29 June 2013 - 08:56 AM

Hi Pouria, welcome to the forum.

As far as I understand from the source code of CWebUser and CBaseUserIdentity, there are 2 kinds of "state" for a web user.

1) the states loaded from the user identity when logging in
2) the states that are set by the web user

Both of them are stored in the session, but only the former will be stored in the cookie.

The trouble with the wiki you mentioned (http://www.yiiframew...28/simple-rbac/) is that it sets the "roles" state in the user identity. But usually, using Yii::app()->user->setState() is not bad at all.

Also please check this thread.
http://www.yiiframew...d-data-storage/
0

#3 Pouria

  • Newbie
  • Yii
  • Group: Members
  • Posts: 3
  • Joined: 29-June 13
  • Location:Tehran, Iran

Posted 29 June 2013 - 03:17 PM

Quote

The login cookie is protected from being modified by end users. If it is modified, it will be treated as invalid. However, end users can still read contents in the cookie. That's why it is warned that you should not put sensitive data (e.g. password) in the cookie.

Thanks softark, I thought there was no cookie validation and users could modify the cookies. Turns out Yii takes care of that too B)
So I'm storing the role with setState() and everything goes fine.
0

#4 samilo

  • Standard Member
  • Yii
  • Group: Members
  • Posts: 217
  • Joined: 04-October 12

Posted 01 July 2013 - 12:28 AM

I used setState() before in my project, but noted I just have a cookie containing PHPSESSID. So where is the plain text of
Role?
Can you post your code?
Yii :)
0

#5 xcodex

  • Newbie
  • Yii
  • Group: Members
  • Posts: 1
  • Joined: 01-July 13

Posted 01 July 2013 - 01:20 AM

Hi softark,

1- If the state is saved in the session, why is the role saved in the cookie?

2- If a hacker changed the cookie, for example role=admin, would he have the admin permission?

It's very important for me to know what I will use in the future.

Thanks in advance
0

#6 softark

  • Keep It Simple
  • Yii
  • Group: Moderators
  • Posts: 2,044
  • Joined: 16-February 11
  • Location:Japan

Posted 01 July 2013 - 01:42 AM

Hi xcodex,

xcodex, on 01 July 2013 - 01:20 AM, said:

1- If the state is saved in the session, why is the role saved in the cookie?

Sorry, I don't get what you mean exactly ... but the user identity state named "roles" is specific to the wiki mentioned. In the article it is set as a state of the user identity, so it will be stored in the cookie.

Quote

2- If a hacker changed the cookie, for example role=admin, would he have the admin permission?

No. He also has to modify the hash string accordingly, or the cookie will be invalidated.
1
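To make concrete what the cookie pasted in the first post contains and what softark means by "the hash string", here is an added example; it is not code from this thread or from the Yii project. It reproduces the layout Yii 1.1 uses for the "remember me" cookie: CSecurityManager::hashData() prepends an HMAC-SHA1 hex digest (40 characters, the CSecurityManager default) to serialize([id, name, duration, identityStates]), and validateData() recomputes the HMAC over everything after those 40 characters and rejects the cookie on any mismatch. The validation key and the tampered value below are constructed for the demonstration (the application's real validationKey is not on the page), and the PHP-unserialize reader covers only the scalar and array types that appear in the cookie:

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# The "remember me" cookie value exactly as pasted in the first post (URL-encoded).
COOKIE = (
    "2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7"
    "a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3Bs%3A5%3A%22user4%22%3Bi%3A2%3B"
    "i%3A2592000%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D%7D"
)

# Yii 1.1's CSecurityManager defaults to HMAC-SHA1, whose hex digest is 40 characters.
HMAC_HEX_LEN = 40


def split_cookie(value):
    """URL-decode the cookie and split the hashData() layout: <hmac hex><PHP-serialized data>."""
    raw = unquote(value)
    return raw[:HMAC_HEX_LEN], raw[HMAC_HEX_LEN:]


def _unserialize_at(s, pos):
    """Parse one PHP-serialized value starting at s[pos]; return (value, next_pos).

    Minimal reader for the i/s/b/N/a types that CWebUser state data uses.
    PHP string lengths are byte counts, so this assumes an ASCII payload.
    """
    t = s[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;  b:1;
        end = s.index(";", pos)
        num = s[pos + 2:end]
        return (int(num) if t == "i" else num == "1"), end + 1
    if t == "s":                                   # s:5:"admin";
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key;value;...}
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        pos = colon + 2                            # skip :{
        result = {}
        for _ in range(count):
            key, pos = _unserialize_at(s, pos)
            result[key], pos = _unserialize_at(s, pos)
        return result, pos + 1                     # skip }
    raise ValueError("unsupported PHP serialize type %r at %d" % (t, pos))


def php_unserialize(payload):
    value, end = _unserialize_at(payload, 0)
    if end != len(payload):
        raise ValueError("trailing data after serialized value")
    return value


def hash_data(payload, key):
    """Mirror of CSecurityManager::hashData(): prepend the HMAC-SHA1 hex digest to the data."""
    return hmac.new(key, payload.encode(), hashlib.sha1).hexdigest() + payload


def validate_data(value, key):
    """Mirror of CSecurityManager::validateData(): the payload if the HMAC matches, else None.

    `value` is the cookie as the browser sends it (URL-encoded).
    """
    mac, payload = split_cookie(value)
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


def identity_from_cookie(value):
    """Name the four fields CWebUser::saveToCookie() serializes, without checking the MAC."""
    _, payload = split_cookie(value)
    uid, name, duration, states = (php_unserialize(payload)[i] for i in range(4))
    return {"id": uid, "name": name, "duration": duration, "states": states}


def demo(key=b"constructed-validation-key"):
    """Replay the thread with a constructed key (the real validationKey is not on the page)."""
    _, payload = split_cookie(COOKIE)
    genuine = quote(hash_data(payload, key))              # what the server would have set
    tampered = genuine.replace("admin", "guest")          # same length: serialization stays well-formed
    return {
        "role_readable_without_key": identity_from_cookie(COOKIE)["states"]["role"],
        "genuine_accepted": validate_data(genuine, key) is not None,
        "tampered_accepted": validate_data(tampered, key) is not None,
        "wrong_key_accepted": validate_data(genuine, b"some-other-key") is not None,
    }


if __name__ == "__main__":
    print(identity_from_cookie(COOKIE))
    print(demo())
```

Running it shows both halves of softark's answer: the role is readable by anyone holding the cookie without knowing any key (which is why nothing sensitive belongs in identity states), while a cookie with the role edited, or one checked against a different key, is rejected because the HMAC no longer matches. The HMAC only protects integrity, and only as long as the validationKey stays secret, so that key needs the same handling as any other application secret.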
