Any Way To Store User Data Safely?
Posted 29 June 2013 - 02:30 AM
I'm creating a website that doesn't require an advanced role system (RBAC), but just a few user roles.
I found this post, which describes how to create a simple role system and store the user's role in Yii::app()->user->role.
But the problem is that everything which is set by setState() is stored in plaintext in cookies if you check the 'remember me' checkbox on the login page. The author hasn't mentioned this in the article.
So I searched for a solution and found these two posts (How safe is setstate?, setState). They suggested enabling the session component to store session data in the database.
However, this doesn't change anything either.
With session component TURNED ON:
When I log in without remember me, I get one PHPSESSID cookie.
When I log in with remember me, I get two cookies: a PHPSESSID and another cookie with my data in it in plaintext. Here is the cookie: 2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3Bs%3A5%3A%22user4%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D%7D
Which can be easily modified by the user to fake his/her role.
And with session component TURNED OFF:
I get the same result.
As I have figured out, the session component is just for session management, i.e. storing the session data in a file (PHP's default) or storing it in a database, which is a safer practice. It doesn't deal with setState() at all.
My questions (that aren't answered in the posts I have read) are:
1- How can I store some data (e.g. the user's role) where I can access it everywhere in the application?
2- Why on earth, when you store session data in a DB, should you create another cookie and store all the data in it in plain text?
And thank you very much for this amazing framework
(I have just signed up and I can create 2 posts in 12 hours - 1 left)
Posted 29 June 2013 - 08:56 AM
As long as I understand from the source code of CWebUser and CBaseUserIdentity, there are 2 kinds of "state" for a web user.
1) the states loaded from the user identity when logged in
2) the states that are set by the web user
Both of them are stored in the session, but only the former will be stored in the cookie.
The trouble with the wiki you mentioned (http://www.yiiframew...28/simple-rbac/) is that it sets "roles" state in the user identity. But usually using Yii::app()->user->setState() is not bad at all.
Also please check this thread.
Posted 29 June 2013 - 03:17 PM
Thanks softark, I thought there was no cookie validation and users could modify the cookies. Turns out Yii takes care of that too.
So I'm storing the role with setState() and everything goes fine.
Posted 01 July 2013 - 01:20 AM
1- If state is saved in the session, why is the role saved in the cookie?
2- If a hacker changes the cookie, for example role=admin, will he have the admin permission?
It's very important for me to know what I will use in the future.
thanks in advance
Posted 01 July 2013 - 01:42 AM
Sorry, I don't get what you mean exactly ... but the user identity state named "roles" is specific to the wiki mentioned. In the article it is set as a state of the user identity, so it will be stored in the cookie.
No. He also has to modify the hash string accordingly, or the cookie will be invalidated.
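As an added illustration of softark's last point (this is not code from the thread or from Yii itself), here is a Python rendition of the identity-cookie layout shown in the first post, a 40-character hex HMAC-SHA1 prefix followed by PHP's serialize() output, and of why editing the data to role=admin without the validation key gets the cookie rejected. The key, the "member" role and all function names are constructed for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Identity cookie value quoted in the thread: 40 hex chars of HMAC, then PHP serialize() output.
PAGE_COOKIE = ("2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3B"
               "s%3A5%3A%22user4%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22"
               "%3Bs%3A5%3A%22admin%22%3B%7D%7D")
DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the app's validation key (not on the page)
MAC_LEN = 40                        # hex length of SHA-1, the prefix seen in PAGE_COOKIE

def split_cookie(value: str):
    """Undo URL-encoding and split the hex MAC prefix from the serialized payload."""
    raw = unquote(value)
    return raw[:MAC_LEN], raw[MAC_LEN:].encode("latin-1")

def extract_role(payload: bytes):
    """Read the 'role' state out of serialize() output, encoded as s:<len>:"<value>"."""
    m = re.search(rb's:4:"role";s:\d+:"([^"]*)"', payload)
    return m.group(1).decode() if m else None

def sign(payload: bytes, key: bytes = DEMO_KEY) -> str:
    """Server side: hex HMAC-SHA1 over the payload, prepended to the payload itself."""
    return hmac.new(key, payload, hashlib.sha1).hexdigest() + payload.decode("latin-1")

def validate(value: str, key: bytes = DEMO_KEY):
    """Return the payload only when the MAC recomputes; otherwise None (cookie discarded)."""
    mac, payload = split_cookie(value)
    if len(mac) != MAC_LEN:
        return None
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None

def set_role(payload: bytes, role: str) -> bytes:
    """Rewrite the role state, keeping the length prefix consistent (what an edited cookie looks like)."""
    new = b's:4:"role";s:%d:"%s"' % (len(role), role.encode())
    return re.sub(rb's:4:"role";s:\d+:"[^"]*"', new, payload)

def demo():
    """The thread's scenario: the issued cookie validates, the same data with role edited does not."""
    _, payload = split_cookie(PAGE_COOKIE)
    honest = sign(set_role(payload, "member"))
    forged = honest[:MAC_LEN] + set_role(payload, "admin").decode("latin-1")  # MAC left untouched
    return {"page_role": extract_role(payload),
            "honest_ok": validate(honest) is not None,
            "forged_ok": validate(forged) is not None,
            "wrong_key_ok": validate(honest, b"another-key") is not None}
```

The "role" state only stays trustworthy as long as the validation key stays secret and cookie validation is enabled, which is why a key leak or a disabled securityManager turns this cookie back into the plaintext problem the first post describes.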