Hi there,
I’m creating a website that doesn’t require an advanced role system (RBAC), just a few user roles.
I found this post, which describes how to create a simple role system and store the user’s role in Yii::app()->user->role.
But the problem is that everything set by setState() is stored in plaintext in cookies if you check the ‘remember me’ checkbox on the login page. The author hasn’t mentioned this in the article.
So I searched for a solution and found these two posts (How safe is setstate?, setState). They suggested enabling the session component to store session data in the database.
However, this doesn’t change anything either.
With session component TURNED ON:
When I log in without remember me, I get one PHPSESSID cookie.
When I log in with remember me, I get two cookies: a PHPSESSID and another cookie with my data in it in plaintext. Here is the cookie: 2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3Bs%3A5%3A%22user4%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D%7D
Which can be easily modified by the user to fake his/her role.
And with session component TURNED OFF:
I get the same result.
As I have figured out, the session component is just for session management, i.e. storing the session data in a file (PHP’s default) or storing it in a database, which is a safer practice. It doesn’t deal with setState() at all.
My questions (that aren’t answered in the posts I have read) are:
1- How can I store some data (e.g. the user’s role) where I can access it everywhere in the application?
2- Why on earth, when you store session data in a DB, should you create another cookie and store all the data in it in plain text?
And thank you very much for this amazing framework
(I have just signed up and I can create 2 posts in 12 hours - 1 left)
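An added example (not code from the post or from Yii) that takes the cookie value quoted above apart, to separate the two properties that get mixed up in the question: confidentiality and integrity. The cookie's first 40 hex characters have the length of a SHA-1 HMAC and the rest is PHP serialize() output, which is how Yii 1's CSecurityManager::hashData() lays out signed data; the example assumes that layout. The payload is readable by anyone (so the role is indeed visible in plaintext), but a server that recomputes the HMAC with its secret key before trusting the fields will reject a cookie whose role was edited. The key, the tampered value and the minimal unserializer are constructed for the demonstration; the unserializer handles only the i/s/a types the identity cookie uses and ASCII strings.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Cookie value quoted in the post (forum colour markup removed). URL-encoded:
# 40 hex chars that have the shape of a SHA-1 HMAC, followed by PHP serialize() output.
COOKIE_FROM_POST = (
    "2ebcd97e79d5a45eedb2aa5f5a75b4df74cbb3e7"
    "a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%225%22%3Bi%3A1%3Bs%3A5%3A%22user4%22%3Bi%3A2%3Bi%3A2592000"
    "%3Bi%3A3%3Ba%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D%7D"
)

MAC_HEX_LEN = 40  # length of a hex-encoded SHA-1 digest


def split_cookie(cookie: str):
    """URL-decode the cookie and split it into (mac_hex, serialized_payload)."""
    raw = unquote(cookie)
    return raw[:MAC_HEX_LEN], raw[MAC_HEX_LEN:]


def php_unserialize(data: str):
    """Minimal PHP unserialize() for integers (i), strings (s) and arrays (a).
    Enough for the identity cookie; assumes ASCII strings (PHP lengths are bytes)."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == "i":                      # i:123;
            end = data.index(";", pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return value
        if tag == "s":                      # s:5:"admin";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2               # skip ':"'
            value = data[start:start + length]
            pos = start + length + 2        # skip '";'
            return value
        if tag == "a":                      # a:2:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                 # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                        # skip '}'
            return result
        raise ValueError(f"unsupported serialize() type {tag!r} at offset {pos}")

    return parse()


def sign(payload: str, key: bytes) -> str:
    """Build a cookie value in the same layout: hex HMAC-SHA1 over the payload, then the payload."""
    mac = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    return mac + payload


def verify(cookie_raw: str, key: bytes):
    """Return the decoded fields only if the HMAC matches; None for any tampered or foreign cookie."""
    mac, payload = cookie_raw[:MAC_HEX_LEN], cookie_raw[MAC_HEX_LEN:]
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return php_unserialize(payload)


if __name__ == "__main__":
    mac, payload = split_cookie(COOKIE_FROM_POST)
    print("mac prefix :", mac)
    print("payload    :", php_unserialize(payload))   # readable without any key

    key = b"constructed-demo-validation-key"          # constructed; the real key stays on the server
    good = sign(payload, key)
    print("verified   :", verify(good, key)[3]["role"])
    tampered = good.replace('s:5:"admin"', 's:4:"user"')
    print("tampered   :", verify(tampered, key))       # None: the MAC no longer matches
```

The point for the original question: storing session data in the database changes where the server keeps its copy, not what the remember-me cookie carries. What protects the role in the cookie from editing is the server checking the MAC prefix with a secret key it never sends to the client; what is not protected is its confidentiality, so anything that must stay secret should not go into a cookie state at all, and a role that can change (e.g. an admin being demoted) is better re-read from the user record on each request than trusted from a month-old cookie.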