Yii Framework Forum: Does Yii's session check clients ip address? - Yii Framework Forum

#1 afunix (Newbie, Group: Members, Posts: 4, Joined: 11-December 09)

Posted 13 December 2009 - 08:30 AM

Hello.

Does CHttpSession check client's ip address?
0

#2 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 14 December 2009 - 04:40 AM

CHttpSession is a wrapper for PHP's built-in session support, which is based on a session ID (saved either in a cookie or propagated through the URL). So: no, the client IP is not involved in session management.
0

#3 afunix (Newbie, Group: Members, Posts: 4, Joined: 11-December 09)

Posted 14 December 2009 - 12:13 PM

So 'enableCookieValidation' => true does not enable validation by IP?
0

#4 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 15 December 2009 - 04:58 AM

AFAIK no. It only hashes the cookie data with a private secret and verifies on each request that the data can be decrypted again. It might also not be a good idea to check for the same IP address. Consider that they often can change, as many clients use dynamic IP addresses. That could even happen between requests, and you might not want to terminate a user's session in that case.
0
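The distinction Mike draws (cookie validation proves the server issued the cookie, not who is presenting it) is easy to see in code. The following is an added example in the spirit of a keyed-hash cookie check; it is not Yii's own CSecurityManager code, and the key name, payload and the attacker's copy of the cookie are constructed for the walk-through.

```php
<?php
declare(strict_types=1);

// Added example, not Yii's own CSecurityManager code: what "hash the cookie data with a
// private secret and verify it on each request" amounts to, and why it never involves
// the client's IP address. Key, payload and the attacker's copy are constructed.

const VALIDATION_KEY = 'replace-with-a-long-random-secret'; // assumption: sample key only
const MAC_LEN = 64; // hex length of a SHA-256 HMAC

// Sign: prepend an HMAC of the payload so any change to it is detectable.
function signCookieValue(string $data, string $key = VALIDATION_KEY): string
{
    return hash_hmac('sha256', $data, $key) . $data;
}

// Verify: recompute the HMAC over the payload and compare in constant time.
// Returns the payload when the cookie was issued by us and is unmodified, otherwise null.
function verifyCookieValue(string $cookie, string $key = VALIDATION_KEY): ?string
{
    if (strlen($cookie) < MAC_LEN) {
        return null;
    }
    $mac  = substr($cookie, 0, MAC_LEN);
    $data = substr($cookie, MAC_LEN);
    return hash_equals(hash_hmac('sha256', $data, $key), $mac) ? $data : null;
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected: $what");
    }
}

$issued = signCookieValue('userId=42');

// 1. The legitimate browser presents it: accepted.
check(verifyCookieValue($issued) === 'userId=42', 'valid cookie accepted');

// 2. The user edits the payload (userId=1) but cannot recompute the MAC: rejected.
$forged = substr($issued, 0, MAC_LEN) . 'userId=1';
check(verifyCookieValue($forged) === null, 'tampered cookie rejected');

// 3. An attacker who stole the cookie unchanged presents it from another IP: accepted.
//    Validation proves who issued the cookie, not who is sending it now.
$fromAttacker = $issued; // same bytes, different client
check(verifyCookieValue($fromAttacker) === 'userId=42', 'stolen cookie still verifies');

echo "cookie validation behaves as described\n";
```

Run it with `php cookie_validation.php`; the three checks pass and nothing in the verify path ever looks at $_SERVER['REMOTE_ADDR']. Cookie validation defends against a client forging or editing cookie contents; a copied-but-unmodified cookie (the cookie-stealing case raised in the next post) is accepted wherever it comes from.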

#5 Y!! (Advanced Member, Group: Yii Dev Team, Posts: 978, Joined: 18-June 09)

Posted 04 January 2010 - 06:52 PM

I've created an extended version of CDbHttpSession which checks the client's IP range in order to avoid cookie stealing. You can define how many octets of the client's IP should be checked. So a session might remain valid if the user just gets a new IP from an internet provider. For example, most of the time only my last two octets change if I reconnect to the internet.

I have attached the extended version, you have to put it into your components folder if you want to use it. Make sure you delete your current database table if you already use CDbHttpSession because the table schema is different. In your config:

'session' => array(
   'class' => 'ECDbHttpSession',
   'autoCreateSessionTable' => true,
   'connectionID' => 'db',
),


After the new session table got created, you should disable 'autoCreateSessionTable' for performance reasons.

By default, the first 2 octets will be compared. So if the original user has IP "85.123.1.1" and an attacker with a stolen cookie has IP "85.43.1.1", the attacker would be unable to use the session. In this case the whole session would just get deleted. You can define how many octets to check:


'session' => array(
   ...
   'compareIpOctets' => 2,
   ...
),


4 means the full IP must match.

Attached File(s)
1
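The octet-prefix rule described above, as an added example that is not the attached ECDbHttpSession. It keeps sessions in a plain PHP array instead of the database table, and the function names (ipOctetsMatch, writeSession, readSession), the session IDs and the addresses are all constructed for the walk-through; only the comparison rule and the delete-on-mismatch behaviour come from the post.

```php
<?php
declare(strict_types=1);

// Added example, not the attached ECDbHttpSession: the octet-prefix rule the post
// describes, applied to an in-memory session store. All names and data are constructed.

// True when the first $octets octets of two dotted-quad IPv4 addresses are equal.
// 0 disables the check, 4 requires an exact match. Non-IPv4 input fails closed.
function ipOctetsMatch(string $storedIp, string $currentIp, int $octets = 2): bool
{
    if ($octets < 0 || $octets > 4) {
        throw new InvalidArgumentException('compareIpOctets must be between 0 and 4');
    }
    foreach ([$storedIp, $currentIp] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false; // e.g. an IPv6 client: no octets to compare, so reject
        }
    }
    $a = explode('.', $storedIp);
    $b = explode('.', $currentIp);
    return array_slice($a, 0, $octets) === array_slice($b, 0, $octets);
}

// Session row as the extended handler would store it: data plus the IP seen at write time.
function writeSession(array &$store, string $id, string $data, string $clientIp): void
{
    $store[$id] = ['data' => $data, 'ip' => $clientIp];
}

// Read with the IP check. On a mismatch the session is deleted, as the post describes,
// and null is returned so the caller starts a fresh, unauthenticated session.
function readSession(array &$store, string $id, string $clientIp, int $octets = 2): ?string
{
    if (!isset($store[$id])) {
        return null;
    }
    if (!ipOctetsMatch($store[$id]['ip'], $clientIp, $octets)) {
        unset($store[$id]);
        return null;
    }
    return $store[$id]['data'];
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected: $what");
    }
}

// Constructed walk-through using the post's addresses.
$sessions = [];
writeSession($sessions, 'sid-1', 'userId=7', '85.123.1.1');

// Same user after a reconnect that changed only the last two octets: still valid.
check(readSession($sessions, 'sid-1', '85.123.200.9') === 'userId=7', 'same /16 accepted');

// Attacker replaying the stolen cookie from 85.43.1.1: second octet differs,
// the session is destroyed and the legitimate user is logged out as well.
check(readSession($sessions, 'sid-1', '85.43.1.1') === null, 'other /16 rejected');
check(!isset($sessions['sid-1']), 'session deleted on mismatch');

// With compareIpOctets => 4 only the exact address is accepted.
writeSession($sessions, 'sid-2', 'userId=7', '85.123.1.1');
check(readSession($sessions, 'sid-2', '85.123.1.2', 4) === null, 'full match required');

// An IPv6 client never matches a stored IPv4 address (fails closed).
writeSession($sessions, 'sid-3', 'userId=7', '85.123.1.1');
check(readSession($sessions, 'sid-3', '2001:db8::1') === null, 'ipv6 rejected');

echo "octet comparison behaves as described\n";
```

Two things to settle before relying on a check like this. First, which address you compare: behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so the value must come from a forwarded header you trust, or every client collapses into one prefix. Second, what the prefix buys you: with the default of 2 octets an attacker inside the same /16 (commonly the same ISP or campus network) is not stopped, and an IPv6 client has no octets to compare at all, which the example above resolves by rejecting it.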
