Does Yii's session check the client's IP address?

Hello.

Does CHttpSession check the client’s IP address?

CHttpSession is a wrapper for PHP’s built-in session support, which is based on a session ID (saved either in a cookie or propagated through the URL). So: no, the client IP is not involved in session management.

So ‘enableCookieValidation’ => true does not enable validation by IP?

AFAIK no. It only hashes the cookie data with a private secret and verifies on each request that the data can be decrypted again. It might also not be a good idea to check for the same IP address. Consider that they often change, as many clients use dynamic IP addresses. That could even happen between requests, and you might not want to terminate a user’s session in that case.

I’ve created an extended version of CDbHttpSession which checks the client's IP range in order to avoid cookie stealing. You can define how many octets of the client's IP should be checked. So a session might remain valid if the user just gets a new IP from an internet provider. For example, most of the time only my last two octets change if I reconnect to the internet.

I have attached the extended version; you have to put it into your components folder if you want to use it. Make sure you delete your current database table if you already use CDbHttpSession, because the table schema is different. In your config:


'session' => array(
    'class' => 'ECDbHttpSession',
    'autoCreateSessionTable' => true,
    'connectionID' => 'db',
),

After the new session table has been created, you should disable ‘autoCreateSessionTable’ for performance reasons.

By default, the first 2 octets will be compared. So if the original user has IP "85.123.1.1" and an attacker with a stolen cookie has IP "85.43.1.1", the attacker would be unable to use the session. In this case the whole session would just get deleted. You can define how many octets to check:


'session' => array(
    ...
    'compareIpOctets' => 2,
    ...
),

4 means the full IP must match.
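As an added illustration of the octet-prefix check described above (this is not the attached ECDbHttpSession code), a stand-alone PHP function that compares the first N octets of two IPv4 addresses and a short driver using the post's own sample addresses. The function name and the handling of non-IPv4 input are assumptions of this example: IPv6 addresses have no dotted octets, so they are only accepted on an exact match.

```php
<?php
// Added example, not the attached extension's code.
// Returns true when the first $octets octets of two IPv4 addresses agree.
// Non-IPv4 input (e.g. IPv6 or an invalid string) falls back to exact comparison.
function ipPrefixMatches($storedIp, $currentIp, $octets = 2)
{
    // Clamp to the 1..4 range a dotted-quad address allows; 4 means full match.
    $octets = max(1, min(4, (int) $octets));

    $a = filter_var($storedIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    $b = filter_var($currentIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($a === false || $b === false) {
        // Not both IPv4: the octet idea does not apply, so require identity.
        return $storedIp === $currentIp;
    }

    $aParts = array_slice(explode('.', $a), 0, $octets);
    $bParts = array_slice(explode('.', $b), 0, $octets);
    return $aParts === $bParts;
}

// Constructed sample pairs, including the two addresses from the post above.
// A session handler would use the stored IP from the session row and the
// current client address (Yii exposes $_SERVER['REMOTE_ADDR'] as
// Yii::app()->request->userHostAddress); on a mismatch it would destroy
// the session rather than serve it.
$cases = array(
    array('85.123.1.1', '85.43.1.1', 2),   // differs in octet 2 -> reject
    array('85.123.1.1', '85.123.9.9', 2),  // same first two octets -> accept
    array('85.123.1.1', '85.123.1.2', 4),  // full match required -> reject
    array('2001:db8::1', '2001:db8::1', 2), // IPv6: exact match -> accept
    array('2001:db8::1', '2001:db8::2', 2), // IPv6: differs -> reject
);
foreach ($cases as $c) {
    list($stored, $current, $n) = $c;
    printf("%-12s vs %-12s octets=%d -> %s\n",
        $stored, $current, $n,
        ipPrefixMatches($stored, $current, $n) ? 'keep session' : 'destroy session');
}
```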