Session security issue. Core bug?

Hi everyone,

I’m a PHP dev who rarely works in Yii (though I like it) but I’ve been asked to look into a security issue with a Yii 1.1.15 site that was built by another agency.

Essentially, there’s an admin component. When you log in successfully, three cookies are created. I understand these to be the CSRF token, the PHP session ID and the Yii identity cookie. That’s my understanding at least.

If you copy those cookie keys and values and log out, you can make a remote cURL POST request that is accepted by Yii. You can’t, however, navigate to that area in a browser.

So some portion of the logout is working correctly, but not all of it. The logout method looks like this, which, after researching it, I believe is correct.


public function actionLogout() {
    // CWebUser::logout() clears the identity state; with allowAutoLogin enabled it
    // also removes the identity cookie, and by default destroys the session too.
    Yii::app()->user->logout();
    // Explicit session teardown (redundant with the default logout(true), but harmless).
    $session = Yii::app()->session;
    $session->close();
    $session->destroy();
    $this->redirect( array( '/' ) );
}

The accessRules look like this

public function accessRules() {
    return array(
        // Public actions: anyone, authenticated or not.
        array(
            'allow',
            'actions' => array( 'login', 'logout', 'action', 'reset', 'forgot' ),
            'users'   => array( '*' )
        ),
        // Admin-only actions, gated by the user's own isAdmin check.
        array(
            'allow',
            'actions'    => array( 'index', 'register' ),
            'expression' => '$user->getIsAdmin()',
        ),
        // Any authenticated user.
        array(
            'allow',
            'actions' => array( 'profile', 'password' ),
            'users'   => array( '@' )
        ),
        // Everything else is denied.
        array(
            'deny',
            'users' => array( '*' )
        )
    );
}

That appears correct as well. Is this a core Yii bug perhaps? If so, is it a known bug?

Thanks for your assistance!

Best,

Wilson

I think one of the cookies is “remember me”. If that’s the case, it’s expected.
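Added example (not from the post and not Yii's own code) of why a copied identity cookie outlives logout and what server-side revocation looks like. In Yii 1.1 the third cookie is the auto-login ("remember me") identity cookie: CWebUser::login() writes it when allowAutoLogin is enabled and a non-zero duration is passed, its contents are signed with CSecurityManager, and on a request that carries no session CWebUser::restoreFromCookie() re-logs in any unexpired copy whose signature verifies. Destroying the session or deleting the cookie in one browser does not change that, which is exactly the behaviour the post sees with cURL and why the reply calls it expected. The plain-PHP script below models the same mechanism with an HMAC-signed payload and constructed data; SECRET, the in-memory $users array and the cookie_generation field are assumptions for the demo, not Yii names. It then adds a per-user generation counter that logout increments, so every copy of the old cookie stops verifying at once. In Yii the equivalent comparison normally goes in an override of CWebUser::beforeLogin(), which receives a $fromCookie flag; confirm the hook's signature against the 1.1.15 source before relying on it.

```php
<?php
// Added example: a minimal model of a Yii-1.1-style "remember me" identity cookie.
// Not Yii code; it reproduces only the mechanism. Yii signs the cookie payload
// with CSecurityManager (HMAC) and, on a request with no session,
// CWebUser::restoreFromCookie() re-logs the user in if the signature verifies.
// Nothing server-side is consulted, so a copied cookie keeps working after logout.

const SECRET = 'replace-with-CSecurityManager-validationKey'; // assumed demo key

// Server-side state (assumed stand-in for the users table).
$users = [
    42 => ['name' => 'admin', 'isAdmin' => true, 'cookie_generation' => 1],
];

function makeIdentityCookie(int $id, int $generation, int $ttl): string
{
    $payload = json_encode(['id' => $id, 'gen' => $generation, 'exp' => time() + $ttl]);
    $mac = hash_hmac('sha256', $payload, SECRET);
    // base64 never contains '.', and the hex MAC never does either, so '.' is a safe separator.
    return base64_encode($payload) . '.' . $mac;
}

// Stateless check: what the post is seeing. Any cookie with a valid MAC and an
// unexpired timestamp is accepted, whether or not the user has since logged out.
function restoreStateless(string $cookie, array $users): ?int
{
    [$b64, $mac] = explode('.', $cookie, 2) + [null, null];
    if ($b64 === null || $mac === null) {
        return null;
    }
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || $data['exp'] < time() || !isset($users[$data['id']])) {
        return null;
    }
    return $data['id'];
}

// Revocable check: same cookie format, but the embedded generation must match the
// one stored for the user. Logout bumps the generation, so every copy of the old
// cookie dies together. In Yii this comparison belongs in an override of
// CWebUser::beforeLogin($id, $states, $fromCookie) (assumed hook; see lead-in).
function restoreRevocable(string $cookie, array $users): ?int
{
    $id = restoreStateless($cookie, $users);
    if ($id === null) {
        return null;
    }
    $data = json_decode(base64_decode(explode('.', $cookie, 2)[0], true), true);
    return $data['gen'] === $users[$id]['cookie_generation'] ? $id : null;
}

function logout(array &$users, int $id): void
{
    // Destroying the PHP session and clearing the browser's cookie is not enough;
    // the server must also invalidate the token the cookie carries.
    $users[$id]['cookie_generation']++;
}

// Walk through the scenario from the post: cookie copied before logout, replayed after.
$stolen = makeIdentityCookie(42, $users[42]['cookie_generation'], 3600);
logout($users, 42);

printf("stateless restore after logout: %s\n", var_export(restoreStateless($stolen, $users), true));
printf("revocable restore after logout: %s\n", var_export(restoreRevocable($stolen, $users), true));
```

Run it with `php demo.php`: the stateless check still yields the admin's id from the replayed cookie, while the revocable check yields null once logout has advanced the generation. The same idea applies to a password change or an admin-forced logout: rotate the stored generation (or a random per-user token) and every outstanding remember-me cookie is dead, without keeping a session per cookie.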