How safe is setState?

I need to store some user informations, which I use in querying the db.

But I can see that the informations stored like


$this->setState('Email', $user->Email);

are sent over the network with cookies.

If the user changes the cookie, will the "Yii::app()->user->Email" be altered on the server?

If yes, how can I make this more secure/safe? (The user must have the posibility to autologin)

Thanks

If you enable session component, states will be stored server-side.

HMAC calculation will be included in the cookie, once it is modified, the server refuses to use that cookie (the user will be logged out).

Does this answer your question?

I have found that there was a post about this subject here (although a have searched and researched the forum :) ): link

I have extended CWebUser and I’m using Yii::app()->session[’…’] to store the values. All work fine as far as I can see.

What do you mean by “enable session component”? Isn’t enabled by default?

Thanks for the quick answer!

No, it’s not. You can enable it by configuring session component in your configuration array. Set ‘class’=>‘CDbHttpSession’ to let Yii control everything.

Once it is turned on, you can use setState without sending data out in cookies.

So using CDbHttpSession and "remember me" Yii will not send state data in cookies?

I understand the OP’s concern. I wondered what the rationale is behind disabling server side session storage. Other than the data mining crowd, I haven’t seen anyone use cookies, except sessions cookies, for… well, I can’t remember the last time. If it’s just ffor “auto login”, it’s a high price to pay, imo.

Regardless, ding0, don’t revert to globals, that’s worse.

If you are using a database (id db in this case), then add the following to main.php and sessions will be stored in a table called YiiSession. It’s so easy, and there’s no work involved.




'session' => array(

    'class'=>'CDbHttpSession',

    'connectionID'=>'db',

),



Alternatively, use CHttpSession – which I believe should be the default; I don’t care about “auto login”, my browser will do that for me.

The “remember me” cookie should be separate from the session data (which in my opinion shouldn’t be in a cookie in any case).

If I don’t explicitly want it to use session, then it shouldn’t. Still, there must be a way when I can store user related information. If I don’t provide storage, it should use whichever has the most accessibility.

Generally, it is a wrong idea not to take advantage of sessions.

If you specify ‘connectionID’, your session data will appear in your primary database. I don’t want to see in my backups, so I just leave that out and let Yii use runtime folder to create sqlite db.

It actually won’t. If there is a checkbox saying ‘remember me’, I always tick that. Saves me one click on every website I regularly use. Saves me thousands of clicks in each month.

It’s a design choice. Sessions are safer, so the better design choice.

Nope, it should be the one that best fits the requirements.

I agree. That’s what I said.

That’s a design choice. But equally, if you don’t want it in your backups, then don’t back it up!

Well, actually, it will.

Me too. Never said I didn’t.

You’re looking at things through your usage. People behave differently. Give people choices, don’t make it all or nothing.

But this is a choice all developers should make. It is not the framework’s job.

Yes, and a disabled session won’t fit the requirements.

It is convenient for me not to deselect one table each time I do a backup. Just hit save and I’m done. ;)

You said you don’t care about ‘auto login’. I interpreted this as you don’t configure that option.

People hate to decide and especially hate to think. I keep the numbers of choices as low as possible.

Of course not. Who said otherwise?

No shit! If that’s what is required.

Compromising design decisions for such reasons is lame.

Maybe I do, maybe I don’t. It depends on the requirements. What I do is ensure that this particular functionality is provided by its own cookie.

Your premise is nonsense. I would qualify the second part by adding the word "essential".