Make the authentication more secure

Suppose an attacker has an account on your website. He can set the PHPSESSID cookie to an empty value and then log in. The PHPSESSID stays blank, and the user is now logged in under that session.

If you use CDbHttpSession, look at the YiiSession table in your database: you will see a record with an empty id. This is neither secure nor robust; the session id must be a random string, as produced by session_regenerate_id.

So what is the problem, and how can we fix it?

When you use CWebUser, the login action calls the login method, which calls changeIdentity; changeIdentity in turn calls Yii::app()->getSession()->regenerateID(true).

If you use CDbHttpSession, regenerateID contains the following code:

public function regenerateID($deleteOldSession=false)
{
    $oldID=session_id();
    // if no session is started, there is nothing to regenerate
    if(empty($oldID))
        return;
    ....

This checks whether a session is started, but in our case session_id() returns an empty string because the attacker set PHPSESSID to empty (although the session has started)! The early return fires, and the session id is never regenerated.

How do we fix that?

In protected/components, add ExCWebUser.php with the code below:

class ExCWebUser extends CWebUser
{
    protected function changeIdentity($id,$name,$states)
    {
        // force regeneration of the session id, whether the current id exists, is empty or not
        session_regenerate_id(true);
        parent::changeIdentity($id,$name,$states);
    }
}
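The same override with the check a practitioner would add, as an added example rather than the article's own code: it uses PHP's session_status() (PHP 5.4+) instead of the empty-id test to decide whether a session is running, and refuses the login if regeneration did not yield a fresh, non-empty id. It assumes Yii 1.1 (CWebUser, CHttpException and Yii::log are framework classes) and the default autoStart session component.

```php
<?php
// Added example, not the wiki's code: ExCWebUser that forces session id
// regeneration on login and verifies that it actually happened.
class ExCWebUser extends CWebUser
{
    protected function changeIdentity($id, $name, $states)
    {
        // session_status() reports a started session even when the client sent
        // an empty PHPSESSID, which is exactly the case the empty-id test misses.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            Yii::app()->getSession()->open();
        }

        $oldID = session_id();   // '' when the client sent an empty PHPSESSID

        // Create a fresh random id and delete the old record. Unlike
        // CHttpSession::regenerateID() this does not skip the work when the
        // current id is empty.
        $ok = session_regenerate_id(true);
        $newID = session_id();

        if (!$ok || $newID === '' || $newID === $oldID) {
            // Headers already sent or the save handler refused: never log the
            // user in on a session id the client chose.
            Yii::log(
                "session id regeneration failed on login for user #$id",
                CLogger::LEVEL_ERROR,
                'application.security'
            );
            throw new CHttpException(500, 'Could not establish a secure session.');
        }

        parent::changeIdentity($id, $name, $states);
    }
}
```

The failure branch is the difference from the short version above: a login that cannot obtain a new id is rejected and logged rather than silently continuing on the attacker-supplied one.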

In protected/config/main.php, modify the 'user' settings (and, if needed, the 'session' settings) like this:

'session' => array(
    'class' => 'CDbHttpSession',
    'connectionID' => 'db',
    'timeout' => 86400, // 24 hours
),

'user' => array(
    'class' => 'ExCWebUser', // use our WebUser class
    // enable cookie-based authentication
    'allowAutoLogin' => true,
),

Now, if PHPSESSID is empty (or holds any old session id), the new authentication is created with a new, valid and secure session id.