Difference between #3 and #4 of
Make the authentication more securely

Revision #4 has been created by Kostas Apazidis (KonApaz) on Jun 17, 2014, 11:45:10 AM with the memo:

-

Changes

Title unchanged

Make the authentication more securely

Category unchanged

Tutorials

Yii version unchanged

Tags unchanged

security, Authentication, session

Content changed

Suppose a hacker has an account on your website. He could set PHPSESSID to an empty value and then log in to your system. The PHPSESSID stays blank, and the user is now logged in under that session. If you use CDbHttpSession, look at the YiiSession table of your database and you will see a record with an empty id. (This is not very secure or robust.)

Session id must be a random string, using session_regenerate_id
[...]
Using CWebUser, the login action calls the login method, which calls the changeIdentity method. changeIdentity calls Yii::app()->getSession()->regenerateID(true). In the case that you use CDbHttpSession, the regenerateID method contains the following code:
[...]

That checks whether the session is started.

But in our case, session_id() returns an empty string because the user-hacker set PHPSESSID to empty (although the session has been started normally)! So, how to fix that? In your protected/components, create ExCWebUser.php (or modify your own) with the code below:

```php
class ExCWebUser extends CWebUser {
[...]
```
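The article's own ExCWebUser body is elided above. The class below is an added example written for this revision page, not the wiki author's code: it overrides changeIdentity() so that a login is never bound to a blank session id, which is exactly the case in which CDbHttpSession::regenerateID() returns early. It assumes the Yii 1.1 CWebUser / CHttpSession API (getSessionID, setSessionID, open, regenerateID), the PHP openssl extension for the fallback id, and the helper name newSessionId() is our own.

```php
<?php
// Added example, not the wiki article's own code. Assumes the Yii 1.1
// CWebUser / CHttpSession API; newSessionId() is a helper we define here.
class ExCWebUser extends CWebUser
{
    /**
     * CWebUser::login() calls changeIdentity() once the identity has been
     * validated. CDbHttpSession::regenerateID() does nothing when session_id()
     * is '', so with an empty PHPSESSID cookie the login would otherwise be
     * stored under a blank session id.
     */
    protected function changeIdentity($id, $name, $states)
    {
        $session = Yii::app()->getSession();

        if ($session->getSessionID() === '') {
            // The client supplied no usable id. Discard the id-less session and
            // start one under a server-chosen id, so regenerateID() below has
            // something to replace. session_write_close() is harmless if no
            // session is active.
            Yii::log('Login attempted with an empty session id; assigning a fresh one',
                CLogger::LEVEL_WARNING, 'application.security');
            session_write_close();
            $session->setSessionID($this->newSessionId());
            $session->open();
        }

        $before = $session->getSessionID();
        if ($before === '') {
            // Still no id: refuse to complete the login rather than persist an
            // authenticated session under an empty key.
            throw new CHttpException(400, 'Unable to establish a session.');
        }

        // The parent regenerates the id (deleting the old record when
        // CDbHttpSession is used) and then stores the identity; this is the
        // session-fixation defence the article relies on.
        parent::changeIdentity($id, $name, $states);

        if ($session->getSessionID() === $before) {
            // Detection hook: a login that kept its pre-authentication id is
            // worth flagging, since that is the fixation scenario.
            Yii::log('Session id was not regenerated on login',
                CLogger::LEVEL_WARNING, 'application.security');
        }
    }

    /**
     * 32 hex characters from the CSPRNG. Assumption: the openssl extension is
     * loaded, as it normally is on PHP 5.3 and later.
     */
    private function newSessionId()
    {
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
}
```

To make Yii use it, point the user component at the class in protected/config/main.php, i.e. `'user' => array('class' => 'ExCWebUser', ...)` under `components`. After deploying, the YiiSession table should never again contain a row whose id column is empty; a row like that, or the warning logged above, is the signal that a client tried to log in with a blank PHPSESSID.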
Version: 1.1
Category: Tutorials
Last updated by: Kostas Apazidis (KonApaz)
Created on: Jun 17, 2014