Changes
Title
unchanged
Make the authentication more securely
Category
unchanged
Tutorials
Yii version
unchanged
Tags
unchanged
security, Authentication, session
Content
changed
Suppose a hacker has an account of your website
He could set the PHPSESSID to empty
After of that He login in your system
The PHPSESSID remains blank and user has already logged with this session
If you use CDbHttpSession go to YiiSession table of your database and you will see a record with empty id (This is not very secured or robust)
.
sSession id must be a random string using session_regenerate_id[...]
using CWebUser on login action calls the login method that calls changeIdentity method.
tThe changeIdentity calls the Yii::app()->getSession()->regenerateID(true)
In the case that you use CDbHttpSession the regenerateID
method contains the follow code[...]
```
That check if session is started b.
But in our case
, session_id returns empty string because user-hacker set the PHPSESSID to empty (although the session
startedhas been started normaly)!
So, How to fix that ?
iIn your protected/components
addcreate the ExCWebUser.php
(or modify your own) with the below code
```php
class ExCWebUser extends CWebUser {[...]