The Definitive Guide to Yii 1.1
return array(
    'components'=>array(
        'request'=>array(
            'enableCsrfValidation'=>true,
        ),
    ),
);
Then render forms with CHtml::form (or CHtml::beginForm) instead of writing the <form> tag by hand. For a POST form, CHtml::form emits a hidden field, named after CHttpRequest::csrfTokenName (YII_CSRF_TOKEN by default), carrying a random token that Yii also keeps in a cookie of the same name; CHttpRequest compares the two when the form is submitted and rejects the request with an HTTP 400 error if they do not match. The check runs for POST requests (later 1.1 releases also cover PUT, PATCH and DELETE) and never for GET, so a state-changing action must not be reachable via GET, and hand-written forms and AJAX POSTs have to send the token themselves.
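As an added example that is not the guide's own code, here is a Yii 1.1 view built with CHtml::form next to the controller action that receives it. SiteController, actionChangeEmail and the view file name are hypothetical, and enableCsrfValidation is assumed to be on as configured above.

```php
<?php
// Added example, not code from the guide. Assumes the request component has
// enableCsrfValidation=>true; SiteController/actionChangeEmail and the view
// file are hypothetical names.

/* ---- protected/views/site/changeEmail.php ---- */
echo CHtml::form(array('site/changeEmail'), 'post');
// The line above emitted the <form> tag plus a hidden field such as
//   <input type="hidden" name="YII_CSRF_TOKEN" value="<random token>" />
// The field name is CHttpRequest::csrfTokenName; the same token is stored in
// a cookie of that name, and CHttpRequest compares the two on every POST.
echo CHtml::textField('email', '', array('maxlength'=>255));
echo CHtml::submitButton('Save');
echo CHtml::endForm();

// A <form> written by hand gets no token, so a POST to it is rejected with
// HTTP 400 "The CSRF token could not be verified." before any action runs.
// Add the field yourself (the same name/value pair works as data for an AJAX POST):
$request = Yii::app()->request;
echo '<form method="post" action="' . CHtml::normalizeUrl(array('site/changeEmail')) . '">';
echo CHtml::hiddenField($request->csrfTokenName, $request->csrfToken);
echo CHtml::textField('email');
echo CHtml::submitButton('Save');
echo '</form>';

/* ---- protected/controllers/SiteController.php ---- */
class SiteController extends CController
{
    public function actionChangeEmail()
    {
        $request = Yii::app()->request;
        // CHttpRequest::validateCsrfToken() runs from onBeginRequest for POST
        // (later 1.1 releases also PUT/PATCH/DELETE) and never for GET, so a
        // POST that reaches this point has already passed the token check.
        // The state change itself must be gated on the method: if a GET could
        // trigger it, the CSRF protection would be bypassed.
        if ($request->isPostRequest) {
            $email = $request->getPost('email', '');
            if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
                // real code would persist the new address here
                Yii::app()->user->setFlash('success', 'E-mail address updated.');
                $this->redirect(array('site/changeEmail'));
            }
            Yii::app()->user->setFlash('error', 'Invalid e-mail address.');
        }
        $this->render('changeEmail');
    }
}
```

The second form in the view is deliberately written without CHtml::form to show what CHtml::form does for you: without the hidden field, every submission of that form would fail validation even though the user is legitimate.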
Cookie Attack Prevention
Protecting cookies from attack matters because session IDs are usually stored in cookies: whoever obtains a session ID effectively owns the session and everything the user can do in it.
There are several countermeasures to prevent cookies from being attacked.
• Serve the application over SSL/TLS and mark the authentication cookie Secure, so the browser only ever sends it over an HTTPS connection and an attacker on the network cannot read it in transit.
• Expire sessions appropriately, including all cookies and session tokens, to narrow the window in which a stolen session ID is useful.
• Prevent cross-site scripting, which lets arbitrary script run in the user's browser and read their cookies; mark cookies HttpOnly as well, so script cannot read them even if an XSS bug slips through.
• Validate cookie data and detect whether it has been altered.
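One way to apply these four countermeasures with Yii 1.1's own components, as an added configuration example that is not part of the guide; the timeout values are illustrative choices, not Yii defaults:

```php
<?php
// Added example, not from the guide: protected/config/main.php fragment.
// Timeouts are illustrative. The comments name the weaker out-of-the-box
// behaviour that each setting replaces.
return array(
    'components'=>array(
        'session'=>array(
            'class'=>'CHttpSession',
            // default 'allow': the session ID may also be accepted from the URL
            'cookieMode'=>'only',
            // default: PHP's session.gc_maxlifetime (commonly 1440 s); bullet 2
            'timeout'=>1800,
            'cookieParams'=>array(
                'httponly'=>true,   // bullet 3: document.cookie cannot read the session ID
                'secure'=>true,     // bullet 1: the cookie is sent over HTTPS only
            ),
        ),
        'user'=>array(
            'class'=>'CWebUser',
            'allowAutoLogin'=>false,   // no long-lived "remember me" identity cookie
            'authTimeout'=>1800,       // bullet 2: idle login expires even if the session lives on
        ),
        'request'=>array(
            'enableCookieValidation'=>true,   // bullet 4, covered in the next paragraphs
            'enableCsrfValidation'=>true,
            'csrfCookie'=>array('httpOnly'=>true, 'secure'=>true),   // same flags for the CSRF cookie
        ),
    ),
);
```

With cookieMode set to 'only', a session ID planted in a URL (session fixation via link) is ignored, and with secure set, a site that is still reachable over plain HTTP will simply not have a session there, which is the intended outcome.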
Yii implements a cookie validation scheme that detects modified cookies. With cookie validation enabled, every cookie written through the cookies collection is stored together with an HMAC that CSecurityManager computes from the application's validation key, and on the next request any cookie whose HMAC does not verify is left out of the collection, so the application never sees the tampered value. This is an integrity check only: the cookie contents are not encrypted, so nothing secret belongs in a cookie even with validation on.
Cookie validation is disabled by default. To enable it, configure the CHttpRequest application component in the application configuration as follows,
return array(
    'components'=>array(
        'request'=>array(
            'enableCookieValidation'=>true,
        ),
    ),
);
To benefit from the cookie validation scheme provided by Yii, cookies must also be read and written through the request's cookies collection rather than directly through $_COOKIE:
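The guide's own listing is cut off here. As an added example that is not the guide's code, the following shows a full round trip through the cookie validation scheme: the validation key configuration, writing a cookie with the collection, what actually reaches the browser, and what a forged cookie looks like to CSecurityManager. enableCookieValidation is assumed to be on, the cookie name 'theme' is hypothetical, and the key value is a placeholder.

```php
<?php
// Added example, not the guide's own listing. Assumes enableCookieValidation=>true
// and a hypothetical cookie named 'theme'.

/* protected/config/main.php: pin the HMAC key. If validationKey is unset, Yii
   generates a random one on first use and keeps it in protected/runtime/state.bin,
   so two app servers behind a load balancer would reject each other's cookies.
   The value shown is a placeholder, never a real key:
'securityManager'=>array('validationKey'=>'<long random secret kept out of version control>'),
*/

$request = Yii::app()->request;
$cookies = $request->cookies;   // CCookieCollection, not $_COOKIE

// Writing: the collection serializes the value, prefixes it with an HMAC and
// only then calls setcookie(). Cookie flags go on the CHttpCookie object.
$cookie = new CHttpCookie('theme', 'dark');
$cookie->httpOnly = true;                 // not readable from script
$cookie->secure = true;                   // HTTPS only
$cookie->expire = time() + 30 * 86400;
$cookies['theme'] = $cookie;

// What the browser stores, rebuilt with the same CSecurityManager primitives:
$sm = Yii::app()->getSecurityManager();
$onTheWire = $sm->hashData(serialize('dark'));   // '<hex HMAC>' . 's:4:"dark";'

// Reading: the collection verifies the HMAC of every incoming cookie and leaves
// out any that fail, so a value edited in the browser is simply absent.
$theme = isset($cookies['theme']) ? $cookies['theme']->value : 'light';

// The same check by hand, to see how a forged cookie fails:
$hmacLen = strlen($onTheWire) - strlen(serialize('dark'));
$forged  = substr($onTheWire, 0, $hmacLen) . serialize('admin');   // old MAC, new data
assert($sm->validateData($onTheWire) === serialize('dark'));
assert($sm->validateData($forged) === false);

// Reading $_COOKIE['theme'] directly would hand back the raw '<HMAC>s:4:"dark";'
// blob, and unserializing it yourself would trust whatever the client sent.
```

Because the stored value is a serialized PHP string, the HMAC is what keeps that unserialize() call from becoming an attack surface; keep the validation key secret and unique per application.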