yii2-bootstrap/docs/guide/security.md

Security
========

Good security is vital to the health and success of many websites. Unfortunately, many developers may cut corners when it comes to security due to a lack of understanding or too large of an implementation hurdle. To make your Yii-based site as secure as possible, the Yii framework has baked in several excellent, and easy to use, security features.

Hashing and verifying passwords
-------------------------------

Most developers know that you cannot store passwords in plain text, but many believe it's safe to hash passwords using `md5` or `sha1`. There was a time when those hashing algorithms were sufficient, but modern hardware makes it possible to break those hashes very quickly using a brute force attack.

In order to truly secure user passwords, even in the worst case scenario (your database is broken into), you need to use a hashing algorithm that is resistant to brute force attacks. The best current choice is `bcrypt`. In PHP, you can create a `bcrypt` hash by using the [crypt function](http://php.net/manual/en/function.crypt.php). However, this function is not easy to use properly, so Yii provides two helper functions to make securely generating and verifying hashes easier.

When a user provides a password for the first time (e.g., upon registration), the password needs to be hashed:

```php
$hash = \yii\helpers\Security::generatePasswordHash($password);
```

The hash would then be associated with the model, so that it will be stored in the database for later use.

When user attempts to log in, the submitted log in password must be verified against the previously hashed and stored password:

```php
use \yii\helpers;
if (Security::validatePassword($password, $hash)) {
	// all good, logging user in
} else {
	// wrong password
}
```


Creating random data
-----------

Random data is useful in many cases. For example, when resetting a password via email you need to generate a token,
save it to database and send it via email to end user so he's able to prove that email belongs to him. It is very
important for this token to be truly unique else there will be a possibility to predict a value and reset another user's
password.

Yii security helper makes it as simple as:

```php
$key = \yii\helpers\Security::generateRandomKey();
```

Encryption and decryption
-------------------------

In order to encrypt data so only person knowing a secret passphrase or having a secret key will be able to decrypt it.
For example, we need to store some information in our database but we need to make sure only user knowing a secret code
can view it (even if database is leaked):


```php
// $data and $secretWord are from the form
$encryptedData = \yii\helpers\Security::encrypt($data, $secretWord);
// store $encryptedData to database
```

Then when user want to read it:

```php
// $secretWord is from the form, $encryptedData is from database
$data = \yii\helpers\Security::decrypt($encryptedData, $secretWord);
```

Confirming data integrity
--------------------------------

Making sure data wasn't modified

hashData()
validateData()


Securing Cookies
----------------

- validation
- httpOnly

See also
--------

- [Views security](view.md#security)
draft of security section 11 years ago			`Security`
			`========`

Only whitespace removal 11 years ago			`Good security is vital to the health and success of many websites. Unfortunately, many developers may cut corners when it comes to security due to a lack of understanding or too large of an implementation hurdle. To make your Yii-based site as secure as possible, the Yii framework has baked in several excellent, and easy to use, security features.`
Worked on several Guide docs 11 years ago
Last typo fixes in guide - I swear - [skip ci] 11 years ago			`Hashing and verifying passwords`
restructuring guide index.md and structure worked though all the guide files adjusted structure and added some missing does 11 years ago			`-------------------------------`
draft of security section 11 years ago
Doing more editing... 11 years ago			Most developers know that you cannot store passwords in plain text, but many believe it's safe to hash passwords using `md5` or `sha1`. There was a time when those hashing algorithms were sufficient, but modern hardware makes it possible to break those hashes very quickly using a brute force attack.
draft of security section 11 years ago
Edited password section 11 years ago			In order to truly secure user passwords, even in the worst case scenario (your database is broken into), you need to use a hashing algorithm that is resistant to brute force attacks. The best current choice is `bcrypt`. In PHP, you can create a `bcrypt` hash by using the [crypt function](http://php.net/manual/en/function.crypt.php). However, this function is not easy to use properly, so Yii provides two helper functions to make securely generating and verifying hashes easier.
draft of security section 11 years ago
Edited password section 11 years ago			`When a user provides a password for the first time (e.g., upon registration), the password needs to be hashed:`
draft of security section 11 years ago
			```php
			`$hash = \yii\helpers\Security::generatePasswordHash($password);`
			```

Edited password section 11 years ago			`The hash would then be associated with the model, so that it will be stored in the database for later use.`
draft of security section 11 years ago
Edited password section 11 years ago			`When user attempts to log in, the submitted log in password must be verified against the previously hashed and stored password:`
draft of security section 11 years ago
			```php
Edited password section 11 years ago			`use \yii\helpers;`
			`if (Security::validatePassword($password, $hash)) {`
draft of security section 11 years ago			`// all good, logging user in`
Edited password section 11 years ago			`} else {`
draft of security section 11 years ago			`// wrong password`
			`}`
			```


Worked on several Guide docs 11 years ago			`Creating random data`
draft of security section 11 years ago			`-----------`

			`Random data is useful in many cases. For example, when resetting a password via email you need to generate a token,`
			`save it to database and send it via email to end user so he's able to prove that email belongs to him. It is very`
			`important for this token to be truly unique else there will be a possibility to predict a value and reset another user's`
			`password.`

			`Yii security helper makes it as simple as:`

			```php
			`$key = \yii\helpers\Security::generateRandomKey();`
			```

			`Encryption and decryption`
			`-------------------------`

			`In order to encrypt data so only person knowing a secret passphrase or having a secret key will be able to decrypt it.`
			`For example, we need to store some information in our database but we need to make sure only user knowing a secret code`
			`can view it (even if database is leaked):`


			```php
			`// $data and $secretWord are from the form`
			`$encryptedData = \yii\helpers\Security::encrypt($data, $secretWord);`
			`// store $encryptedData to database`
			```

			`Then when user want to read it:`

			```php
			`// $secretWord is from the form, $encryptedData is from database`
			`$data = \yii\helpers\Security::decrypt($encryptedData, $secretWord);`
			```

Worked on several Guide docs 11 years ago			`Confirming data integrity`
draft of security section 11 years ago			`--------------------------------`

Worked on several Guide docs 11 years ago			`Making sure data wasn't modified`

draft of security section 11 years ago			`hashData()`
			`validateData()`


			`Securing Cookies`
			`----------------`

			`- validation`
more docs on views, cross-references, intros for error handling and debugger 11 years ago			`- httpOnly`

			`See also`
			`--------`

			`- [Views security](view.md#security)`