Class yii\base\Security

Inheritanceyii\base\Security » yii\base\Component » yii\base\BaseObject
Implementsyii\base\Configurable
Available since version2.0
Source Code https://github.com/yiisoft/yii2/blob/master/framework/base/Security.php

Security provides a set of methods to handle common security-related tasks.

In particular, Security supports the following features:

Note: this class requires 'OpenSSL' PHP extension for random key/string generation on Windows and for encryption/decryption on all platforms. For the highest security level PHP version >= 5.5.0 is recommended.

For more details and usage information on Security, see the guide article on security.

Public Properties

Hide inherited properties

Property Type Description Defined By
$allowedCiphers array[] Look-up table of block sizes and key sizes for each supported OpenSSL cipher. yii\base\Security
$authKeyInfo string HKDF info value for derivation of message authentication key. yii\base\Security
$behaviors yii\base\Behavior[] List of behaviors attached to this component. yii\base\Component
$cipher string The cipher to use for encryption and decryption. yii\base\Security
$derivationIterations integer Derivation iterations count. yii\base\Security
$kdfHash string Hash algorithm for key derivation. yii\base\Security
$macHash string Hash algorithm for message authentication. yii\base\Security
$passwordHashCost integer Default cost used for password hashing. yii\base\Security
$passwordHashStrategy string Strategy, which should be used to generate password hash. yii\base\Security

Public Methods

Hide inherited methods

Method Description Defined By
__call() Calls the named method which is not a class method. yii\base\Component
__clone() This method is called after the object is created by cloning an existing one. yii\base\Component
__construct() Constructor. yii\base\BaseObject
__get() Returns the value of a component property. yii\base\Component
__isset() Checks if a property is set, i.e. defined and not null. yii\base\Component
__set() Sets the value of a component property. yii\base\Component
__unset() Sets a component property to be null. yii\base\Component
attachBehavior() Attaches a behavior to this component. yii\base\Component
attachBehaviors() Attaches a list of behaviors to the component. yii\base\Component
behaviors() Returns a list of behaviors that this component should behave as. yii\base\Component
canGetProperty() Returns a value indicating whether a property can be read. yii\base\Component
canSetProperty() Returns a value indicating whether a property can be set. yii\base\Component
className() Returns the fully qualified name of this class. yii\base\BaseObject
compareString() Performs string comparison using timing attack resistant approach. yii\base\Security
decryptByKey() Verifies and decrypts data encrypted with encryptByKey(). yii\base\Security
decryptByPassword() Verifies and decrypts data encrypted with encryptByPassword(). yii\base\Security
detachBehavior() Detaches a behavior from the component. yii\base\Component
detachBehaviors() Detaches all behaviors from the component. yii\base\Component
encryptByKey() Encrypts data using a cryptographic key. yii\base\Security
encryptByPassword() Encrypts data using a password. yii\base\Security
ensureBehaviors() Makes sure that the behaviors declared in behaviors() are attached to this component. yii\base\Component
generatePasswordHash() Generates a secure hash from a password and a random salt. yii\base\Security
generateRandomKey() Generates specified number of random bytes. yii\base\Security
generateRandomString() Generates a random string of specified length. yii\base\Security
getBehavior() Returns the named behavior object. yii\base\Component
getBehaviors() Returns all behaviors attached to this component. yii\base\Component
hasEventHandlers() Returns a value indicating whether there is any handler attached to the named event. yii\base\Component
hasMethod() Returns a value indicating whether a method is defined. yii\base\Component
hasProperty() Returns a value indicating whether a property is defined for this component. yii\base\Component
hashData() Prefixes data with a keyed hash value so that it can later be detected if it is tampered. yii\base\Security
hkdf() Derives a key from the given input key using the standard HKDF algorithm. yii\base\Security
init() Initializes the object. yii\base\BaseObject
maskToken() Masks a token to make it uncompressible. yii\base\Security
off() Detaches an existing event handler from this component. yii\base\Component
on() Attaches an event handler to an event. yii\base\Component
pbkdf2() Derives a key from the given password using the standard PBKDF2 algorithm. yii\base\Security
trigger() Triggers an event. yii\base\Component
unmaskToken() Unmasks a token previously masked by maskToken. yii\base\Security
validateData() Validates if the given data is tampered. yii\base\Security
validatePassword() Verifies a password against a hash. yii\base\Security

Protected Methods

Hide inherited methods

Method Description Defined By
decrypt() Decrypts data. yii\base\Security
encrypt() Encrypts data. yii\base\Security
generateSalt() Generates a salt that can be used to generate a password hash. yii\base\Security
shouldUseLibreSSL() yii\base\Security

Property Details

Hide inherited properties

$allowedCiphers public property

Look-up table of block sizes and key sizes for each supported OpenSSL cipher.

In each element, the key is one of the ciphers supported by OpenSSL (@see openssl_get_cipher_methods()). The value is an array of two integers, the first is the cipher's block size in bytes and the second is the key size in bytes.

Warning: All OpenSSL ciphers that we recommend are in the default value, i.e. AES in CBC mode.

Note: Yii's encryption protocol uses the same size for cipher key, HMAC signature key and key derivation salt.

public array[] $allowedCiphers = [
    
'AES-128-CBC' => [
        
16,
        
16,
    ],
    
'AES-192-CBC' => [
        
16,
        
24,
    ],
    
'AES-256-CBC' => [
        
16,
        
32,
    ],
]
$authKeyInfo public property

HKDF info value for derivation of message authentication key.

See also hkdf().

public string $authKeyInfo 'AuthorizationKey'
$cipher public property

The cipher to use for encryption and decryption.

public string $cipher 'AES-128-CBC'
$derivationIterations public property

Derivation iterations count. Set as high as possible to hinder dictionary password attacks.

$kdfHash public property

Hash algorithm for key derivation. Recommend sha256, sha384 or sha512.

See also hash_algos().

public string $kdfHash 'sha256'
$macHash public property

Hash algorithm for message authentication. Recommend sha256, sha384 or sha512.

See also hash_algos().

public string $macHash 'sha256'
$passwordHashCost public property (available since version 2.0.6)

Default cost used for password hashing. Allowed value is between 4 and 31.

See also generatePasswordHash().

$passwordHashStrategy public property
Deprecated since version 2.0.7, generatePasswordHash() ignores $passwordHashStrategy and uses password_hash() when available or crypt() when not.

Strategy, which should be used to generate password hash. Available strategies:

  • 'password_hash' - use of PHP password_hash() function with PASSWORD_DEFAULT algorithm. This option is recommended, but it requires PHP version >= 5.5.0
  • 'crypt' - use PHP crypt() function.

Method Details

Hide inherited methods

__call() public method

Defined in: yii\base\Component::__call()

Calls the named method which is not a class method.

This method will check if any attached behavior has the named method and will execute it if available.

Do not call this method directly as it is a PHP magic method that will be implicitly called when an unknown method is being invoked.

public mixed __call ( $name, $params )
$name string

The method name

$params array

Method parameters

return mixed

The method return value

throws yii\base\UnknownMethodException

when calling unknown method

                public function __call($name, $params)
{
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $object) {
        if ($object->hasMethod($name)) {
            return call_user_func_array([$object, $name], $params);
        }
    }
    throw new UnknownMethodException('Calling unknown method: ' . get_class($this) . "::$name()");
}

            
__clone() public method

Defined in: yii\base\Component::__clone()

This method is called after the object is created by cloning an existing one.

It removes all behaviors because they are attached to the old object.

public void __clone ( )

                public function __clone()
{
    $this->_events = [];
    $this->_eventWildcards = [];
    $this->_behaviors = null;
}

            
__construct() public method

Defined in: yii\base\BaseObject::__construct()

Constructor.

The default implementation does two things:

  • Initializes the object with the given configuration $config.
  • Call init().

If this method is overridden in a child class, it is recommended that

  • the last parameter of the constructor is a configuration array, like $config here.
  • call the parent implementation at the end of the constructor.
public void __construct ( $config = [] )
$config array

Name-value pairs that will be used to initialize the object properties

                public function __construct($config = [])
{
    if (!empty($config)) {
        Yii::configure($this, $config);
    }
    $this->init();
}

            
__get() public method

Defined in: yii\base\Component::__get()

Returns the value of a component property.

This method will check in the following order and act accordingly:

  • a property defined by a getter: return the getter result
  • a property of a behavior: return the behavior property value

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $value = $component->property;.

See also __set().

public mixed __get ( $name )
$name string

The property name

return mixed

The property value or the value of a behavior's property

throws yii\base\UnknownPropertyException

if the property is not defined

throws yii\base\InvalidCallException

if the property is write-only.

                public function __get($name)
{
    $getter = 'get' . $name;
    if (method_exists($this, $getter)) {
        // read property, e.g. getName()
        return $this->$getter();
    }
    // behavior property
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $behavior) {
        if ($behavior->canGetProperty($name)) {
            return $behavior->$name;
        }
    }
    if (method_exists($this, 'set' . $name)) {
        throw new InvalidCallException('Getting write-only property: ' . get_class($this) . '::' . $name);
    }
    throw new UnknownPropertyException('Getting unknown property: ' . get_class($this) . '::' . $name);
}

            
__isset() public method

Defined in: yii\base\Component::__isset()

Checks if a property is set, i.e. defined and not null.

This method will check in the following order and act accordingly:

  • a property defined by a setter: return whether the property is set
  • a property of a behavior: return whether the property is set
  • return false for non existing properties

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing isset($component->property).

See also https://www.php.net/manual/en/function.isset.php.

public boolean __isset ( $name )
$name string

The property name or the event name

return boolean

Whether the named property is set

                public function __isset($name)
{
    $getter = 'get' . $name;
    if (method_exists($this, $getter)) {
        return $this->$getter() !== null;
    }
    // behavior property
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $behavior) {
        if ($behavior->canGetProperty($name)) {
            return $behavior->$name !== null;
        }
    }
    return false;
}

            
__set() public method

Defined in: yii\base\Component::__set()

Sets the value of a component property.

This method will check in the following order and act accordingly:

  • a property defined by a setter: set the property value
  • an event in the format of "on xyz": attach the handler to the event "xyz"
  • a behavior in the format of "as xyz": attach the behavior named as "xyz"
  • a property of a behavior: set the behavior property value

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $component->property = $value;.

See also __get().

public void __set ( $name, $value )
$name string

The property name or the event name

$value mixed

The property value

throws yii\base\UnknownPropertyException

if the property is not defined

throws yii\base\InvalidCallException

if the property is read-only.

                public function __set($name, $value)
{
    $setter = 'set' . $name;
    if (method_exists($this, $setter)) {
        // set property
        $this->$setter($value);
        return;
    } elseif (strncmp($name, 'on ', 3) === 0) {
        // on event: attach event handler
        $this->on(trim(substr($name, 3)), $value);
        return;
    } elseif (strncmp($name, 'as ', 3) === 0) {
        // as behavior: attach behavior
        $name = trim(substr($name, 3));
        $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
        return;
    }
    // behavior property
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $behavior) {
        if ($behavior->canSetProperty($name)) {
            $behavior->$name = $value;
            return;
        }
    }
    if (method_exists($this, 'get' . $name)) {
        throw new InvalidCallException('Setting read-only property: ' . get_class($this) . '::' . $name);
    }
    throw new UnknownPropertyException('Setting unknown property: ' . get_class($this) . '::' . $name);
}

            
__unset() public method

Defined in: yii\base\Component::__unset()

Sets a component property to be null.

This method will check in the following order and act accordingly:

  • a property defined by a setter: set the property value to be null
  • a property of a behavior: set the property value to be null

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing unset($component->property).

See also https://www.php.net/manual/en/function.unset.php.

public void __unset ( $name )
$name string

The property name

throws yii\base\InvalidCallException

if the property is read only.

                public function __unset($name)
{
    $setter = 'set' . $name;
    if (method_exists($this, $setter)) {
        $this->$setter(null);
        return;
    }
    // behavior property
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $behavior) {
        if ($behavior->canSetProperty($name)) {
            $behavior->$name = null;
            return;
        }
    }
    throw new InvalidCallException('Unsetting an unknown or read-only property: ' . get_class($this) . '::' . $name);
}

            
attachBehavior() public method

Defined in: yii\base\Component::attachBehavior()

Attaches a behavior to this component.

This method will create the behavior object based on the given configuration. After that, the behavior object will be attached to this component by calling the yii\base\Behavior::attach() method.

See also detachBehavior().

public yii\base\Behavior attachBehavior ( $name, $behavior )
$name string

The name of the behavior.

$behavior string|array|yii\base\Behavior

The behavior configuration. This can be one of the following:

return yii\base\Behavior

The behavior object

                public function attachBehavior($name, $behavior)
{
    $this->ensureBehaviors();
    return $this->attachBehaviorInternal($name, $behavior);
}

            
attachBehaviors() public method

Defined in: yii\base\Component::attachBehaviors()

Attaches a list of behaviors to the component.

Each behavior is indexed by its name and should be a yii\base\Behavior object, a string specifying the behavior class, or an configuration array for creating the behavior.

See also attachBehavior().

public void attachBehaviors ( $behaviors )
$behaviors array

List of behaviors to be attached to the component

                public function attachBehaviors($behaviors)
{
    $this->ensureBehaviors();
    foreach ($behaviors as $name => $behavior) {
        $this->attachBehaviorInternal($name, $behavior);
    }
}

            
behaviors() public method

Defined in: yii\base\Component::behaviors()

Returns a list of behaviors that this component should behave as.

Child classes may override this method to specify the behaviors they want to behave as.

The return value of this method should be an array of behavior objects or configurations indexed by behavior names. A behavior configuration can be either a string specifying the behavior class or an array of the following structure:

'behaviorName' => [
    'class' => 'BehaviorClass',
    'property1' => 'value1',
    'property2' => 'value2',
]

Note that a behavior class must extend from yii\base\Behavior. Behaviors can be attached using a name or anonymously. When a name is used as the array key, using this name, the behavior can later be retrieved using getBehavior() or be detached using detachBehavior(). Anonymous behaviors can not be retrieved or detached.

Behaviors declared in this method will be attached to the component automatically (on demand).

public array behaviors ( )
return array

The behavior configurations.

                public function behaviors()
{
    return [];
}

            
canGetProperty() public method

Defined in: yii\base\Component::canGetProperty()

Returns a value indicating whether a property can be read.

A property can be read if:

  • the class has a getter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
  • an attached behavior has a readable property of the given name (when $checkBehaviors is true).

See also canSetProperty().

public boolean canGetProperty ( $name, $checkVars true, $checkBehaviors true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

$checkBehaviors boolean

Whether to treat behaviors' properties as properties of this component

return boolean

Whether the property can be read

                public function canGetProperty($name, $checkVars = true, $checkBehaviors = true)
{
    if (method_exists($this, 'get' . $name) || $checkVars && property_exists($this, $name)) {
        return true;
    } elseif ($checkBehaviors) {
        $this->ensureBehaviors();
        foreach ($this->_behaviors as $behavior) {
            if ($behavior->canGetProperty($name, $checkVars)) {
                return true;
            }
        }
    }
    return false;
}

            
canSetProperty() public method

Defined in: yii\base\Component::canSetProperty()

Returns a value indicating whether a property can be set.

A property can be written if:

  • the class has a setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
  • an attached behavior has a writable property of the given name (when $checkBehaviors is true).

See also canGetProperty().

public boolean canSetProperty ( $name, $checkVars true, $checkBehaviors true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

$checkBehaviors boolean

Whether to treat behaviors' properties as properties of this component

return boolean

Whether the property can be written

                public function canSetProperty($name, $checkVars = true, $checkBehaviors = true)
{
    if (method_exists($this, 'set' . $name) || $checkVars && property_exists($this, $name)) {
        return true;
    } elseif ($checkBehaviors) {
        $this->ensureBehaviors();
        foreach ($this->_behaviors as $behavior) {
            if ($behavior->canSetProperty($name, $checkVars)) {
                return true;
            }
        }
    }
    return false;
}

            
className() public static method
Deprecated since 2.0.14. On PHP >=5.5, use ::class instead.

Defined in: yii\base\BaseObject::className()

Returns the fully qualified name of this class.

public static string className ( )
return string

The fully qualified name of this class.

                public static function className()
{
    return get_called_class();
}

            
compareString() public method

Performs string comparison using timing attack resistant approach.

See also https://codereview.stackexchange.com/q/13512.

public boolean compareString ( $expected, $actual )
$expected string

String to compare.

$actual string

User-supplied string.

return boolean

Whether strings are equal.

                public function compareString($expected, $actual)
{
    if (!is_string($expected)) {
        throw new InvalidArgumentException('Expected expected value to be a string, ' . gettype($expected) . ' given.');
    }
    if (!is_string($actual)) {
        throw new InvalidArgumentException('Expected actual value to be a string, ' . gettype($actual) . ' given.');
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $actual);
    }
    $expected .= "\0";
    $actual .= "\0";
    $expectedLength = StringHelper::byteLength($expected);
    $actualLength = StringHelper::byteLength($actual);
    $diff = $expectedLength - $actualLength;
    for ($i = 0; $i < $actualLength; $i++) {
        $diff |= (ord($actual[$i]) ^ ord($expected[$i % $expectedLength]));
    }
    return $diff === 0;
}

            
decrypt() protected method

Decrypts data.

See also encrypt().

protected boolean|string decrypt ( $data, $passwordBased, $secret, $info )
$data string

Encrypted data to be decrypted.

$passwordBased boolean

Set true to use password-based key derivation

$secret string

The decryption password or key

$info string|null

Context/application specific information, @see encrypt()

return boolean|string

The decrypted data or false on authentication failure

throws yii\base\InvalidConfigException

on OpenSSL not loaded

throws yii\base\Exception

on OpenSSL error

                protected function decrypt($data, $passwordBased, $secret, $info)
{
    if (!extension_loaded('openssl')) {
        throw new InvalidConfigException('Encryption requires the OpenSSL PHP extension');
    }
    if (!isset($this->allowedCiphers[$this->cipher][0], $this->allowedCiphers[$this->cipher][1])) {
        throw new InvalidConfigException($this->cipher . ' is not an allowed cipher');
    }
    list($blockSize, $keySize) = $this->allowedCiphers[$this->cipher];
    $keySalt = StringHelper::byteSubstr($data, 0, $keySize);
    if ($passwordBased) {
        $key = $this->pbkdf2($this->kdfHash, $secret, $keySalt, $this->derivationIterations, $keySize);
    } else {
        $key = $this->hkdf($this->kdfHash, $secret, $keySalt, $info, $keySize);
    }
    $authKey = $this->hkdf($this->kdfHash, $key, null, $this->authKeyInfo, $keySize);
    $data = $this->validateData(StringHelper::byteSubstr($data, $keySize, null), $authKey);
    if ($data === false) {
        return false;
    }
    $iv = StringHelper::byteSubstr($data, 0, $blockSize);
    $encrypted = StringHelper::byteSubstr($data, $blockSize, null);
    $decrypted = openssl_decrypt($encrypted, $this->cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($decrypted === false) {
        throw new \yii\base\Exception('OpenSSL failure on decryption: ' . openssl_error_string());
    }
    return $decrypted;
}

            
decryptByKey() public method

Verifies and decrypts data encrypted with encryptByKey().

See also encryptByKey().

public boolean|string decryptByKey ( $data, $inputKey, $info null )
$data string

The encrypted data to decrypt

$inputKey string

The input to use for encryption and authentication

$info string|null

Optional context and application specific information, see hkdf()

return boolean|string

The decrypted data or false on authentication failure

                public function decryptByKey($data, $inputKey, $info = null)
{
    return $this->decrypt($data, false, $inputKey, $info);
}

            
decryptByPassword() public method

Verifies and decrypts data encrypted with encryptByPassword().

See also encryptByPassword().

public boolean|string decryptByPassword ( $data, $password )
$data string

The encrypted data to decrypt

$password string

The password to use for decryption

return boolean|string

The decrypted data or false on authentication failure

                public function decryptByPassword($data, $password)
{
    return $this->decrypt($data, true, $password, null);
}

            
detachBehavior() public method

Defined in: yii\base\Component::detachBehavior()

Detaches a behavior from the component.

The behavior's yii\base\Behavior::detach() method will be invoked.

public yii\base\Behavior|null detachBehavior ( $name )
$name string

The behavior's name.

return yii\base\Behavior|null

The detached behavior. Null if the behavior does not exist.

                public function detachBehavior($name)
{
    $this->ensureBehaviors();
    if (isset($this->_behaviors[$name])) {
        $behavior = $this->_behaviors[$name];
        unset($this->_behaviors[$name]);
        $behavior->detach();
        return $behavior;
    }
    return null;
}

            
detachBehaviors() public method

Defined in: yii\base\Component::detachBehaviors()

Detaches all behaviors from the component.

public void detachBehaviors ( )

                public function detachBehaviors()
{
    $this->ensureBehaviors();
    foreach ($this->_behaviors as $name => $behavior) {
        $this->detachBehavior($name);
    }
}

            
encrypt() protected method

Encrypts data.

See also decrypt().

protected string encrypt ( $data, $passwordBased, $secret, $info )
$data string

Data to be encrypted

$passwordBased boolean

Set true to use password-based key derivation

$secret string

The encryption password or key

$info string|null

Context/application specific information, e.g. a user ID See RFC 5869 Section 3.2 for more details.

return string

The encrypted data as byte string

throws yii\base\InvalidConfigException

on OpenSSL not loaded

throws yii\base\Exception

on OpenSSL error

                protected function encrypt($data, $passwordBased, $secret, $info)
{
    if (!extension_loaded('openssl')) {
        throw new InvalidConfigException('Encryption requires the OpenSSL PHP extension');
    }
    if (!isset($this->allowedCiphers[$this->cipher][0], $this->allowedCiphers[$this->cipher][1])) {
        throw new InvalidConfigException($this->cipher . ' is not an allowed cipher');
    }
    list($blockSize, $keySize) = $this->allowedCiphers[$this->cipher];
    $keySalt = $this->generateRandomKey($keySize);
    if ($passwordBased) {
        $key = $this->pbkdf2($this->kdfHash, $secret, $keySalt, $this->derivationIterations, $keySize);
    } else {
        $key = $this->hkdf($this->kdfHash, $secret, $keySalt, $info, $keySize);
    }
    $iv = $this->generateRandomKey($blockSize);
    $encrypted = openssl_encrypt($data, $this->cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($encrypted === false) {
        throw new \yii\base\Exception('OpenSSL failure on encryption: ' . openssl_error_string());
    }
    $authKey = $this->hkdf($this->kdfHash, $key, null, $this->authKeyInfo, $keySize);
    $hashed = $this->hashData($iv . $encrypted, $authKey);
    /*
     * Output: [keySalt][MAC][IV][ciphertext]
     * - keySalt is KEY_SIZE bytes long
     * - MAC: message authentication code, length same as the output of MAC_HASH
     * - IV: initialization vector, length $blockSize
     */
    return $keySalt . $hashed;
}

            
encryptByKey() public method

Encrypts data using a cryptographic key.

Derives keys for encryption and authentication from the input key using HKDF and a random salt, which is very fast relative to encryptByPassword(). The input key must be properly random -- use generateRandomKey() to generate keys. The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data.

See also:

public string encryptByKey ( $data, $inputKey, $info null )
$data string

The data to encrypt

$inputKey string

The input to use for encryption and authentication

$info string|null

Optional context and application specific information, see hkdf()

return string

The encrypted data as byte string

                public function encryptByKey($data, $inputKey, $info = null)
{
    return $this->encrypt($data, false, $inputKey, $info);
}

            
encryptByPassword() public method

Encrypts data using a password.

Derives keys for encryption and authentication from the password using PBKDF2 and a random salt, which is deliberately slow to protect against dictionary attacks. Use encryptByKey() to encrypt fast using a cryptographic key rather than a password. Key derivation time is determined by $derivationIterations, which should be set as high as possible. The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data. > Note: Avoid encrypting with passwords wherever possible. Nothing can protect against poor-quality or compromised passwords.

See also:

public string encryptByPassword ( $data, $password )
$data string

The data to encrypt

$password string

The password to use for encryption

return string

The encrypted data as byte string

                public function encryptByPassword($data, $password)
{
    return $this->encrypt($data, true, $password, null);
}

            
ensureBehaviors() public method

Defined in: yii\base\Component::ensureBehaviors()

Makes sure that the behaviors declared in behaviors() are attached to this component.

public void ensureBehaviors ( )

                public function ensureBehaviors()
{
    if ($this->_behaviors === null) {
        $this->_behaviors = [];
        foreach ($this->behaviors() as $name => $behavior) {
            $this->attachBehaviorInternal($name, $behavior);
        }
    }
}

            
generatePasswordHash() public method

Generates a secure hash from a password and a random salt.

The generated hash can be stored in database. Later when a password needs to be validated, the hash can be fetched and passed to validatePassword(). For example,

// generates the hash (usually done during user registration or when the password is changed)
$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
// ...save $hash in database...

// during login, validate if the password entered is correct using $hash fetched from database
if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
    // password is good
} else {
    // password is bad
}

See also validatePassword().

public string generatePasswordHash ( $password, $cost null )
$password string

The password to be hashed.

$cost integer|null

Cost parameter used by the Blowfish hash algorithm. The higher the value of cost, the longer it takes to generate the hash and to verify a password against it. Higher cost therefore slows down a brute-force attack. For best protection against brute-force attacks, set it to the highest value that is tolerable on production servers. The time taken to compute the hash doubles for every increment by one of $cost.

return string

The password hash string. When $passwordHashStrategy is set to 'crypt', the output is always 60 ASCII characters, when set to 'password_hash' the output length might increase in future versions of PHP (https://www.php.net/manual/en/function.password-hash.php)

throws yii\base\Exception

on bad password parameter or cost parameter.

                public function generatePasswordHash($password, $cost = null)
{
    if ($cost === null) {
        $cost = $this->passwordHashCost;
    }
    if (function_exists('password_hash')) {
        /* @noinspection PhpUndefinedConstantInspection */
        return password_hash($password, PASSWORD_DEFAULT, ['cost' => $cost]);
    }
    $salt = $this->generateSalt($cost);
    $hash = crypt($password, $salt);
    // strlen() is safe since crypt() returns only ascii
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new Exception('Unknown error occurred while generating hash.');
    }
    return $hash;
}

            
generateRandomKey() public method

Generates specified number of random bytes.

Note that output may not be ASCII.

See also generateRandomString() if you need a string.

public string generateRandomKey ( $length 32 )
$length integer

The number of bytes to generate

return string

The generated random bytes

throws yii\base\InvalidArgumentException

if wrong length is specified

throws yii\base\Exception

on failure.

                public function generateRandomKey($length = 32)
{
    if (!is_int($length)) {
        throw new InvalidArgumentException('First parameter ($length) must be an integer');
    }
    if ($length < 1) {
        throw new InvalidArgumentException('First parameter ($length) must be greater than 0');
    }
    return random_bytes($length);
}

            
generateRandomString() public method

Generates a random string of specified length.

The string generated matches [A-Za-z0-9_-]+ and is transparent to URL-encoding.

public string generateRandomString ( $length 32 )
$length integer

The length of the key in characters

return string

The generated random key

throws yii\base\Exception

on failure.

                public function generateRandomString($length = 32)
{
    if (!is_int($length)) {
        throw new InvalidArgumentException('First parameter ($length) must be an integer');
    }
    if ($length < 1) {
        throw new InvalidArgumentException('First parameter ($length) must be greater than 0');
    }
    $bytes = $this->generateRandomKey($length);
    return substr(StringHelper::base64UrlEncode($bytes), 0, $length);
}

            
generateSalt() protected method

Generates a salt that can be used to generate a password hash.

The PHP crypt() built-in function requires, for the Blowfish hash algorithm, a salt string in a specific format: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".

protected string generateSalt ( $cost 13 )
$cost integer

The cost parameter

return string

The random salt value.

throws yii\base\InvalidArgumentException

if the cost parameter is out of the range of 4 to 31.

                protected function generateSalt($cost = 13)
{
    $cost = (int) $cost;
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('Cost must be between 4 and 31.');
    }
    // Get a 20-byte random string
    $rand = $this->generateRandomKey(20);
    // Form the prefix that specifies Blowfish (bcrypt) algorithm and cost parameter.
    $salt = sprintf('$2y$%02d$', $cost);
    // Append the random salt data in the required base64 format.
    $salt .= str_replace('+', '.', substr(base64_encode($rand), 0, 22));
    return $salt;
}

            
getBehavior() public method

Defined in: yii\base\Component::getBehavior()

Returns the named behavior object.

public yii\base\Behavior|null getBehavior ( $name )
$name string

The behavior name

return yii\base\Behavior|null

The behavior object, or null if the behavior does not exist

                public function getBehavior($name)
{
    $this->ensureBehaviors();
    return isset($this->_behaviors[$name]) ? $this->_behaviors[$name] : null;
}

            
getBehaviors() public method

Defined in: yii\base\Component::getBehaviors()

Returns all behaviors attached to this component.

public yii\base\Behavior[] getBehaviors ( )
return yii\base\Behavior[]

List of behaviors attached to this component

                public function getBehaviors()
{
    $this->ensureBehaviors();
    return $this->_behaviors;
}

            
hasEventHandlers() public method

Defined in: yii\base\Component::hasEventHandlers()

Returns a value indicating whether there is any handler attached to the named event.

public boolean hasEventHandlers ( $name )
$name string

The event name

return boolean

Whether there is any handler attached to the event.

                public function hasEventHandlers($name)
{
    $this->ensureBehaviors();
    if (!empty($this->_events[$name])) {
        return true;
    }
    foreach ($this->_eventWildcards as $wildcard => $handlers) {
        if (!empty($handlers) && StringHelper::matchWildcard($wildcard, $name)) {
            return true;
        }
    }
    return Event::hasHandlers($this, $name);
}

            
hasMethod() public method

Defined in: yii\base\Component::hasMethod()

Returns a value indicating whether a method is defined.

A method is defined if:

  • the class has a method with the specified name
  • an attached behavior has a method with the given name (when $checkBehaviors is true).
public boolean hasMethod ( $name, $checkBehaviors true )
$name string

The property name

$checkBehaviors boolean

Whether to treat behaviors' methods as methods of this component

return boolean

Whether the method is defined

                public function hasMethod($name, $checkBehaviors = true)
{
    if (method_exists($this, $name)) {
        return true;
    } elseif ($checkBehaviors) {
        $this->ensureBehaviors();
        foreach ($this->_behaviors as $behavior) {
            if ($behavior->hasMethod($name)) {
                return true;
            }
        }
    }
    return false;
}

            
hasProperty() public method

Defined in: yii\base\Component::hasProperty()

Returns a value indicating whether a property is defined for this component.

A property is defined if:

  • the class has a getter or setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);
  • an attached behavior has a property of the given name (when $checkBehaviors is true).

See also:

public boolean hasProperty ( $name, $checkVars true, $checkBehaviors true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

$checkBehaviors boolean

Whether to treat behaviors' properties as properties of this component

return boolean

Whether the property is defined

                public function hasProperty($name, $checkVars = true, $checkBehaviors = true)
{
    return $this->canGetProperty($name, $checkVars, $checkBehaviors) || $this->canSetProperty($name, false, $checkBehaviors);
}

            
hashData() public method

Prefixes data with a keyed hash value so that it can later be detected if it is tampered.

There is no need to hash inputs or outputs of encryptByKey() or encryptByPassword() as those methods perform the task.

See also:

public string hashData ( $data, $key, $rawHash false )
$data string

The data to be protected

$key string

The secret key to be used for generating hash. Should be a secure cryptographic key.

$rawHash boolean

Whether the generated hash value is in raw binary format. If false, lowercase hex digits will be generated.

return string

The data prefixed with the keyed hash

throws yii\base\InvalidConfigException

when HMAC generation fails.

                public function hashData($data, $key, $rawHash = false)
{
    $hash = hash_hmac($this->macHash, $data, $key, $rawHash);
    if (!$hash) {
        throw new InvalidConfigException('Failed to generate HMAC with hash algorithm: ' . $this->macHash);
    }
    return $hash . $data;
}

            
hkdf() public method

Derives a key from the given input key using the standard HKDF algorithm.

Implements HKDF specified in RFC 5869. Recommend use one of the SHA-2 hash algorithms: sha224, sha256, sha384 or sha512.

public string hkdf ( $algo, $inputKey, $salt null, $info null, $length 0 )
$algo string

A hash algorithm supported by hash_hmac(), e.g. 'SHA-256'

$inputKey string

The source key

$salt string|null

The random salt

$info string|null

Optional info to bind the derived key material to application- and context-specific information, e.g. a user ID or API version, see RFC 5869

$length integer

Length of the output key in bytes. If 0, the output key is the length of the hash algorithm output.

return string

The derived key

throws yii\base\InvalidArgumentException

when HMAC generation fails.

                public function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0)
{
    if (function_exists('hash_hkdf')) {
        $outputKey = hash_hkdf((string)$algo, (string)$inputKey, $length, (string)$info, (string)$salt);
        if ($outputKey === false) {
            throw new InvalidArgumentException('Invalid parameters to hash_hkdf()');
        }
        return $outputKey;
    }
    $test = @hash_hmac($algo, '', '', true);
    if (!$test) {
        throw new InvalidArgumentException('Failed to generate HMAC with hash algorithm: ' . $algo);
    }
    $hashLength = StringHelper::byteLength($test);
    if (is_string($length) && preg_match('{^\d{1,16}$}', $length)) {
        $length = (int) $length;
    }
    if (!is_int($length) || $length < 0 || $length > 255 * $hashLength) {
        throw new InvalidArgumentException('Invalid length');
    }
    $blocks = $length !== 0 ? ceil($length / $hashLength) : 1;
    if ($salt === null) {
        $salt = str_repeat("\0", $hashLength);
    }
    $prKey = hash_hmac($algo, $inputKey, $salt, true);
    $hmac = '';
    $outputKey = '';
    for ($i = 1; $i <= $blocks; $i++) {
        $hmac = hash_hmac($algo, $hmac . $info . chr($i), $prKey, true);
        $outputKey .= $hmac;
    }
    if ($length !== 0) {
        $outputKey = StringHelper::byteSubstr($outputKey, 0, $length);
    }
    return $outputKey;
}

            
init() public method

Defined in: yii\base\BaseObject::init()

Initializes the object.

This method is invoked at the end of the constructor after the object is initialized with the given configuration.

public void init ( )

                public function init()
{
}

            
maskToken() public method (available since version 2.0.12)

Masks a token to make it uncompressible.

Applies a random mask to the token and prepends the mask used to the result making the string always unique. Used to mitigate BREACH attack by randomizing how token is outputted on each request.

public string maskToken ( $token )
$token string

An unmasked token.

return string

A masked token.

                public function maskToken($token)
{
    // The number of bytes in a mask is always equal to the number of bytes in a token.
    $mask = $this->generateRandomKey(StringHelper::byteLength($token));
    return StringHelper::base64UrlEncode($mask . ($mask ^ $token));
}

            
off() public method

Defined in: yii\base\Component::off()

Detaches an existing event handler from this component.

This method is the opposite of on().

Note: in case wildcard pattern is passed for event name, only the handlers registered with this wildcard will be removed, while handlers registered with plain names matching this wildcard will remain.

See also on().

public boolean off ( $name, $handler null )
$name string

Event name

$handler callable|null

The event handler to be removed. If it is null, all handlers attached to the named event will be removed.

return boolean

If a handler is found and detached

                public function off($name, $handler = null)
{
    $this->ensureBehaviors();
    if (empty($this->_events[$name]) && empty($this->_eventWildcards[$name])) {
        return false;
    }
    if ($handler === null) {
        unset($this->_events[$name], $this->_eventWildcards[$name]);
        return true;
    }
    $removed = false;
    // plain event names
    if (isset($this->_events[$name])) {
        foreach ($this->_events[$name] as $i => $event) {
            if ($event[0] === $handler) {
                unset($this->_events[$name][$i]);
                $removed = true;
            }
        }
        if ($removed) {
            $this->_events[$name] = array_values($this->_events[$name]);
            return true;
        }
    }
    // wildcard event names
    if (isset($this->_eventWildcards[$name])) {
        foreach ($this->_eventWildcards[$name] as $i => $event) {
            if ($event[0] === $handler) {
                unset($this->_eventWildcards[$name][$i]);
                $removed = true;
            }
        }
        if ($removed) {
            $this->_eventWildcards[$name] = array_values($this->_eventWildcards[$name]);
            // remove empty wildcards to save future redundant regex checks:
            if (empty($this->_eventWildcards[$name])) {
                unset($this->_eventWildcards[$name]);
            }
        }
    }
    return $removed;
}

            
on() public method

Defined in: yii\base\Component::on()

Attaches an event handler to an event.

The event handler must be a valid PHP callback. The following are some examples:

function ($event) { ... }         // anonymous function
[$object, 'handleClick']          // $object->handleClick()
['Page', 'handleClick']           // Page::handleClick()
'handleClick'                     // global function handleClick()

The event handler must be defined with the following signature,

function ($event)

where $event is an yii\base\Event object which includes parameters associated with the event.

Since 2.0.14 you can specify event name as a wildcard pattern:

$component->on('event.group.*', function ($event) {
    Yii::trace($event->name . ' is triggered.');
});

See also off().

public void on ( $name, $handler, $data null, $append true )
$name string

The event name

$handler callable

The event handler

$data mixed

The data to be passed to the event handler when the event is triggered. When the event handler is invoked, this data can be accessed via yii\base\Event::$data.

$append boolean

Whether to append new event handler to the end of the existing handler list. If false, the new handler will be inserted at the beginning of the existing handler list.

                public function on($name, $handler, $data = null, $append = true)
{
    $this->ensureBehaviors();
    if (strpos($name, '*') !== false) {
        if ($append || empty($this->_eventWildcards[$name])) {
            $this->_eventWildcards[$name][] = [$handler, $data];
        } else {
            array_unshift($this->_eventWildcards[$name], [$handler, $data]);
        }
        return;
    }
    if ($append || empty($this->_events[$name])) {
        $this->_events[$name][] = [$handler, $data];
    } else {
        array_unshift($this->_events[$name], [$handler, $data]);
    }
}

            
pbkdf2() public method

Derives a key from the given password using the standard PBKDF2 algorithm.

Implements HKDF2 specified in RFC 2898 Recommend use one of the SHA-2 hash algorithms: sha224, sha256, sha384 or sha512.

public string pbkdf2 ( $algo, $password, $salt, $iterations, $length 0 )
$algo string

A hash algorithm supported by hash_hmac(), e.g. 'SHA-256'

$password string

The source password

$salt string

The random salt

$iterations integer

The number of iterations of the hash algorithm. Set as high as possible to hinder dictionary password attacks.

$length integer

Length of the output key in bytes. If 0, the output key is the length of the hash algorithm output.

return string

The derived key

throws yii\base\InvalidArgumentException

when hash generation fails due to invalid params given.

                public function pbkdf2($algo, $password, $salt, $iterations, $length = 0)
{
    if (function_exists('hash_pbkdf2') && PHP_VERSION_ID >= 50500) {
        $outputKey = hash_pbkdf2($algo, $password, $salt, $iterations, $length, true);
        if ($outputKey === false) {
            throw new InvalidArgumentException('Invalid parameters to hash_pbkdf2()');
        }
        return $outputKey;
    }
    // todo: is there a nice way to reduce the code repetition in hkdf() and pbkdf2()?
    $test = @hash_hmac($algo, '', '', true);
    if (!$test) {
        throw new InvalidArgumentException('Failed to generate HMAC with hash algorithm: ' . $algo);
    }
    if (is_string($iterations) && preg_match('{^\d{1,16}$}', $iterations)) {
        $iterations = (int) $iterations;
    }
    if (!is_int($iterations) || $iterations < 1) {
        throw new InvalidArgumentException('Invalid iterations');
    }
    if (is_string($length) && preg_match('{^\d{1,16}$}', $length)) {
        $length = (int) $length;
    }
    if (!is_int($length) || $length < 0) {
        throw new InvalidArgumentException('Invalid length');
    }
    $hashLength = StringHelper::byteLength($test);
    $blocks = $length !== 0 ? ceil($length / $hashLength) : 1;
    $outputKey = '';
    for ($j = 1; $j <= $blocks; $j++) {
        $hmac = hash_hmac($algo, $salt . pack('N', $j), $password, true);
        $xorsum = $hmac;
        for ($i = 1; $i < $iterations; $i++) {
            $hmac = hash_hmac($algo, $hmac, $password, true);
            $xorsum ^= $hmac;
        }
        $outputKey .= $xorsum;
    }
    if ($length !== 0) {
        $outputKey = StringHelper::byteSubstr($outputKey, 0, $length);
    }
    return $outputKey;
}

            
shouldUseLibreSSL() protected method (available since version 2.0.36)

protected boolean shouldUseLibreSSL ( )
return boolean

If LibreSSL should be used Use version is 2.1.5 or higher.

                protected function shouldUseLibreSSL()
{
    if ($this->_useLibreSSL === null) {
        // Parse OPENSSL_VERSION_TEXT because OPENSSL_VERSION_NUMBER is no use for LibreSSL.
        // https://bugs.php.net/bug.php?id=71143
        $this->_useLibreSSL = defined('OPENSSL_VERSION_TEXT')
            && preg_match('{^LibreSSL (\d\d?)\.(\d\d?)\.(\d\d?)$}', OPENSSL_VERSION_TEXT, $matches)
            && (10000 * $matches[1]) + (100 * $matches[2]) + $matches[3] >= 20105;
    }
    return $this->_useLibreSSL;
}

            
trigger() public method

Defined in: yii\base\Component::trigger()

Triggers an event.

This method represents the happening of an event. It invokes all attached handlers for the event including class-level handlers.

public void trigger ( $name, yii\base\Event $event null )
$name string

The event name

$event yii\base\Event|null

The event instance. If not set, a default yii\base\Event object will be created.

                public function trigger($name, Event $event = null)
{
    $this->ensureBehaviors();
    $eventHandlers = [];
    foreach ($this->_eventWildcards as $wildcard => $handlers) {
        if (StringHelper::matchWildcard($wildcard, $name)) {
            $eventHandlers[] = $handlers;
        }
    }
    if (!empty($this->_events[$name])) {
        $eventHandlers[] = $this->_events[$name];
    }
    if (!empty($eventHandlers)) {
        $eventHandlers = call_user_func_array('array_merge', $eventHandlers);
        if ($event === null) {
            $event = new Event();
        }
        if ($event->sender === null) {
            $event->sender = $this;
        }
        $event->handled = false;
        $event->name = $name;
        foreach ($eventHandlers as $handler) {
            $event->data = $handler[1];
            call_user_func($handler[0], $event);
            // stop further handling if the event is handled
            if ($event->handled) {
                return;
            }
        }
    }
    // invoke class-level attached handlers
    Event::trigger($this, $name, $event);
}

            
unmaskToken() public method (available since version 2.0.12)

Unmasks a token previously masked by maskToken.

public string unmaskToken ( $maskedToken )
$maskedToken string

A masked token.

return string

An unmasked token, or an empty string in case of token format is invalid.

                public function unmaskToken($maskedToken)
{
    $decoded = StringHelper::base64UrlDecode($maskedToken);
    $length = StringHelper::byteLength($decoded) / 2;
    // Check if the masked token has an even length.
    if (!is_int($length)) {
        return '';
    }
    return StringHelper::byteSubstr($decoded, $length, $length) ^ StringHelper::byteSubstr($decoded, 0, $length);
}

            
validateData() public method

Validates if the given data is tampered.

See also hashData().

public string|false validateData ( $data, $key, $rawHash false )
$data string

The data to be validated. The data must be previously generated by hashData().

$key string

The secret key that was previously used to generate the hash for the data in hashData(). function to see the supported hashing algorithms on your system. This must be the same as the value passed to hashData() when generating the hash for the data.

$rawHash boolean

This should take the same value as when you generate the data using hashData(). It indicates whether the hash value in the data is in binary format. If false, it means the hash value consists of lowercase hex digits only. hex digits will be generated.

return string|false

The real data with the hash stripped off. False if the data is tampered.

throws yii\base\InvalidConfigException

when HMAC generation fails.

                public function validateData($data, $key, $rawHash = false)
{
    $test = @hash_hmac($this->macHash, '', '', $rawHash);
    if (!$test) {
        throw new InvalidConfigException('Failed to generate HMAC with hash algorithm: ' . $this->macHash);
    }
    $hashLength = StringHelper::byteLength($test);
    if (StringHelper::byteLength($data) >= $hashLength) {
        $hash = StringHelper::byteSubstr($data, 0, $hashLength);
        $pureData = StringHelper::byteSubstr($data, $hashLength, null);
        $calculatedHash = hash_hmac($this->macHash, $pureData, $key, $rawHash);
        if ($this->compareString($hash, $calculatedHash)) {
            return $pureData;
        }
    }
    return false;
}

            
validatePassword() public method

Verifies a password against a hash.

See also generatePasswordHash().

public boolean validatePassword ( $password, $hash )
$password string

The password to verify.

$hash string

The hash to verify the password against.

return boolean

Whether the password is correct.

throws yii\base\InvalidArgumentException

on bad password/hash parameters or if crypt() with Blowfish hash is not available.

                public function validatePassword($password, $hash)
{
    if (!is_string($password) || $password === '') {
        throw new InvalidArgumentException('Password must be a string and cannot be empty.');
    }
    if (!preg_match('/^\$2[axy]\$(\d\d)\$[\.\/0-9A-Za-z]{22}/', $hash, $matches)
        || $matches[1] < 4
        || $matches[1] > 30
    ) {
        throw new InvalidArgumentException('Hash is invalid.');
    }
    if (function_exists('password_verify')) {
        return password_verify($password, $hash);
    }
    $test = crypt($password, $hash);
    $n = strlen($test);
    if ($n !== 60) {
        return false;
    }
    return $this->compareString($test, $hash);
}