Sessions And Cookie-Based Authentication

[Solid 0]

Hi all!

 

I've followed the authentication tutorials here, but i wonder if Yii has a workaround for using both cookies and sessions for authentication. I want to allow use of the "remember me" button, but still save the roles, emails and such in sessions for security.

 

Acording to the yii-manual the CBaseUserIdentity::setState will use cookies if its enabled, and use sessions if its set to false.

 

Im thinking about a solution where you save a sha1($username $password) in the cookie, and make a method that gathers the other information in a auto-load-if-logged-in sort of way, but im not sure how secure it is, and if it might put to much unnessesary stress on the DB-server.

 

Anyone made anything like that work, or has any idea?

 

Edit: tags turned out wrong, cant seem to edit them. authentication spelled wrong, and also stuck together with cookies tag.

[Larry 428]

First, you absolutely should not store any representation of the username and password in a cookie. That's a very bad idea, security wise. Second, by default Yii uses sessions for storing data and uses a cookie to store the session ID.

 

But if you're worried about the session data not being maintained, then you could/should store it in a database and use a unique identifier that would be stored in the cookie. So you're on the right track, but just don't use the user's meaningful values (let alone the login values) in a cookie.