Solid 0 Posted December 10, 2012

Hi all! I've followed the authentication tutorials here, but I wonder if Yii has a workaround for using both cookies and sessions for authentication. I want to allow use of the "remember me" button, but still save the roles, emails and such in sessions for security.

According to the yii-manual the CBaseUserIdentity::setState will use cookies if it's enabled, and use sessions if it's set to false. I'm thinking about a solution where you save a sha1($username $password) in the cookie, and make a method that gathers the other information in an auto-load-if-logged-in sort of way, but I'm not sure how secure it is, and if it might put too much unnecessary stress on the DB-server.

Anyone made anything like that work, or has any idea?

Edit: tags turned out wrong, can't seem to edit them. authentication spelled wrong, and also stuck together with cookies tag.

Larry 429 Posted December 10, 2012

First, you absolutely should not store any representation of the username and password in a cookie. That's a very bad idea, security-wise.

Second, by default Yii uses sessions for storing data and uses a cookie to store the session ID. But if you're worried about the session data not being maintained, then you could/should store it in a database and use a unique identifier that would be stored in the cookie. So you're on the right track, but just don't use the user's meaningful values (let alone the login values) in a cookie.
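
The approach described in the reply above (a random identifier in the cookie, everything meaningful kept server-side), as an added example that is not part of the original thread and is not Yii's own code. It is plain PHP 7.1+ with PDO; the `remember_token` table, the `issueToken`/`redeemToken` functions and the user id are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example: remember-me via a random token; names and schema are hypothetical.
// Sample data is constructed. An in-memory SQLite table stands in for the real DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_token (
    selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Issue a token at login: the cookie value carries no username, password or role.
function issueToken(PDO $db, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, stored only as a hash
    $stmt = $db->prepare('INSERT INTO remember_token VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Validate a cookie value; on success return [userId, freshCookie], else null.
function redeemToken(PDO $db, string $cookie): ?array
{
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                           // malformed input never reaches the DB
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_token WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Single use: the row is deleted whether or not the validator matches.
    $db->prepare('DELETE FROM remember_token WHERE selector = ?')->execute([$m[1]]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $m[2]))
        && (int) $row['expires'] >= time();
    return $ok ? [(int) $row['user_id'], issueToken($db, (int) $row['user_id'])] : null;
}

$cookie = issueToken($db, 42);                 // constructed user id
[$uid, $next] = redeemToken($db, $cookie);     // first use succeeds and rotates
var_dump($uid === 42, redeemToken($db, $cookie) === null); // replay of old value fails
// After a successful redeem, load roles/email from the DB into $_SESSION server-side,
// and send $next with setcookie(..., ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
```

The database is queried only when a visitor arrives with no live session but a remember-me cookie, so the extra load is one indexed lookup per returning browser rather than one per request.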