Larry Ullman's Book Forums

Sessions And Cookie-Based Authentication


Solid


Hi all!

 

I've followed the authentication tutorials here, but I wonder if Yii has a workaround for using both cookies and sessions for authentication. I want to allow use of the "remember me" button, but still save the roles, emails and such in sessions for security.

 

According to the Yii manual, CBaseUserIdentity::setState will use cookies if it's enabled, and use sessions if it's set to false.

 

I'm thinking about a solution where you save a sha1($username $password) in the cookie, and make a method that gathers the other information in an auto-load-if-logged-in sort of way, but I'm not sure how secure it is, and if it might put too much unnecessary stress on the DB server.

 

Anyone made anything like that work, or has any idea?

 

Edit: tags turned out wrong, can't seem to edit them. Authentication spelled wrong, and also stuck together with the cookies tag.


First, you absolutely should not store any representation of the username and password in a cookie. That's a very bad idea, security-wise. Second, by default Yii uses sessions for storing data and uses a cookie to store the session ID.

 

But if you're worried about the session data not being maintained, then you could/should store it in a database and use a unique identifier that would be stored in the cookie. So you're on the right track, but just don't use the user's meaningful values (let alone the login values) in a cookie.

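The following is an added example, not code from this thread and not part of Yii itself, showing the design the reply describes in place of the sha1(username + password) cookie proposed in the question: the cookie carries only an opaque random identifier, the database stores a hash of it, and the user's roles and email are loaded into the session once the cookie has been verified. The table name, cookie name, 30-day lifetime and in-memory SQLite database are all assumptions made for the example.

```php
<?php
// Added example (not from the forum thread or from Yii): a "remember me" cookie
// that holds an opaque random token. Only a hash of the token is stored in the
// database, and nothing derived from the username or password is ever put in
// the cookie, so neither a stolen cookie nor a leaked table reveals credentials.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';   // cookie name (assumed)
const TOKEN_LIFETIME  = 30 * 24 * 3600;  // 30 days, in seconds (assumed)

// Constructed in-memory SQLite database standing in for the site's real DB.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Issue a persistent-login token for $userId and return the cookie value.
// The cookie holds "selector:validator"; only sha256(validator) is stored, so a
// leaked database row cannot be replayed as a cookie.
function issueRememberToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, 256 bits of entropy
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (:s, :h, :u, :e)');
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $validator),
        ':u' => $userId,
        ':e' => time() + TOKEN_LIFETIME,
    ]);
    return $selector . ':' . $validator;
}

// Resolve a cookie value to a user id, or null if it is missing, malformed,
// expired, or does not match. The hash comparison is constant-time.
function userIdFromRememberCookie(PDO $db, ?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at
                          FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        // Selector matched but validator did not: treat the token as compromised
        // and revoke it rather than leave it usable.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = :s')
           ->execute([':s' => $selector]);
        return null;
    }
    return (int)$row['user_id'];
}

// On each request: if the session is empty, try the cookie, then load roles,
// email and so on into the session so later requests do not hit the database.
function restoreSession(PDO $db, array &$session, ?string $cookie): bool {
    if (isset($session['user_id'])) {
        return true;
    }
    $userId = userIdFromRememberCookie($db, $cookie);
    if ($userId === null) {
        return false;
    }
    $session['user_id'] = $userId;
    // Constructed stand-in for the real user lookup (roles, email, ...).
    $session['roles'] = ['member'];
    $session['email'] = 'user' . $userId . '@example.com';
    return true;
}

// --- demonstration from the command line ---
$db = openDb();
$cookie = issueRememberToken($db, 42);
// In a web request the cookie would be sent with:
// setcookie(REMEMBER_COOKIE, $cookie, ['expires' => time() + TOKEN_LIFETIME,
//           'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$session = [];
echo 'valid cookie restores session: ', var_export(restoreSession($db, $session, $cookie), true), PHP_EOL;
echo 'session roles: ', implode(',', $session['roles']), PHP_EOL;
$other = [];
echo 'forged cookie restores session: ', var_export(restoreSession($db, $other, 'deadbeef:bogus'), true), PHP_EOL;
```

The selector/validator split keeps the database lookup on an indexed column while the secret half is only ever compared through hash_equals, and the session is populated once per login rather than on every request, which addresses the question's concern about load on the database server. Logging out, or a password change, should delete the user's rows from remember_tokens so old cookies stop working.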
