Larry Ullman's Book Forums

Sessions And Cookie-Based Authentication


Hi all!


I've followed the authentication tutorials here, but I wonder if Yii has a workaround for using both cookies and sessions for authentication. I want to allow use of the "remember me" button, but still save the roles, emails and such in sessions for security.


According to the Yii manual, CBaseUserIdentity::setState will use cookies if it's enabled, and use sessions if it's set to false.


I'm thinking about a solution where you save a sha1($username $password) in the cookie, and make a method that gathers the other information in an auto-load-if-logged-in sort of way, but I'm not sure how secure it is, and if it might put too much unnecessary stress on the DB server.


Anyone made anything like that work, or has any idea?


Edit: tags turned out wrong, can't seem to edit them. "authentication" is spelled wrong, and also stuck together with the cookies tag.


First, you absolutely should not store any representation of the username and password in a cookie. That's a very bad idea, security-wise. Second, by default Yii uses sessions for storing data and uses a cookie to store the session ID.


But if you're worried about the session data not being maintained, then you could/should store it in a database and use a unique identifier that would be stored in the cookie. So you're on the right track, but just don't use the user's meaningful values (let alone the login values) in a cookie.

