saniko Posted December 1, 2013

Larry, You mentioned that by adding the remember me/auto-login option, all user information gets saved to a cookie instead of a session. I loved reading about the security concern but wasn't sure about what to do with the risk. I was planning on using Yii::app()->session instead of Yii::app()->user->setState until I read the following thread on the Yii forum: http://www.yiiframework.com/forum/index.php/topic/11858-security-implications-with-cwebuser/page__st__20 Based on this thread, anything using setState is not stored in a cookie even if auto login is true. Can you check and confirm this? If it is true, then it would be nice for your next update. Right now, I'm sure there are readers like me who panic about storing data in the user state when they really want to use the cookie-based login option. Thanks! -saniko
saniko Posted December 2, 2013

I've been sifting through the code and it seems very strange. It looks like when you setState during authentication with UserIdentity, it saves to a cookie. However, Yii::app()->user->setState is different! Larry, I know you will be working on the documentation for this stuff. They could really use your help here! Hopefully in Yii 2 they will clarify what gets stored in a cookie and what does not. Yii::app()->user->setState does not. I think it's a good idea to use that function during login to securely store information in sessions rather than have any setState in UserIdentity. I love this framework but there are places where they use the same terms for different ideas and blow my mind in a bad, bad way. I kept autologin=true, but here is how I get user data into the session in LoginForm.php and avoid the dreaded cookie:

    public function login()
    {
        if ($this->_identity === null) {
            $this->_identity = new UserIdentity($this->email_address, $this->password);
            $this->_identity->authenticate();
        }
        if ($this->_identity->errorCode === UserIdentity::ERROR_NONE) {
            // A non-zero duration (with allowAutoLogin on) writes the auto-login cookie
            $duration = $this->rememberMe ? 3600*24*7 : 0; // 7 days
            Yii::app()->user->login($this->_identity, $duration);
            // State set here after login() goes into the session only, not into the cookie
            $member = Member::model()->findByAttributes(array('email_address' => strtolower($this->email_address)));
            Yii::app()->user->setState('last_login_date', $member->last_login_date);
            Yii::app()->user->setState('id', $member->id);
            $member->updateByPk(Yii::app()->user->id, array('last_login_date' => new CDbExpression('UTC_TIMESTAMP()')));
            return true;
        } else {
            return false;
        }
    }
Larry Posted December 12, 2013

Sorry for the delayed reply. Do you still need help with this?
saniko Posted December 13, 2013

Larry, Not really. A suggestion here might be to include a note in future editions of the book that says that anything set in the authenticate method of the UserIdentity class gets stored in a cookie. However, if the items are saved to user state after authentication (which is the only real purpose of the autologin cookie), then they are not stored in a cookie. For example, if I save items to the user via Yii::app()->user->setState('last_login_date', $model->field); during a login method of the LoginForm class, I still maintain the convenience of the autologin cookie but also the security of not saving information like the primary key etc. into the cookie. Take care, -saniko
saniko Posted December 22, 2013

After a lot of testing, I realized that I had a few more things wrong. Here is a summary of what to consider:

The only way to save things to the auto-login cookie is by using setState in the UserIdentity authenticate method - using $this->setState('value', $valuetosave);

The auto-login cookie saves the state of the user being authenticated. It does NOT require that they go in to any other controller/action but remembers that they have logged in. This means that the system remembers nothing but the information you saved in the cookie and the fact that you have logged in.

So this leaves you with a problem. You don't want to save sensitive information in the cookie, but you do want to ensure that there is information about an authenticated user at all times. Here was my solution. I saved one user-specific piece of information about the user into the cookie. After that, I added the following item into the base controller in protected/components/Controller.php:

    public function init()
    {
        parent::init();
        // Runs on every request; rebuilds session state when the user came back via the auto-login cookie
        if (!Yii::app()->user->isGuest && !Yii::app()->user->hasState('valuecriticalforuser')) {
            // load all needed information about user based on user-specific piece of information in autologin cookie
            // save that information into the user state including the 'valuecriticalforuser' state
        }
    }

There you go! There are probably other ways to do this too, but I like this one.
Larry Posted December 27, 2013

Kudos for figuring all that out and thanks for sharing what you've learned!
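The split the thread above works out (identity states set with $this->setState() inside UserIdentity::authenticate() go into the session and, when a duration is given, into the auto-login cookie; states set with Yii::app()->user->setState() after login stay in the session only) follows from CWebUser::saveToCookie(), which serializes getId(), getName(), the duration and the identity states and appends an HMAC via CSecurityManager::hashData(). The cookie is therefore tamper-evident but fully readable by the client, and a copied cookie is accepted until it expires. The following is an added example written for this page; it is not code from the posts, from Larry's book or from the Yii project. It assumes a Yii 1.1 application on PHP 5.6 or later, a Member ActiveRecord with the (assumed) columns id, email_address, password_hash, auto_login_token and last_login_date, and a 'user' component configured as array('class' => 'WebUser', 'allowAutoLogin' => true). Instead of the base-controller init() from the post, it rebuilds session state in the CWebUser::afterLogin($fromCookie) hook, which Yii calls both after a form login and after restoring a user from the cookie, and it adds a database check of the cookie's token so old cookies can be revoked.

```php
<?php
// Added example (not from the original posts). Assumes Yii 1.1, PHP >= 5.6,
// and a Member model with columns id, email_address, password_hash,
// auto_login_token, last_login_date (all assumed names).

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $member = Member::model()->findByAttributes(
            array('email_address' => strtolower($this->username))
        );
        if ($member === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $member->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $member->id;
            // The ONLY identity state, hence the only application data that
            // CWebUser::saveToCookie() copies into the auto-login cookie:
            // a random per-member token that can be regenerated to revoke cookies.
            $this->setState('auto_login_token', $member->auto_login_token);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId()
    {
        // getId() and getName() are serialized into the cookie as well,
        // so whatever is returned here is visible to the client.
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    // Yii calls this after CWebUser::login() ($fromCookie === false) and after
    // CWebUser::init() restores a user from the auto-login cookie (true).
    protected function afterLogin($fromCookie)
    {
        parent::afterLogin($fromCookie);
        $member = Member::model()->findByPk($this->id);

        // Re-validate the cookie's token against the database: the cookie is
        // HMAC-protected, but a stolen copy is otherwise valid until it expires.
        // Regenerating auto_login_token in the database invalidates it.
        if ($member === null
            || ($fromCookie && !hash_equals((string) $member->auto_login_token,
                                            (string) $this->getState('auto_login_token')))) {
            $this->logout();
            return;
        }

        // Session-only state: set with CWebUser::setState() after login, it is
        // never written to the cookie and is rebuilt here on every cookie restore.
        $this->setState('last_login_date', $member->last_login_date);
        $this->setState('email_address', $member->email_address);

        if (!$fromCookie) {
            $member->updateByPk($member->id, array(
                'last_login_date' => new CDbExpression('UTC_TIMESTAMP()'),
            ));
        }
    }
}
```

With this layout the cookie carries the member id, the name, the duration and one opaque token; everything else lives in the session and is recreated from the database whenever the cookie logs the user back in. Rotating auto_login_token (for example on password change or a "sign out everywhere" action) makes every outstanding remember-me cookie fail the hash_equals check and drop back to guest.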