Larry Ullman's Book Forums

Question Regarding Autologin And Saving Things To User With Setstate


saniko


Larry,

 

You mentioned that by adding the remember me/ auto login option, all user information gets saved to a cookie instead of a session. I loved reading about the security concern but wasn't sure about what to do with the risk. I was planning on using Yii::app()->session instead of Yii::app()->user->setState until I read the following thread on the Yii forum:

http://www.yiiframework.com/forum/index.php/topic/11858-security-implications-with-cwebuser/page__st__20

 

Based on this thread, anything using setState is not stored in a cookie even if auto login is true. Can you check and confirm this? If it is true, then it would be nice for your next update. Right now, I'm sure there are readers like me who panic about storing data in the user state when they really want to use the cookie based login option.

 

Thanks!

-saniko


I've been sifting through the code and it seems very strange. It looks like when you setState during authentication with UserIdentity, it saves to a cookie. However, Yii::app()->user->setState is different!

 

Larry, I know you will be working on the documentation for this stuff. They could really use your help here! Hopefully in Yii 2 they will clarify what gets stored in a cookie and what does not. Yii::app()->user->setState does not. I think it's a good idea to use that function during login to securely store information in sessions rather than have any setState in UserIdentity.

 

I love this framework but there are places where they use the same terms for different ideas and blow my mind in a bad, bad way.

 

I kept autologin=true, but here is how I get user data into the session in LoginForm.php and avoid the dreaded cookie:

 

    public function login()
    {
        if($this->_identity===null)
        {
            $this->_identity=new UserIdentity($this->email_address,$this->password);
            $this->_identity->authenticate();
        }
        if($this->_identity->errorCode===UserIdentity::ERROR_NONE)
        {
            $duration=$this->rememberMe ? 3600*24*7 : 0; // 7 days
            // login() writes the autologin cookie when $duration>0; only identity states end up in it
            Yii::app()->user->login($this->_identity,$duration);
            $member=Member::model()->findByAttributes(array('email_address'=>strtolower($this->email_address)));
            // These states are written to the PHP session only, never to the autologin cookie
            Yii::app()->user->setState('last_login_date', $member->last_login_date);
            Yii::app()->user->setState('id',$member->id);
            $member->updateByPk(Yii::app()->user->id, array('last_login_date'=>new CDbExpression('UTC_TIMESTAMP()')));
            return true;
        }
        else
            return false;
    }

  • 2 weeks later...

Larry,

 

Not really. A suggestion here might be to include a note in future editions of the book that says that anything set in the authenticate method of the UserIdentity class gets stored in a cookie.

 

However, if the items are saved to user state after authentication (which is the only real purpose of the autologin cookie), then they are not stored in a cookie.  For example, if I save items to the user via Yii::app()->user->setState('last_login_date', $model->field); during a login method of the LoginForm class, I still maintain the convenience of the autologin cookie but also the security of not saving information like the primary key etc. into the cookie.

 

Take care,

-saniko


  • 2 weeks later...

After a lot of testing, I realized that I had a few more things wrong.  Here is a summary of what to consider:

  • The only way to save things to the auto-login cookie is by using setState in the UserIdentity authenticate method - using $this->setState('value', $valuetosave);
  • The auto-login cookie saves the state of the user being authenticated.  It DOES not require that they go in to any other controller/action but remembers that they have logged in.  This means that the system remembers nothing but the information you saved in the cookie and the fact that you have logged in

So this leaves you with a problem.  You don't want to save sensitive information in the cookie, but you do want to ensure that there is information about an authenticated user at all times. 

 

Here was my solution.  I saved one user-specific piece of information about the user into the cookie.  After that, I added the following item into the base controller in protected/components/Controller.php:

    public function init() {
        parent::init();
        // After an autologin the session is fresh: only __id/__name and the identity
        // states saved in the cookie are present, so reload the rest once per session
        if (!Yii::app()->user->isGuest && Yii::app()->user->getState('valuecriticalforuser') === null)
        {
            // load all needed information about user based on user-specific piece of information in autologin cookie
            // save that information into the user state including the 'valuecriticalforuser' state
        }
    }
 
There you go!  There are probably other ways to do this too, but I like this one.
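The approach above carried through as a complete example (added here, not saniko's or the book's code): a UserIdentity that keeps identity states empty so nothing but the id reaches the autologin cookie, and a base Controller whose init() rebuilds the session-only state from the database. It assumes a Member model with id, email_address and last_login_date columns and a validatePassword() helper on it.

```php
<?php
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $member = Member::model()->findByAttributes(
            array('email_address' => strtolower($this->username)));
        if ($member === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!$member->validatePassword($this->password)) { // assumed helper
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $member->id;
            // No $this->setState() here on purpose: CWebUser serializes identity
            // states into the autologin cookie, which is HMAC-signed but readable.
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id; // stored as __id in the session and in the cookie
    }
}

class Controller extends CController
{
    public function init()
    {
        parent::init();
        $user = Yii::app()->user;
        // A user restored from the autologin cookie has a fresh session, so the
        // states set in LoginForm::login() are missing; rebuild them once.
        if (!$user->isGuest && $user->getState('profile_loaded') === null) {
            $member = Member::model()->findByPk($user->id);
            if ($member === null) {
                $user->logout(); // cookie refers to an account that no longer exists
                return;
            }
            $user->setState('last_login_date', $member->last_login_date);
            $user->setState('profile_loaded', true);
        }
    }
}
```

The 'profile_loaded' marker lives in the session only, so it is absent exactly when the autologin cookie (rather than LoginForm::login()) created the session.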

