autologin security

AutoLogin always sounds scary to me :unsure:

The measures I take to ensure that all is OK:

  1. I have a token that I put in the DB, save hashed in the state, and check it.

  2. I also check that the IP hasn't changed and that the user_agent hasn't changed.

Does this make it secure?

http://www.yiiframework.com/doc/guide/1.1/en/topics.security

It would definitely benefit from cookie validation. :)

Just know that you might run into trouble working against localhost - set up a virtual host then.


'enableCookieValidation'=>true,

will validate all cookies… but how can I control it?

I don’t want to validate all the cookies… just the login one :rolleyes:
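The scheme described in the first post (a random autologin token, its hash kept server-side and checked on every return) together with per-cookie signing, as an added example that is not part of this thread and not Yii code: a framework-independent Python sketch. The server secret, the in-memory `autologin_table`, and the function names `issue_cookie` / `restore_from_cookie` are constructed for illustration. It HMAC-signs only the login cookie (which is the "validate just this one cookie" control asked about above, done by hand), binds the stored record to a hash of the User-Agent rather than to the client IP, which changes for mobile and NAT users, and makes each token single-use so a stolen cookie is only good until the legitimate browser next uses it.

```python
"""Remember-me ("autologin") cookie sketch; constructed example, not Yii code.

Design:
  * The cookie carries a random token; the server stores only SHA-256(token),
    so a dump of the table does not yield usable cookies.
  * The cookie value is HMAC-signed with a server secret. A forged or edited
    cookie fails the signature check before any database lookup happens.
  * Each record carries an expiry and the hash of the issuing User-Agent.
  * Tokens are single-use: a successful restore revokes the presented token
    and issues a fresh one, so a replayed (stolen) cookie is rejected.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: in a real deployment this comes from configuration, not source.
SERVER_SECRET = b"constructed-secret-for-the-example-only"
COOKIE_LIFETIME = 30 * 24 * 3600  # seconds

# Constructed stand-in for the autologin DB table: sha256(token) -> record
autologin_table: Dict[str, dict] = {}


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def sign(value: str) -> str:
    """Prefix the cookie value with an HMAC so tampering is detectable."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{value}"


def verify_signature(cookie: str) -> Optional[str]:
    """Return the unsigned value, or None if the HMAC does not match."""
    mac, sep, value = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return value


def issue_cookie(user_id: int, user_agent: str, now: Optional[float] = None) -> str:
    """Create a new autologin token, store its hash, return the signed cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    autologin_table[_hash(token)] = {
        "user_id": user_id,
        "ua_hash": _hash(user_agent),
        "expires": now + COOKIE_LIFETIME,
    }
    return sign(f"{user_id}:{token}")


def restore_from_cookie(
    cookie: str, user_agent: str, now: Optional[float] = None
) -> Optional[Tuple[int, str]]:
    """Validate an autologin cookie.

    Returns (user_id, fresh_cookie) on success, None on any failure.
    """
    now = time.time() if now is None else now
    value = verify_signature(cookie)
    if value is None:
        return None  # forged or tampered; no DB access performed
    user_id_str, sep, token = value.partition(":")
    if not sep:
        return None
    key = _hash(token)
    record = autologin_table.get(key)
    if record is None or str(record["user_id"]) != user_id_str:
        return None  # unknown, already-used, or revoked token
    if now > record["expires"]:
        del autologin_table[key]  # expired: clean up and refuse
        return None
    if not hmac.compare_digest(record["ua_hash"], _hash(user_agent)):
        return None  # cookie presented from a different browser
    # Single use: revoke the presented token and rotate to a fresh one.
    del autologin_table[key]
    return record["user_id"], issue_cookie(record["user_id"], user_agent, now)
```

The same split applies to a Yii 1.1 application: the framework's own identity cookie written by CWebUser is passed through CSecurityManager::hashData(), while `enableCookieValidation` additionally signs every cookie the application reads through CHttpRequest; if only one cookie needs protection, signing and checking that cookie by hand as above is the finer-grained alternative.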