what does this mean?

weina67 · December 20, 2011, 4:47pm

In the documentaiton it says:

In addition, for any serious Web applications, we recommend using the following strategy to enhance the security of cookie-based login.

When a user successfully logs in by filling out a login form, we generate and store a random key in both the cookie state and in persistent storage on server side (e.g. database).

Upon a subsequent request, when the user authentication is being done via the cookie information, we compare the two copies of this random key and ensure a match before logging in the user.

If the user logs in via the login form again, the key needs to be re-generated.

By using the above strategy, we eliminate the possibility that a user may re-use an old state cookie which may contain outdated state information.

To implement the above strategy, we need to override the following two methods:

CUserIdentity::authenticate(): this is where the real authentication is performed. If the user is authenticated, we should re-generate a new random key, and store it in the database as well as in the identity states via CBaseUserIdentity::setState.

CWebUser::beforeLogin(): this is called when a user is being logged in. We should check if the key obtained from the state cookie is the same as the one from the database.

Why are we including the check in the CWebUser::beforeLogin? Isn’t the new key just stored in the states at login?

What I am doing is the following:

in CUserIdentity::authenticate() I store a random key in the COOKIE and also in the database. Then I log in the USER.

every time the user checks a page on the site, I compare the random key IN THE COOKIE with that found in the database for that user ID. If there is no match, I logout the user. If there is a match, the user is able to access the page.

This is resource intensive though. Is there a better way to make sure Cookies are not faked or manipulated?

Why would we do the matching of keys in CWebUser::beforeLogin()? that makes no sense.