Yii Framework Forum: Cookie-based auth and data storage - Yii Framework Forum

#1 ORey (Elite Member, Group: Members; Posts: 1,701; Joined: 20-April 09; Location: Moscow, Russia)

Posted 20 April 2009 - 02:45 PM

Hi. I'm new to Yii and have some newbie questions.

I want users to stay logged in for a long time, so I enabled allowAutoLogin in the config. But as the docs say, this causes all session data to be stored in cookies, right? What if I want to store a large piece of data in the session?
Is there a way to enable auto-login but store data in PHP session files?

The docs also warn about storing sensitive data in cookies. How about storing the user's group id (for example, 'admin')? Is there a way a user can modify his own cookies, thus changing his group or ID? Is there some protecting algorithm for cookies?

How can I force certain users to log out (for example, if an administrator wants to disable or delete them)?

Thanks in advance.
0

#2 will (Standard Member, Group: Members; Posts: 179; Joined: 21-March 09)

Posted 20 April 2009 - 04:09 PM

In this case you should use CHttpSession, which uses server-side session handling; you can override it to support customized session storage, like a DB.
0

#3 qiang (Yii Project Lead, Group: Yii Dev Team; Posts: 5,901; Joined: 04-October 08; Location: DC, USA)

Posted 20 April 2009 - 04:12 PM

When you enable cookie-based login, only the information you store as "states" in the user identity will be stored in the cookie. Other session data remains in session storage (on the server side).

The login cookie is protected from being modified by end users. If it is modified, it will be treated as invalid. However, end users can still read the contents of the cookie. That's why it is warned that you should not put sensitive data (e.g. a password) in the cookie.

0

#4 ORey (Elite Member, Group: Members; Posts: 1,701; Joined: 20-April 09; Location: Moscow, Russia)

Posted 22 April 2009 - 09:43 AM

Thanks a lot!
Here's another question, though.

I want to use some data from the DB during the user's authentication, for example:
- check if the user still exists in the DB
- check if the user is not disabled
- store some DB data in the user's PHP session.

It can be easily done in UserIdentity::authenticate(), but if the autologin feature is on, CWebUser::restoreFromCookie() is used instead of the form login routine.

It seems to me I need to extend the CWebUser class, right? But I'm not sure which function I should extend. changeIdentity?

What's the best way?
0

#5 qiang (Yii Project Lead, Group: Yii Dev Team; Posts: 5,901; Joined: 04-October 08; Location: DC, USA)

Posted 22 April 2009 - 09:48 AM

Yes, you need to override restoreFromCookie.
0

#6 ORey (Elite Member, Group: Members; Posts: 1,701; Joined: 20-April 09; Location: Moscow, Russia)

Posted 22 April 2009 - 10:51 AM

Thanks again!

Now I've added one function to UserIdentity:

    public function authenticateByCookie()
    {
        // The identity is constructed with the id from the cookie as its
        // "username", so look the user up by id. A deleted or disabled
        // account returns no row and is reported as an unknown identity.
        $user = User::model()->findByAttributes(array(
            'id' => $this->username,
            'is_disabled' => 0,
        ));

        if ($user === null) {
            $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
        } else {
            $this->_id = $user->id;
            $this->errorCode = self::ERROR_NONE;
            $this->afterAuth($user); // here we post-process user's data
        }

        return !$this->errorCode;
    }

and extended CWebUser like this:

    class WebUser extends CWebUser
    {
        protected function restoreFromCookie()
        {
            $app = Yii::app();
            $cookie = $app->getRequest()->getCookies()->itemAt($this->getStateKeyPrefix());

            // The cookie is only unserialized after the security manager has
            // verified its hash, so a modified cookie never reaches
            // unserialize() or the DB lookup below.
            if ($cookie && !empty($cookie->value)
                && ($data = $app->getSecurityManager()->validateData($cookie->value)) !== false) {
                $data = unserialize($data);

                if (isset($data[0], $data[1], $data[2])) {
                    list($id, $name, $states) = $data;

                    // Re-check the account in the DB before accepting the identity.
                    $identity = new UserIdentity($id, '');
                    $identity->authenticateByCookie();

                    switch ($identity->errorCode) {
                        case UserIdentity::ERROR_NONE:
                            $this->changeIdentity($id, $name, $states);
                            break;
                        default:
                            # maybe I should call logout() here too
                            throw new CHttpException(401, Yii::t('yii', 'Unknown Identity'));
                            break;
                    }
                }
            }
        }
    }

Everything is working now!
Just want to know if I'm wrong somewhere, or if there's a better way.

0
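The following is an added, framework-free example written for this page; it is not code from the thread and not Yii's own implementation. It re-creates the two points discussed above: the readable-but-tamper-proof login cookie from post #3, and the "re-check the user row on cookie restore" logic from post #6, which is also what logs out an account an administrator has disabled or deleted. Assumptions: the MAC layout (tag prepended to the serialized payload, as in the security manager's hashData()/validateData()) is mirrored, but the algorithm here is HMAC-SHA256, not whatever Yii uses internally; the key, the user table and the cookie values are constructed sample data; the is_disabled column follows the poster's schema, and the group column is hypothetical.

```php
<?php
// Added example, not code from the thread or from Yii. Key, user table and
// cookies are constructed; HMAC-SHA256 stands in for Yii's own hashing.

const VALIDATION_KEY = 'constructed-example-key-do-not-reuse';
const MAC_LEN = 64; // hex length of an HMAC-SHA256 tag

/** Prepend an HMAC over the payload (the hashData() layout). */
function hashData(string $data, string $key): string
{
    return hash_hmac('sha256', $data, $key) . $data;
}

/** Split tag and payload, recompute the tag; payload on success, false otherwise (validateData()). */
function validateData(string $signed, string $key)
{
    if (strlen($signed) < MAC_LEN) {
        return false;
    }
    $tag  = substr($signed, 0, MAC_LEN);
    $data = substr($signed, MAC_LEN);
    return hash_equals(hash_hmac('sha256', $data, $key), $tag) ? $data : false;
}

/** The auto-login cookie value: [id, name, states], serialized and then signed. */
function buildLoginCookie(int $id, string $name, array $states, string $key): string
{
    return hashData(serialize(array($id, $name, $states)), $key);
}

/** What anyone holding the cookie sees without the key: the plain payload. */
function peekCookie(string $cookie): string
{
    return substr($cookie, MAC_LEN);
}

/**
 * Mirror of the restoreFromCookie() override: validate first, unserialize only
 * a verified payload, then re-check the account. Authorization data (the group)
 * is taken fresh from the user row rather than from the cookie's snapshot.
 * Returns the identity to log in, or null for "stay a guest and drop the cookie".
 */
function restoreFromCookie(?string $cookie, string $key, array $users): ?array
{
    if ($cookie === null || $cookie === '') {
        return null;
    }
    $payload = validateData($cookie, $key);
    if ($payload === false) {
        return null;                               // modified or foreign cookie
    }
    $data = @unserialize($payload, array('allowed_classes' => false));
    if (!is_array($data) || !isset($data[0], $data[1], $data[2])) {
        return null;
    }
    list($id, $name, $states) = $data;
    $user = $users[$id] ?? null;                   // the "SELECT ... WHERE id = ?" step
    if ($user === null || $user['is_disabled']) {
        return null;                               // deleted or disabled: forced logout
    }
    $states['group'] = $user['group'];             // never trust the cookie for this
    return array('id' => $user['id'], 'name' => $name, 'states' => $states);
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Constructed stand-in for the users table.
$users = array(
    1 => array('id' => 1, 'name' => 'alice', 'group' => 'user',  'is_disabled' => 0),
    2 => array('id' => 2, 'name' => 'bob',   'group' => 'admin', 'is_disabled' => 0),
    3 => array('id' => 3, 'name' => 'carol', 'group' => 'user',  'is_disabled' => 1),
);
$key = VALIDATION_KEY;

$alice = buildLoginCookie(1, 'alice', array('group' => 'user'), $key);
echo 'payload readable without the key: ', peekCookie($alice), "\n";

// Rewriting the serialized group from "user" to "admin" keeps the serialization
// well-formed (the length prefix is adjusted too), but the tag no longer matches.
$forged = str_replace('s:4:"user"', 's:5:"admin"', $alice);
check($forged !== $alice && validateData($forged, $key) === false, 'modified cookie rejected');
check(validateData($alice, $key) !== false, 'untouched cookie accepted');

check(restoreFromCookie($alice, $key, $users)['states']['group'] === 'user', 'alice restored as user');
$carol = buildLoginCookie(3, 'carol', array('group' => 'user'), $key);
check(restoreFromCookie($carol, $key, $users) === null, 'disabled account not restored');
check(restoreFromCookie(buildLoginCookie(9, 'ghost', array(), $key), $key, $users) === null,
      'deleted account not restored');

// An administrator disables alice: her still-valid cookie stops working.
$users[1]['is_disabled'] = 1;
check(restoreFromCookie($alice, $key, $users) === null, 'alice logged out after being disabled');
```

Run it with `php` on the command line; every line should start with `ok`. Two practitioner notes on how this differs from the posted override: a rejected cookie here simply yields a guest, whereas the posted code throws a 401, which means a browser holding a stale cookie for a deleted account fails on every request until the cookie is cleared (the poster's own `# maybe I should call logout() here too` comment points at the same thing). And because restoreFromCookie() only runs when no server-side session identifies the user, disabling an account in the DB does not end a session that is already open; a user with a live session keeps it until it expires unless the same check is also made on ordinary requests.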

#7 qiang (Yii Project Lead, Group: Yii Dev Team; Posts: 5,901; Joined: 04-October 08; Location: DC, USA)

Posted 22 April 2009 - 11:38 AM

Looks good to me.
0
