I have some difficulties understanding the way the login process needs to work.
My first question is about the authenticate() method.
Let's say I have something like:
public function authenticate()
{
    // pseudocode: $row is the user record matching $this->username whose
    // stored hash matches the supplied password, or null if there is none
    $row = null; // 'ROW data from database'
    if ($row === null)
    {
        // errorCode is an integer constant in CBaseUserIdentity, not a message string
        $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
    }
    else
    {
        $this->_id = $row->user_id;    // returned by getId()
        $this->_name = $row->username; // returned by getName()
        $this->errorCode = self::ERROR_NONE;
    }
    return !$this->errorCode;
}
Now, I know that $this->_id = 'Something' and $this->_name = 'Something' will be used by getId() and getName() to set the state for later use in Yii::app()->user.
But if I want to add more data here, what's the correct approach? It is very confusing, because I can do something like:
$this->setState($key, $value);           // inside UserIdentity
// OR
Yii::app()->user->setState($key, $value); // CWebUser::setState()
// OR
Yii::app()->session->add($key, $value);   // CHttpSession::add()
// and I believe that even $_SESSION[$key] = $value; will work.
I do understand that using $this->setState() will prefix the data with a private key and that using Yii::app()->session->add() will not prefix the data with the private key.
So why is that? When should I use one and when should I use the other?
Now, have in mind the following situation:
I have a shopping cart (no I don't, but just to show the idea), I use the database to store the sessions and I have auto login set to true because I want my customers not to lose their cart contents.
If I use Yii::app()->user->setState() it will be a problem, because the data will be copied into the cookie as well and the cookie size is limited. If I use Yii::app()->session I can store as much as I want, but what happens if the user has 100 items in the cart, then he closes his browser and comes back after a few days? He is logged in automatically, but the cart content is gone, right? So how can I avoid this?
Finally, I know that cookie auto login is not too safe, but I also saw in the user guide:
LINK HERE
In addition, for any serious Web applications, we recommend using the following strategy to enhance the security of cookie-based login.
* When a user successfully logs in by filling out a login form, we generate and store a random key in both the cookie state and in persistent storage on server side (e.g. database).
* Upon a subsequent request, when the user authentication is being done via the cookie information, we compare the two copies of this random key and ensure a match before logging in the user.
* If the user logs in via the login form again, the key needs to be re-generated.
By using the above strategy, we eliminate the possibility that a user may re-use an old state cookie which may contain outdated state information.
To implement the above strategy, we need to override the following two methods:
* CUserIdentity::authenticate(): this is where the real authentication is performed. If the user is authenticated, we should re-generate a new random key, and store it in the database as well as in the identity states via CBaseUserIdentity::setState.
* CWebUser::beforeLogin(): this is called when a user is being logged in. We should check if the key obtained from the state cookie is the same as the one from the database.
Has somebody tried this? If so, explaining a bit how to do it would be great, because I really don't get it.
Again, I am confused by phrases like:
When he says cookie state and persistent storage, what does he mean?
I believe that it is something like Yii::app()->user->setState('xyz', 'secret token'), because a copy of the token is added to the cookie as well, am I right?
Another thing is:
Again, because I cannot understand the above lines, I can't find a solution here.
I mean, yes, I extend CWebUser and override beforeLogin and I use the new class
<?php
class MyCWebUser extends CWebUser
{
    // Yii calls this as beforeLogin($id, $states, $fromCookie);
    // $fromCookie is true when the login comes from the auto-login cookie
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if ($fromCookie)
        {
            $cookieToken = 'from where do I retrieve this?';
            $persistentToken = 'what about this?';
            return $cookieToken === $persistentToken;
        }
        return true;
    }
}
But further than that I have no clue, so any idea would be great at this point.
Thanks in advance
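One way to implement the strategy quoted from the guide, as an added example that is not from the original post, the Yii guide or the Yii code base. It assumes a hypothetical `User` ActiveRecord model with columns `id`, `username`, `password_hash` and `auth_key` (all names are assumptions), Yii 1.1.14 or later for `CPasswordHelper` and `CSecurityManager::generateRandomString()`, and PHP 5.6 or later for `hash_equals()`. The "cookie state" is whatever you pass to `$this->setState()` inside the identity; CWebUser serializes those states into the HMAC-signed identity cookie when `allowAutoLogin` is true and hands them back to `beforeLogin()` as `$states` on a cookie login. The "persistent storage" is the `auth_key` column.

```php
<?php
// Added example: token-checked auto-login for Yii 1.1 (not the original poster's code).
// Assumed User model columns: id, username, password_hash, auth_key.

class UserIdentity extends CUserIdentity
{
    // Name of the identity state that carries the random token into the cookie.
    const STATE_AUTH_KEY = 'authKey';

    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));

        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            // A fresh token on every form login: every previously issued
            // auto-login cookie for this account stops matching the database.
            $token = Yii::app()->getSecurityManager()->generateRandomString(32);
            $user->saveAttributes(array('auth_key' => $token)); // persistent copy (database)

            $this->_id = $user->id;
            $this->setState(self::STATE_AUTH_KEY, $token);      // cookie copy (identity state)
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    // CUserIdentity::getId() returns the username by default; use the database id instead.
    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    // Called both from CWebUser::login() (form login, $fromCookie === false) and from
    // the auto-login path, where $states was read back from the identity cookie.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // form login: authenticate() has just stored a fresh token
        }

        $cookieToken = isset($states[UserIdentity::STATE_AUTH_KEY])
            ? $states[UserIdentity::STATE_AUTH_KEY]
            : null;
        $user = User::model()->findByPk($id);

        // No token in the cookie, unknown user, or token revoked server-side: refuse the login.
        if ($cookieToken === null || $user === null || $user->auth_key === null) {
            return false;
        }

        // Constant-time comparison of the cookie copy against the database copy.
        return hash_equals((string) $user->auth_key, (string) $cookieToken);
    }
}

/*
 * Wiring (protected/config/main.php), assumed layout:
 *
 * 'components' => array(
 *     'user' => array(
 *         'class'          => 'WebUser',
 *         'allowAutoLogin' => true,
 *     ),
 * ),
 *
 * Login form, after $identity->authenticate() succeeds:
 *
 * Yii::app()->user->login($identity, 3600 * 24 * 30); // 30-day auto-login cookie
 */
```

Two consequences of this design worth knowing: because the token is regenerated on every form login, logging in from a second browser invalidates the auto-login cookie in the first one (that is the guide's intent), and setting `auth_key` to NULL for a user logs that user out of every remembered browser on their next request. For the shopping cart in the question this also shows why cart contents do not belong in the identity states: anything passed to `setState()` in the identity ends up in the cookie, so per-user data that must survive a session expiry belongs in a database table keyed by the user id, loaded after login, not in the session or the cookie.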