a warning to those using Yii's built-in remember me login feature

The other day there was a bug going around on my client's website, but I couldn't figure out how to reproduce it. It turned out that Yii's default remember-me feature stores all session data (user "states") in a cookie. On my website, there was a whole lot of data stored in the session. So, when a user pressed "remember me" when logging on, all of it was stored in a cookie. Apache didn't like the large cookie and started giving strange errors at strange times.

So learn from my mistake: if you are storing lots of data in the session states, override CWebUser's restoreFromCookie() and saveToCookie().

Also, Yii's default implementation of restoreFromCookie() obviously does not authenticate the user against the database.

I recommend having it store just the user id and hashed password in the cookie. Then it can authenticate those values and store the rest of the data back in the session when the user comes back to the site.

Are you sure? CWebUser only stores the states from the user identity in the cookie, not all session data.

Yes, you may need to override restoreFromCookie() if you want to authenticate against the database. The default implementation uses an HMAC to protect the cookie data from being modified on the client side (and thus prevents ID forgery).
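The override the first post recommends (write only what is needed to re-authenticate, then check the database when the user comes back), combined with the HMAC protection described in the reply above, as an added example. This is not code from the thread or from Yii itself. It assumes Yii 1.1's CWebUser and CSecurityManager API (createIdentityCookie(), hashData(), validateData(), changeIdentity(), beforeLogin()/afterLogin()) and a hypothetical User ActiveRecord with id, username, role and auth_key columns. It deliberately stores a random per-user secret (auth_key) rather than the password hash the post suggests, so a stolen cookie reveals nothing about the password and rotating the secret revokes old cookies; otherwise it follows the post's plan.

```php
<?php
// Added example (not code from the original thread or from Yii itself).
// Assumes Yii 1.1's CWebUser / CSecurityManager API and a hypothetical
// `User` ActiveRecord with `id`, `username`, `role` and `auth_key` columns,
// where auth_key is a random per-user secret regenerated on password change.
class WebUser extends CWebUser
{
    // Write only id, name, duration and the per-user secret to the cookie.
    // Identity states are NOT serialized here; they stay in the server-side
    // session, so the cookie stays small no matter how many states are set.
    protected function saveToCookie($duration)
    {
        $user = User::model()->findByPk($this->getId());
        if ($user === null) {
            return;
        }
        $cookie = $this->createIdentityCookie($this->getStateKeyPrefix());
        $cookie->expire = time() + $duration;
        $data = array($user->id, $user->username, $duration, $user->auth_key);
        // hashData() appends an HMAC keyed with validationKey, so the client
        // cannot change the id or the secret without invalidating the cookie.
        $cookie->value = Yii::app()->getSecurityManager()->hashData(serialize($data));
        Yii::app()->getRequest()->getCookies()->add($cookie->name, $cookie);
    }

    // Verify the HMAC, then re-check the user against the database before
    // logging them in and rebuilding their states from the database row.
    protected function restoreFromCookie()
    {
        $app = Yii::app();
        $cookie = $app->getRequest()->getCookies()->itemAt($this->getStateKeyPrefix());
        if ($cookie === null || !is_string($cookie->value) || $cookie->value === '') {
            return;
        }
        // validateData() returns false when the HMAC does not match.
        $payload = $app->getSecurityManager()->validateData($cookie->value);
        if ($payload === false) {
            return;
        }
        $data = @unserialize($payload);
        if (!is_array($data) || count($data) !== 4) {
            return;
        }
        list($id, $name, $duration, $authKey) = $data;

        // Database check: the account must still exist and its secret must
        // still match. Rotating auth_key (password change, "log out everywhere")
        // therefore revokes every outstanding remember-me cookie. A plain
        // comparison is enough because the HMAC already stops an attacker
        // from submitting attacker-chosen values.
        $user = User::model()->findByPk($id);
        if ($user === null || (string)$user->auth_key !== (string)$authKey) {
            return;
        }

        // Rebuild the bulky session states from the database instead of the
        // cookie (hypothetical column; adapt to whatever the app keeps there).
        $states = array('role' => $user->role);

        if ($this->beforeLogin($id, $states, true)) {
            $this->changeIdentity($id, $name, $states);
            if ($this->autoRenewCookie) {
                $this->saveToCookie($duration);
            }
            $this->afterLogin(true);
        }
    }
}
```

To use it, point the `user` component at this class in the application config (`'user' => array('class' => 'WebUser', 'allowAutoLogin' => true)`) and set `validationKey` on the `securityManager` component explicitly, so the HMAC key is the same on every server that may read the cookie. The extra database lookup runs once per request that is authenticated from the cookie, which is the price of being able to revoke cookies server-side.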

Ah, only the data in the states. The problem could still happen, though. I'm not saying anything is wrong with the way Yii does this; I just wanted to warn people, because it took me four days to figure out what was going wrong with my site after I set it to store a whole lot of data in the user states.

Good to know it uses an HMAC, too.