Allow autoLogin and security

I need to implement 2 features:

  1. Allow users to log in automatically

  2. Restrict users to sending no more than 10 "tell a friend" messages.

I was using setState()/getState() for that. But that is insecure: one can substitute the tafNum variable in the cookie and spam. What can be done here? Where is it better to store such variables?

Additional question - how to control the session length? Is it possible to control max length and max inactivity length?

Information stored using setState() cannot be modified by users. If they do, the modification will be detected and the cookie will be invalidated.

Please refer to PHP doc for session-related configuration.

Just for reference for those who want to control session length:



Didn't want to start a new post on that, and saw the last comment here about the CHttpSession's timeout property, which is what I need.

I'm trying to change session timeout from default (1440) to let's say 86400.

The server runs on Linux and hosts multiple sites, so I also need to change the session save path to 'my path' to prevent the default, shorter gc from removing my session.

The only way I've managed to do that is by setting

php_admin_value session.gc_maxlifetime 86400

php_admin_value session.save_path /tmp/mysite

When I tried to change CHttpSession object properties it didn't give any results, the session object was changed only within the current request, and after redirect the session properties were still default (1440, /tmp).

Does anyone know what I forgot or did wrong?



P.S. The code I used was in the LoginForm authenticate handler function:



Just needed to alter the lifetime of the session in my Yii app as well and saw this old thread. For what it's worth, I've written a blog post on session lifetime configuration in PHP that is still relevant. I recommend reading it, as it summarizes pretty much everything one needs to know to fully and securely command one's PHP web app session lifetime. Here's the post.
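
Added example, not code from any poster in this thread or from Yii: session.gc_maxlifetime only controls when stored session data becomes eligible for garbage collection, so a maximum session length and a maximum inactivity length are enforced reliably by keeping timestamps in the session and checking them on every request. The sketch uses plain PHP session functions; the function name, the session key names and the 1800-second idle limit are assumptions.

```php
<?php
// Added example. The limits and the session key names are assumptions.
const MAX_AGE_SECONDS  = 86400; // absolute lifetime (the 86400 used in the thread)
const MAX_IDLE_SECONDS = 1800;  // inactivity limit (assumed value)

/**
 * Decide whether a session may continue.
 * $data is the session array ($_SESSION in production); $now is a Unix time.
 * Returns false when the session must be destroyed and the user re-authenticated.
 */
function sessionStillValid(array &$data, int $now): bool
{
    if (!isset($data['created_at'], $data['last_seen_at'])) {
        // New session: record both timestamps on the server side.
        $data['created_at'] = $now;
        $data['last_seen_at'] = $now;
        return true;
    }
    if ($now - $data['created_at'] > MAX_AGE_SECONDS) {
        return false; // too old, no matter how active
    }
    if ($now - $data['last_seen_at'] > MAX_IDLE_SECONDS) {
        return false; // idle for too long
    }
    $data['last_seen_at'] = $now; // activity extends only the idle window
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed timeline, so the check can be exercised offline.
    $session = array();
    $t0 = 1700000000;
    $steps = array('first request' => 0, '10 min later' => 600,
                   '45 min after that' => 3300);
    foreach ($steps as $label => $offset) {
        $ok = sessionStillValid($session, $t0 + $offset);
        echo $label, ': ', $ok ? 'valid' : 'expired', PHP_EOL;
    }
} else {
    // In a web request: run the check before any application logic.
    session_start();
    if (!sessionStillValid($_SESSION, time())) {
        $_SESSION = array();
        session_destroy();
    }
}
```

Because both timestamps live in server-side session data, a client cannot extend either window by editing a cookie.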