auth.php

I have some questions about authorization and security…

If I want to get the current logged-in username… how do I do it in a secure way?

because I don't get it… it looks like Yii auth uses cookies…

for example

    Cookie:

    PHPSESSID: '1jsvugjgp4grtq5advaqmgn005'

    f185a41e9706d817cff5ba66a50bfa4e: 'd03c4a132b406dcad261ad09224df787cdd6d1e3a:4:{i:0;s:1:"1";i:1;s:13:"administrator";i:2;i:2592000;i:3;a:2:{s:8:"username";s:13:"administrator";s:5:"group";N;}}'



but how can I be sure that someone doesn't change his own username via the cookie?

When I wrote it all manually it was very simple… I used sessions, I knew it was secure… but now I'm really not sure what is happening behind the scenes…

Also the auto login via cookie is really scary…

Especially I would be happy to see an example for

    When a user successfully logs in by filling out a login form, we generate and store a random key in both the cookie state and in persistent storage on server side (e.g. database).

    Upon a subsequent request, when the user authentication is being done via the cookie information, we compare the two copies of this random key and ensure a match before logging in the user.

    If the user logs in via the login form again, the key needs to be re-generated.



from http://www.yiiframework.com/doc/guide/1.1/en/topics.auth

Don't get how it works

    protected function beforeLogin($id, $states, $fromCookie)
    {
        //$this->logout();
        //exit;

        // debug: record which user id reaches beforeLogin
        // (the '/' is needed, dirname() returns no trailing slash)
        file_put_contents(dirname(__FILE__) . '/zz.php', $id);

        return false;
    }

this allows me to log in even if I return false

How are you saving the user name after successful login?

Are you using session instead of cookie?

I don't do anything manually…

I use UserIdentity

and I first saved the username in setState

but if it's saved in a cookie, I'm not sure it's secure

for this I need beforeLogin…

every time people write about it, but there is no real example of usage

I think I'm starting to figure it out, beforeLogin should be used in MyWU that extends CWebUser…

But I don't know how to handle "return false" in the CWebUser
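An added example (not from this thread or the Yii project) of the random-key scheme quoted from the guide above, and of where "return false" takes effect: UserIdentity issues the key on a form login, and a CWebUser subclass checks it on a cookie login. It assumes a `user` table with columns `id`, `username`, `password_hash` and `auto_login_key`, and that the app config registers the subclass as `'user' => array('class' => 'MyWebUser', 'allowAutoLogin' => true)`.

```php
<?php
// Added example, not from the thread or from Yii itself. Assumes a `user` table with
// columns id, username, password_hash, auto_login_key and that MyWebUser is configured
// as the application's `user` component with allowAutoLogin enabled.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $row = Yii::app()->db->createCommand('SELECT id, password_hash FROM user WHERE username=:u')
            ->bindValue(':u', $this->username)->queryRow();
        if ($row === false) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $row['password_hash'])) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $row['id'];
            // Form login succeeded: generate a fresh random key, keep one copy server-side...
            $key = bin2hex(openssl_random_pseudo_bytes(16));
            Yii::app()->db->createCommand('UPDATE user SET auto_login_key=:k WHERE id=:id')
                ->bindValue(':k', $key)->bindValue(':id', $this->_id)->execute();
            // ...and one in the persistent states, which CWebUser::login() copies into the
            // signed auto-login cookie (the a:2:{...} part of the cookie shown in the question).
            // Every form login runs this again, so the key is regenerated as the guide requires.
            $this->setState('autoLoginKey', $key);
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId() { return $this->_id; }
}

class MyWebUser extends CWebUser
{
    // Called by CWebUser::login() (form, $fromCookie=false) and by restoreFromCookie()
    // (cookie, $fromCookie=true). Returning false makes both skip changeIdentity(), so the
    // visitor remains a guest; the subclass must be the configured `user` component to be called.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // the password was just verified by UserIdentity::authenticate()
        }
        $cookieKey = isset($states['autoLoginKey']) ? (string)$states['autoLoginKey'] : '';
        $dbKey = Yii::app()->db->createCommand('SELECT auto_login_key FROM user WHERE id=:id')
            ->bindValue(':id', $id)->queryScalar();
        if ($cookieKey === '' || $dbKey === false || $dbKey === null || !hash_equals((string)$dbKey, $cookieKey)) {
            Yii::log("Cookie login rejected for user id $id: key mismatch", CLogger::LEVEL_WARNING, 'auth');
            return false;
        }
        return true;
    }
}
```

Yii already signs the auto-login cookie with CSecurityManager (the 40-character prefix before the serialized data in the cookie above), so a cookie whose username was edited fails validation before beforeLogin runs; the key check adds the server-side copy that lets you revoke a cookie by changing the stored key.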