I have some questions about authorization and security…
If I want to get the current logged-in username… how do I do it in a secure way?
because I don't get it… it looks like Yii auth uses cookies…
for example
Cookie:
PHPSESSID: '1jsvugjgp4grtq5advaqmgn005'
f185a41e9706d817cff5ba66a50bfa4e: 'd03c4a132b406dcad261ad09224df787cdd6d1e3a:4:{i:0;s:1:"1";i:1;s:13:"administrator";i:2;i:2592000;i:3;a:2:{s:8:"username";s:13:"administrator";s:5:"group";N;}}'
but how can I be sure that someone doesn't change his own username via the cookie?
When I wrote it all manually it was very simple… I used sessions, I knew it was secure… but now I'm really not sure what is happening behind the scenes…
Also the auto-login via cookie is really scary…
Especially, I would be happy to see an example for
When a user successfully logs in by filling out a login form, we generate and store a random key in both the cookie state and in persistent storage on server side (e.g. database).
Upon a subsequent request, when the user authentication is being done via the cookie information, we compare the two copies of this random key and ensure a match before logging in the user.
If the user logs in via the login form again, the key needs to be re-generated.
from http://www.yiiframework.com/doc/guide/1.1/en/topics.auth
I don't get how this works:
protected function beforeLogin($id, $states, $fromCookie)
{
    //$this->logout();
    //exit;
    // debug: record the id being logged in (dirname() has no trailing slash, so a separator is needed)
    file_put_contents(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'zz.php', $id);
    return false;
}
This allows me to log in even if I return false.
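The three-step scheme quoted from the guide, as an added example (not code from the original post or from Yii itself): a CWebUser subclass that mints the random key on a form login, checks it on a cookie login, and invalidates it on logout. It assumes an ActiveRecord model `User` with a nullable `cookie_key` column whose primary key is what the identity's getId() returns, that this class is registered as the `user` application component (otherwise its beforeLogin() is never called), and PHP >= 7 for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the original post or from Yii): the guide's random-key check
// for cookie login. Assumes a `User` ActiveRecord with a nullable `cookie_key` column,
// this class registered as the `user` application component, and PHP >= 7.
class WebUser extends CWebUser
{
    // Form login: mint a fresh key BEFORE parent::login() so it travels with the
    // identity's persistent states into both the session and the identity cookie.
    public function login($identity, $duration = 0)
    {
        $user = User::model()->findByPk($identity->getId());
        if ($user === null) { return false; }
        $user->cookie_key = bin2hex(random_bytes(32)); // 256-bit key, server-side copy
        $user->save(false);
        $identity->setState('cookie_key', $user->cookie_key); // copy carried by the cookie
        return parent::login($identity, $duration);
    }
    // Called for form logins and cookie auto-logins alike; returning false cancels the login.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!parent::beforeLogin($id, $states, $fromCookie)) { return false; }
        if (!$fromCookie) { return true; } // the identity class already verified the password
        // Cookie login: $states were deserialized from the client's cookie (the username
        // in the question's cookie is one of them), so never trust them on their own.
        $cookieKey = isset($states['cookie_key']) ? (string) $states['cookie_key'] : '';
        $user = User::model()->findByPk($id);
        if ($user === null || $user->cookie_key === null || $cookieKey === '') { return false; }
        // Constant-time comparison of the cookie's copy against the server-side copy.
        return hash_equals((string) $user->cookie_key, $cookieKey);
    }
    // Logout: drop the server-side copy so an old cookie can no longer auto-login.
    protected function beforeLogout()
    {
        if (!parent::beforeLogout()) { return false; }
        $user = User::model()->findByPk($this->id);
        if ($user !== null) {
            $user->cookie_key = null;
            $user->save(false);
        }
        return true;
    }
}
```

Note that the 40 hex characters in front of `a:4:{…}` in the cookie quoted above are the HMAC that CSecurityManager::hashData() prepends when CWebUser saves the identity cookie, which is what stops the serialized username from being edited without the validation key; the random key adds protection for the separate case of an unmodified cookie being copied from the user's browser.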