I’ve taken on the task of converting an existing project to the Yii framework. Although I’ve been only using it for a week, I like Yii a lot. Symfony is the other framework I’ve tried, and it seemed too complicated for what I needed to do (also: YAML is annoying.) The Gii tool and Yii’s integration with jQuery finally sold me on the idea of converting this existing (though unpolished) project from pure php/jQuery over to Yii.
With that said, I wanted to throw out a few questions. Please forgive me if they have very obvious answers.
(1) The existing project (EP for short) defined two kinds of authenticated users – limited and unlimited. Along with user names and passwords, the user table in the database contains a boolean flag for whether a user is limited or not.
To implement this in Yii, I constructed a static function in my user model which returns all the unlimited users in the database in an array. Then, in my controller rules, for actions that only unlimited users can perform, I specify: ‘users’ => tblUser::getUnlimitedUsers.
For actions that both limited and unlimited users can perform, I simply specify ‘users’ => array(’@’), because both limited and unlimited users will be authenticated against the database (that code is already written and works wonderfully, but I need to have different user levels.)
My question is: is this a safe, effective way of distinguishing between my two classes of authenticated users? Or should I turn to a more Yii-centric approach, whatever that means?
(2) In the EP, I use the database for session management. All session vars for users are stored in the database, rather than in an unprotected space on the server (the EP is on a shared host.) Thus, when a user is authenticated, a record is made in the database itself, and when a session var is fetched, it is fetched from the database. To do this, I override the default php session methods.
My reason for doing this was a worry that other people sharing host space on the same machine would be able to look at the session variables and that this was unacceptable from a security perspective.
My question is: (a) am I just paranoid?, and ( b ) is there a way to make Yii store session information in the database?
Those are two issues I’ve encountered in adapting the EP to Yii. Any feedback would be greatly welcomed, especially from someone who has taken on a similar challenge.
Okay, I found CDbHttpSession. So that takes care of part b of the second question. Still, am I just being paranoid?