Cookie-based auth and data storage

Hi. I'm new to YII and have some newbie questions.

I want users to stay logged in for a long time, so I enabled allowAutoLogin in config. But as it is said in docs, this causes all session data to be stored in cookies, right? What if I want to store large piece of data in session?

Is there a way to enable auto-login but store data in php session files?

The docs also warn about storing senstive data in cookies. How about storing user's group id (for example, 'admin')? Is there a way user can modify his own cookies thus changing his group or ID? Is there some protecting algorithm for cookies?

How can I force certain users to logout (for example, if administrator wants to disable or delete them)?

Thanks in advance.

In this case, you should use CHttpSession, which is using server side session handling, you can override it to support customized session storage, like DB.

When you enable cookie-based login, only those information you store as "states" in user identity will be stored in cookie. Other session data remain in session storage (on the server side).

The login cookie is protected from being modified by end users. If it is modified, it will be treated as invalid. However, end users can still read contents in the cookie. That's why it is warned that you should not put sensitive data (e.g. password) in the cookie.

Thanks a lot!

Here's another question, though.

I want to use some data from DB during user's authentication, for example:

  • check if user still exists in DB

  • check if user is not disabled

  • store some DB data to user's php session.

It can be easily done in UserIdentity::authenticate(), but if autologin feature is on, CWebUser::restoreFromCookie() is used instead of form login routine.

It seems to me I need to extend CWebUser class, right? But I'm not sure what function should I extend. changeIdentity?

What's the best way?

Yes, you need to override restoreFromCookie.

Thanks again!

Now I've added one function to UserIdentity:


public function authenticateByCookie() {
	$user = User::model()->findByAttributes(array(

		'id' => $this->username,

		'is_disabled' => 0


	if ($user === null) {

		$this->errorCode = self::ERROR_UNKNOWN_IDENTITY;

	} else {

		$this->_id = $user->id;

		$this->errorCode = self::ERROR_NONE;

		$this->afterAuth($user); // here we post-process user's data


	return !$this->errorCode;


and extended CWebUser like this:


class WebUser extends CWebUser {
protected function restoreFromCookie() {

	$app = Yii::app();


	if ($cookie &amp;&amp; !empty($cookie-&gt;value) &amp;&amp; ($data = $app-&gt;getSecurityManager()-&gt;validateData($cookie-&gt;value)) !== false) {

		$data = unserialize($data);

		if (isset($data[0],$data[1],$data[2])) {

			list($id, $name, $states) = $data;

			$identity = new UserIdentity($id, &#039;&#039;);


			switch ($identity-&gt;errorCode) {

				case UserIdentity::ERROR_NONE:

					$this-&gt;changeIdentity($id, $name, $states);



					# maybe I should call logout() here too

					throw new CHttpException(401, Yii::t(&#039;yii&#039;,&#039;Unknown Identity&#039;));








Everything is working now!

Just want to know if I'm wrong somewhere, or there's a better way.

Looks good to me.