Hi. I'm new to Yii and have some newbie questions.
I want users to stay logged in for a long time, so I enabled allowAutoLogin in config. But as it is said in the docs, this causes all session data to be stored in cookies, right? What if I want to store a large piece of data in session?
Is there a way to enable auto-login but store data in php session files?
The docs also warn about storing sensitive data in cookies. How about storing user's group id (for example, 'admin')? Is there a way user can modify his own cookies thus changing his group or ID? Is there some protecting algorithm for cookies?
How can I force certain users to log out (for example, if administrator wants to disable or delete them)?
When you enable cookie-based login, only the information you store as "states" in user identity will be stored in the cookie. Other session data remain in session storage (on the server side).
The login cookie is protected from being modified by end users. If it is modified, it will be treated as invalid. However, end users can still read the contents of the cookie. That's why it is warned that you should not put sensitive data (e.g. password) in the cookie.
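The property described in the answer above (a cookie that is tamper-evident but still readable) can be shown with a generic HMAC-signed cookie. This is an added example, not part of the original thread and not Yii's own code; the key, the function names `signCookie`/`readCookie` and the `tag.payload` layout are assumptions made for illustration.

```php
<?php
// Added illustration, not Yii's implementation. SECRET_KEY, the function
// names and the "tag.payload" cookie layout are assumptions.
const SECRET_KEY = 'constructed-demo-key-kept-only-on-the-server';

// Encode the identity states and prepend an HMAC-SHA256 tag over them.
function signCookie(array $states): string
{
    $payload = base64_encode(json_encode($states));
    return hash_hmac('sha256', $payload, SECRET_KEY) . '.' . $payload;
}

// Return the states if the tag verifies, or null if the cookie was altered.
function readCookie(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    if (!hash_equals($expected, $tag)) { // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    $states = $json === false ? null : json_decode($json, true);
    return is_array($states) ? $states : null;
}

// Constructed sample states for a regular user.
$cookie = signCookie(['id' => 42, 'group' => 'user']);
[$tag, $payload] = explode('.', $cookie, 2);

// 1. Readable: anyone holding the cookie can decode the payload without the key.
echo 'visible to the client: ', base64_decode($payload), "\n";

// 2. Tamper-evident: a payload changed to 'admin' no longer matches the old tag.
$altered = $tag . '.' . base64_encode(json_encode(['id' => 42, 'group' => 'admin']));

echo 'original accepted: ', var_export(readCookie($cookie) !== null, true), "\n";
echo 'altered accepted:  ', var_export(readCookie($altered) !== null, true), "\n";
```

A group id stored this way cannot be changed by the user without invalidating the cookie, but the user can still see it, which is the reason secrets such as passwords do not belong in the states.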