Cookie validation issue

Hi, dear all!

I don’t know whether the problem I faced should be considered a bug, which is why I am posting it in a separate thread to discuss it. I reproduced it with Yii 1.1.11-dev from and stable Yii 1.1.10. It seems to me that this old thread may also be related to this problem.

These are the steps to reproduce:

  1. Use the configuration file `protected/config/main.php` from the default installation of the web application.

  2. Implement user authentication, specifying a positive `$duration` argument of `CWebUser::login($identity, $duration=0)`.

  3. Log in on your website checking "Remember me".

  4. Close your browser.

  5. Edit `protected/config/main.php` by adding the following lines to the `components` part:

'request' => array(
    'enableCookieValidation' => true,
),

  6. Open your browser and run your website.

The result:

PHP warning

mb_strlen() expects parameter 1 to be string, array given.

and error 500 on production site.

Here is the call stack from `application.log`:

2012/06/22 23:13:59 [error] [php] mb_strlen() expects parameter 1 to be string, array given (/home/n/nebullus/

Stack trace:

#0 /home/n/nebullus/ CSecurityManager->validateData()

#1 /home/n/nebullus/ WebUser->restoreFromCookie()

#2 /home/n/nebullus/ WebUser->init()

#3 /home/n/nebullus/ CWebApplication->getComponent()

#4 /home/n/nebullus/ CWebApplication->__get()

#5 /home/n/nebullus/ GalleryController->__construct()

#6 /home/n/nebullus/ GalleryController->__construct()

#7 /home/n/nebullus/ CWebApplication->createController()

#8 /home/n/nebullus/ CWebApplication->runController()

#9 /home/n/nebullus/ CWebApplication->processRequest()

#10 /home/n/nebullus/ CWebApplication->run()


Web server’s operating system: Kubuntu 12.04 LTS

PHP version: 5.3.10

Browser: any (tested with Mozilla Firefox, Google Chrome and IE8 on Windows XP).

The workaround is to clear browser’s cookies, and everything will work well. But it’s not a good idea to ask a user to clear his browser’s settings when I want to enable cookie validation.

Looks like a bug, application should not trust cookie content like this. Please report this issue on GitHub and post a link here.

Dear CeBe, thank you for the reply.

I’ve opened an issue.
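The failure mode reported in this thread (a non-string value reaching the HMAC check and ending in a warning and a 500) can be avoided by rejecting anything that is not a signed string before any string function touches it. The sketch below is an added example, not Yii's code or a fix from the thread; the cookie layout (hex HMAC followed by a JSON payload), the function names and the key are assumptions, and `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added illustration, not Yii source. Assumed cookie layout:
// 64 hex characters of HMAC-SHA256 followed by a JSON payload.

function signCookiePayload($payload, $key)
{
    return hash_hmac('sha256', $payload, $key) . $payload;
}

// Returns the decoded array, or false for anything that is not a correctly
// signed string. Malformed client input never reaches a string function.
function readSignedCookie($raw, $key)
{
    // A cookie sent as name[]=x arrives in PHP as an array, and an earlier
    // layer may hand over an already-decoded value. Reject both up front.
    if (!is_string($raw)) {
        return false;
    }
    $macLen = 64; // hex length of an HMAC-SHA256 digest
    if (strlen($raw) <= $macLen) {
        return false;
    }
    $mac = substr($raw, 0, $macLen);
    $payload = substr($raw, $macLen);
    // Constant-time comparison of the expected and supplied MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return false;
    }
    // JSON is used here instead of unserialize() so client data can never
    // instantiate objects.
    $data = json_decode($payload, true);
    return is_array($data) ? $data : false;
}

$key = 'constructed-demo-key'; // constructed value for the demo
$good = signCookiePayload(json_encode(array('id' => 7, 'name' => 'demo')), $key);

// Constructed inputs: one valid cookie and three malformed ones.
$cases = array(
    'valid signed string'     => $good,
    'array instead of string' => array('id' => 7),
    'payload altered'         => $good . 'x',
    'shorter than the MAC'    => 'short',
);
foreach ($cases as $label => $raw) {
    $result = readSignedCookie($raw, $key);
    echo $label, ': ', $result === false ? 'rejected' : 'accepted', "\n";
}
```

A rejected cookie should simply be treated as "not logged in", so users holding a cookie written under the old setting are asked to sign in again instead of seeing an error page.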