Question: Doesn't all authentication require cookies? I know that if allowAutoLogin is false, Yii will use PHP sessions. Fine. But don't PHP sessions require cookies too? How can you have sessions without cookies?
Second question: I want to log off the user after either a specified amount of time or when he closes the browser. Can Yii's cookie authentication do that?
Not really. Authentication could be done in many ways. Do not confuse authentication with session. Each session has a unique ID, which could be stored in cookie so that the session can be maintained during multiple requests from the same user. The ID could also be stored in hidden field, URL, etc. At the same time, Web applications also maintain session data (could be much bigger in size than the session cookie) on the server. The session ID is used to be associated with the session data. By default, the session cookie gets deleted after a certain time limit or the user closes the browser, and thus the user loses his session (logout). By saying cookie-based authentication, we store some additional information in the cookie (e.g. user ID) and make the cookie to exist longer, even if the user closes the browser. The server-side session data will still be deleted after certain amount of time to save resource. When the user opens his browser again, the cookie is sent to the server which recognizes it and attempts to re-authenticate the user based on the cookie data.
I know the difference between authentication and session. I said authentication because that's the term you use in your default config file.
Does Yii actually offer non-cookie based sessions? I certainly haven't seen my site add anything special to the URL that would tell the server about a session.
I didn't see you address my second question (thanks for the help though). I assume that Yii cannot actually give me sessions that expire after closing the browser or XX minutes. I'll see if I can configure PHP sessions on the server. I might be able to do that.
All these session handling (e.g. non-cookie based session, session time limit, etc.) are handled by PHP. You may check the relevant PHP ini settings. Also check CHttpSession which encapsulates some session settings.
Looking at the PHP documentation it looks like what I want just isn’t possible. I want the cookie to expire either when the browser closes, or after 60 minutes.
I just know for sure that some of my users will close the browser and expect the session to log out, and I just know that other users will never close their browser. And since my users are teachers using public computers in schools, it is definitely a concern that the next person will be a student who will go to the site and change his marks.
Assuming you mean 60 mins of inactivity of the same session and that session cookies are deleted after browser closes. You can store a last activity time stamp in the session data and clean out session data that have elapsed 60 mins on a regular basis.