Facing Problem With Session Destroy And User Logout After Update

My application is hosted on Amazon using the AppFog service.

Every time I update the application, all logged-in users are automatically logged off!

And then, when a user tries to log in again, this message appears:

Error 400

The CSRF token could not be verified.

Earlier I was using CCacheHttpSession but now I’m using CDbHttpSession and still this problem exists.

Here are component settings for session, user, and request in main.php:




'session' => array(
    //'class' => 'CCacheHttpSession',
    'class' => 'CDbHttpSession',
    'connectionID' => 'db',
    //'autoCreateSessionTable' => false,
    'cookieMode' => 'allow',
    'cookieParams' => array(
        'domain' => '.peoplematters.in',
        'httpOnly' => true,
    ),
),
'user' => array(
    'allowAutoLogin' => true, // Allows cookie-based authentication
    'autoRenewCookie' => true,
    'loginUrl' => array('/login'),
    'authTimeout' => 7200,
    'loginRequiredAjaxResponse' => 'sex', // Session Expired
    'identityCookie' => array(
        'domain' => '.peoplematters.in'
    ),
),
'request' => array(
    'enableCookieValidation' => false,
    'enableCsrfValidation' => true,
    'csrfCookie' => array(
        'domain' => '.peoplematters.in',
    ),
),



Please help me to solve this problem.

Thanks

It may be that the session_id is changed when you update the app. This would log everyone off because their session_id is no longer valid.

Also, could


'user'['allowAutoLogin'=>true,]

and


'request'['allowAutoLogin']

be fighting with each other?

I don't understand what you want to say!

Please describe…

In config.php, under ‘user’ in ‘components’, there is an option for ‘allowAutoLogin’. Setting it to false stops cookies and only uses sessions.

Elsewhere in the login process, remove all references to ‘Remember Me’ from the login form, userIdentity, User::actionLogin().

But we need to keep the user logged in until the user wants to log out, or have a long login expiry?

Session has a timeout setting that can be changed.

Increasing the session time-out won’t remember the user login for a long time, like 1 week or so.

And a week is not long enough? Then why require login at all? The user is not going to be at their computer continuously for a week (no sleep?), so anyone can sit down and do whatever under that logged-in user.

Solved this problem by setting the application id:

Set an application id in the config file config/main.php, e.g.:




return array(
    'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'name' => 'People Matters',
    'id' => 'people_matters_media_pvt_ltd',  // <== YOU SHOULD ADD THIS
    // ...
);
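
Why pinning the id keeps logins across an update, as an added example that is not part of the thread or Yii's own code: when no 'id' is configured, Yii 1.1 derives the application id from the base path and name, and CWebUser prefixes its session keys with a hash of that id. The two deploy paths are constructed, and it is an assumption that the host unpacks each release to a different directory.

```php
<?php
// Added illustration; helper names are hypothetical. The formulas mirror the
// Yii 1.1 defaults used when config/main.php does not set 'id'.

// Default application id: hex CRC32 of basePath . name (CApplication::getId()).
function defaultAppId(string $basePath, string $name): string
{
    return sprintf('%x', crc32($basePath . $name));
}

// Prefix under which CWebUser stores login state in $_SESSION
// (CWebUser::getStateKeyPrefix()).
function stateKeyPrefix(string $appId, string $userClass = 'CWebUser'): string
{
    return md5('Yii.' . $userClass . '.' . $appId);
}

// True when the session holds a user id under the prefix for this app id.
function isLoggedIn(array $session, string $appId): bool
{
    return isset($session[stateKeyPrefix($appId) . '__id']);
}

$name = 'People Matters';

// Constructed deploy paths (assumption: each release lands in a new directory).
$before = '/srv/releases/0001/protected';
$after  = '/srv/releases/0002/protected';

// Session data written before the update; the row itself survives in the
// CDbHttpSession table, only the key used to look it up changes.
$session = [stateKeyPrefix(defaultAppId($before, $name)) . '__id' => 42];

echo "derived id, same deploy:  ";
var_dump(isLoggedIn($session, defaultAppId($before, $name)));
echo "derived id, after update: ";
var_dump(isLoggedIn($session, defaultAppId($after, $name)));

// With a fixed id the prefix no longer depends on where the code is deployed,
// so the same lookup succeeds before and after the update.
$fixedId = 'people_matters_media_pvt_ltd';
$session = [stateKeyPrefix($fixedId) . '__id' => 42];

echo "fixed id, any deploy:     ";
var_dump(isLoggedIn($session, $fixedId));
```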