Identity And Auto Login

First, let me admit: I don’t like auto login. So my my opinion on this might be biased… But still…

I think the possibility/ feature of logging in a user automatically doesn’t have to do a lot with the concept and encapsulation of a user’s identity. So any chance to separate those two things into two interfaces instead of combining them in one?

I know that auto login is a frequent requirement, so to come up to that, the default web app’s user implementation could still implement both interfaces, user application component could still be configured to allow auto login. But it shouldn’t be a must have.

Basically whenever you reuse an existing userbase that doesn’t yet implement the concept of authKeys, you’re left with a couple of choices:

  • set up additional storage to extend the existing user data -> a lot of extra work if I basically don’t intend to use that feature.

  • don’t implement authKey methods (empty dummy implementation/ throwing “not implemented” exception) -> Feels wrong. If it doesn’t implement the whole interface, then it simply isn’t an implementation of the interface. Can’t be properly reused.

  • use the password as authKey -> Bad idea, isn’t it?

  • use a hash function to generate authKey from existing persistent user data -> yep, this seems to work. But the again: if it can be done in such a generic way, then why implement it for each and every interface implementation? It could as well be one implementation of the "auto login interface", which could then be reused for all "user identity interface" implementations.

This is really a topic for extensions to Yii, not Yii core, and especially not the demo application (which has to be simple).

But it is in the core. Identity and Autologin mixed in one interface. Used by the core user component.

You have a point that authKey doesn’t really belong to identity. The reason that we don’t separate them is mainly for simplicity: if you don’t use auto-login, you can still implement getAuthKey() and validateAuth(), but with exception or empty implementation. Most people will however implement all these.