Interrupted sessions

I'd like to require a user to re-login after a timeout.  But I don't want to lose the session entirely; I want the session picked back up and to be redirected to the visited page using the same saved state as before (sort of like releasing from a password protected screen saver).

More ambitious, I might even like this behavior to survive a lost session cookie (presumably from closing browser) or a changed browser cookie (from another user logging in from the same computer and browser).  This would surely require saving something (a session id or the session state) in the user's table.

Any ideas on what would be the best way to implement either the less ambitious or the more ambitious plan?  Any thoughts on nasty security implications of the more ambitious plan?  Thanks in advance.

Okay, I’ve decided that the more ambitious plan is really not a good idea.  Just a goofy thought.  But I’d still like ideas about the less ambitious plan.

Actually, Yii already supports your 'less-ambitious plan'.

You can store all session vars in a cookie.

Examples are here:

http://www.yiiframew…uide/form.model

http://www.yiiframew…guide/form.view

http://www.yiiframew…-identity-class

(see setState())

You can also override core functions to add some extra features.

An example is here:

http://www.yiiframew…30.html#msg9830

Sorry for the slow reply.  Thanks for the info.  The discussion you cite between yourself and Qiang had what I was missing.
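The "less ambitious plan" from the first post, as an added example that is not code from any poster in this thread or from Yii: on idle timeout the session is marked locked rather than destroyed, only the same user can unlock it, and the saved page is returned after re-authentication. It is plain PHP; `checkSession`, `unlock`, `isLocalPath`, the session keys and the 900-second limit are all hypothetical names and values chosen for illustration.

```php
<?php
// Added example: idle "lock screen" for a PHP session (framework-independent, hypothetical names).
const IDLE_LIMIT = 900; // seconds of inactivity before locking (constructed value)

// Only same-site paths are kept as the resume target (rejects "//host" and "/\host").
function isLocalPath(string $uri): bool
{
    return preg_match('#^/(?![/\\\\])#', $uri) === 1;
}

// Returns 'anonymous', 'locked' or 'ok'; locks in place instead of destroying state.
function checkSession(array &$s, int $now, string $requestUri): string
{
    if (empty($s['user_id'])) {
        return 'anonymous';
    }
    if (empty($s['locked']) && $now - ($s['last_seen'] ?? 0) > IDLE_LIMIT) {
        $s['locked'] = true;
        $s['return_url'] = isLocalPath($requestUri) ? $requestUri : '/';
    }
    if (!empty($s['locked'])) {
        return 'locked'; // caller serves only the unlock form while this is set
    }
    $s['last_seen'] = $now;
    return 'ok';
}

// Unlocks only for the user who owns the session; returns the resume URL or null.
function unlock(array &$s, string $user, string $pass, callable $verify, int $now): ?string
{
    $owner = (string) ($s['username'] ?? '');
    if (empty($s['locked']) || !hash_equals($owner, $user) || !$verify($user, $pass)) {
        return null; // a different user must get a fresh session, never this state
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a new session id after re-authentication
    }
    $url = $s['return_url'] ?? '/';
    unset($s['locked'], $s['return_url']);
    $s['last_seen'] = $now;
    return $url;
}

// Constructed demo data; in a web request pass $_SESSION instead of $session.
$session = ['user_id' => 7, 'username' => 'alice', 'last_seen' => 1000, 'cart' => ['sku-1']];
$verify = fn($u, $p) => $u === 'alice' && $p === 'correct horse'; // stand-in for a password_verify() check
var_dump(checkSession($session, 1901, '/orders/edit?id=3')); // idle for 901 s
var_dump(unlock($session, 'bob', 'x', $verify, 2000));       // another user at the same browser
var_dump(unlock($session, 'alice', 'correct horse', $verify, 2000));
var_dump($session['cart']);                                  // saved state is still there
```

The lock flag lives in server-side session data; if session variables are instead stored in a cookie, as suggested above, the flag and timestamp are only trustworthy when the cookie is integrity-protected.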