In my application i use the login mechanism from the base webapp. In my config i have allowAutoLogin set true for the user component. So i thought i would stay logged in for 30 days. But that’s not the case, i sometimes have to re-login multiple times a day.
I've checked the cookie, it's still present, even when i have to re-login again.
What am i doing wrong here?
I see, that cookie login only works, if the user still has the same IP address.
[code=CWebUser.php]if($address===$app->getRequest()->getUserHostAddress())
$this->changeIdentity($id,$name,$states);
[/code]
I understand that this gives some additional security, but isn't it a bit too rigid? I'd say, that most users come from dynamically assigned IPs that change every day. So by default, the "remember Me" feature will not work as expected for the majority of users. Shouldn't this be configurable, at least? Yes, i could use my own WebUser class, but i'd say, the framework should be configurable for such basic tasks.
Yeah, it may be inappropriate to compare IP addresses. Perhaps we should just remove this check. Any suggestion for other security measure?
I vote for removal. Just think about all the business travellers with their laptops. I’d have a hard time to explain, why “Remember me” doesn’t work on my applications. 
I can't think of better measures but i'm also not sure, why it could be a security risk if we allow different IPs.
Ok, removed. Thanks.
Check for user agent, it should not change since the cookies are stored by the browser.
I am developing a shopping mall program with Yii. and I like extra security feature like this. They don't use "Remember me" things for security critical program, like shopping cart. How about giving an option to Yii user, use it or not?
I removed this check mainly because using IP to check security is not reliable and will cause failures to some end users. The current cookie-based login is still secure without IP check. Do not worry.
@Wei:
I think user agent could also be problematic as it might change with (automatic) updates of the browser.
Quote
I think user agent could also be problematic as it might change with (automatic) updates of the browser.
That is a reasonable time to require a login. Browser updates are more likely to be between fairly large intervals, say 1 month or more. The remember me cookie should not last too long.
Again, i could live with that 
But i'm not sure, if we really gain that much more security by doing such a check.