Isn’t this the most dangerous solution, to store the password in the cookie?
If the cookie is stolen (physically or by some sniffer) then the account will be compromised and the hacker will have both the user name and the password.
Also this approach does not really solve the problem (see below).
I thought the problem with the cookie could be solved this way:
- all user state is saved to the session
- the cookie contains only PHPSESSID
- when we need to autologin the user we open the session and check if the user ID is present
- if we find the user ID in the session then we automatically log the user in
But I just reread some articles and manuals about PHP sessions, and the problem with this approach is that the session file can be destroyed before the cookie expires.
In this case we will get PHPSESSID from the cookie, but will not be able to get the user state from the session.
Also this will break the solution suggested by jonah: the user name / password will be in the cookie, but no other saved user state will be available since the session file is deleted.
PHP has two important session settings to control session lifetime:
The hidden problem here is that if we set session.gc_maxlifetime to some value but do not change session.save_path, then the real session lifetime can be overridden by another application.
See details here and here.
So to keep session files as long as the cookies we need to:
I think with such settings it should be possible to implement saving all state to the session and exposing only PHPSESSID in the cookie.
But this leads to another problem: session files will exist on the server for a long period of time, and if we have many users then the session files can take up much disk space.
This way the current Yii implementation is a good compromise:
- if no cookie-based login is required then user data is stored in the session. This way you can notice sometimes that even without closing the browser you become logged off (because PHP deleted the session file).
- if we enable cookie-based login then all state is saved in the cookie, so the application no longer depends on the session lifetime. If the session is deleted then a new one will be created and populated from the cookie.
And regarding the current solution suggested by qiang (see here and here).
Maybe this solution can be implemented as part of yii core?
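Since the thread is about PHP sessions, here is an added PHP example (not the poster’s code and not Yii’s) of the session-only variant discussed above: only PHPSESSID goes to the browser, the session file lifetime is aligned with the cookie lifetime, and a private save_path keeps another application’s garbage collection from deleting the files. The lifetime value, the save path and the `user_id` session key are assumptions.

```php
<?php
// Added example: keep user state server-side and only PHPSESSID in the cookie.
// The 30-day lifetime and the save path below are illustrative assumptions.

$lifetime = 30 * 24 * 3600;   // same value for the cookie and the session file

// A private save_path means another application with a shorter
// gc_maxlifetime cannot garbage-collect these session files (the shared
// default directory is the trap described in the post).
ini_set('session.save_path', '/var/lib/php/sessions-myapp');   // assumed path
ini_set('session.gc_maxlifetime', (string) $lifetime);
ini_set('session.use_only_cookies', '1');   // never accept the id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue

session_set_cookie_params([
    'lifetime' => $lifetime,
    'path'     => '/',
    'secure'   => true,     // cookie is sent over HTTPS only
    'httponly' => true,     // cookie is not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

/**
 * Auto-login check: returns the user id if the session still carries one,
 * or null when the cookie outlived the session file (the failure mode the
 * post describes). On null the caller must show the normal login form.
 */
function autoLoginUserId(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;        // session expired or was garbage-collected
    }
    return (int) $_SESSION['user_id'];
}

/** Called after the password has been verified; stores only the user id. */
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // fresh id after the privilege change
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

$userId = autoLoginUserId();
if ($userId === null) {
    // No usable session state: fall back to the regular login form.
}
```

The password itself never leaves the server; if the session file is gone the user simply logs in again, which is the trade-off the post weighs against storing credentials in the cookie.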