Security implications with CWebUser

I am new to Yii - so apologies if this is a dumb question.

How does Yii do a cookie based login?

In the past, when I have implemented Remember Me, we saved a token in a table in a persistent store (usually a DB) and saved the token into a remember-me cookie on the client. When the user comes back to the site after the session has expired, for example, we look at the remember-me cookie value and check the DB; if it matches, we replace the cookie value on the client side with a new token and save the new token into the same table on the server.

I URL-decoded the cookie that's stored on the client and I am not able to see how Yii is logging me in. I will try to step through the code, but was wondering if someone knows this off the top of their head.

The only file I can see on the server is a state.bin. Is that what's being used to auto-log me in?

== Update == The Identity class has beforeLogin, which restores from the cookie if autoLogin is set. I figured I would leave this question in case it's helpful to others.
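As an added example (not Yii's CWebUser code, nor code from either poster), here is the DB-backed remember-me scheme described above written in plain PHP with PDO/SQLite, with two hardening steps: the table stores only a hash of the token, and each successful use rotates it so a replayed cookie fails. The table and function names are assumptions for the demo.

```php
<?php
// Added example: DB-backed "remember me" tokens with hash-at-rest and rotation on use.
// An in-memory SQLite table stands in for the persistent store (constructed for the demo).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_token (
    user_id INTEGER NOT NULL, selector TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');

// Issue a new token: a selector (lookup key) plus a secret verifier.
// Only a hash of the verifier is stored, so a DB leak does not yield usable cookies.
function issueRememberToken(PDO $db, int $userId, int $ttl = 7 * 86400): string {
    $selector = bin2hex(random_bytes(8));
    $verifier = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_token VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, $selector, hash('sha256', $verifier), time() + $ttl]);
    // This string is what goes into the client cookie (set it with HttpOnly and Secure).
    return $selector . ':' . $verifier;
}

// Validate a cookie value. Returns [userId, freshCookieValue] on success; null otherwise.
// The presented token is deleted whether it matched or not, so a stolen or expired token
// can be used at most once and a mismatch invalidates the series.
function consumeRememberToken(PDO $db, string $cookie): ?array {
    if (substr_count($cookie, ':') !== 1) return null;
    [$selector, $verifier] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT user_id, token_hash, expires_at FROM remember_token WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) return null;
    // Constant-time comparison of the stored hash against the hash of the presented verifier.
    $ok = hash_equals($row['token_hash'], hash('sha256', $verifier)) && $row['expires_at'] > time();
    $db->prepare('DELETE FROM remember_token WHERE selector = ?')->execute([$selector]);
    if (!$ok) return null;
    return [(int)$row['user_id'], issueRememberToken($db, (int)$row['user_id'])];
}

// Demo: issue, use once (succeeds and rotates), then replay the old value (fails).
$cookie = issueRememberToken($db, 42);
$first  = consumeRememberToken($db, $cookie);
$replay = consumeRememberToken($db, $cookie);
echo ($first !== null && $first[0] === 42 && $replay === null) ? "rotation works\n" : "unexpected\n";
```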

Hello guys, I am new to the Yii framework, and the first thing I am starting to do is create a user register/login system. I really want my system to be secure, but I found out that using cookies is not the safest method at all. So I have some suggestions that may be interesting; please remember that I am not a professional PHP programmer, so these suggestions may contain some bugs, but I think we will fix them.

As I understand it, when someone visits a Yii website, first of all Yii tries to get the cookie and checks if the user is already logged in. So why can't we use the database instead of cookies? What I mean is that we can have these fields in the database:

  • ip
  • remember_me
  • latest_visit

So, why can't we let Yii check the database instead of cookies? What I mean is to let Yii check if the guest's IP == the IP from the DB and remember_me == true, and latest_visit was not more than 7 days ago. So instead of cookie validation, using this method will be better. And after that, let Yii do whatever it does after cookie validation.

What we will achieve is a remember-me method for non-cookie-enabled browsers, avoiding cookie stealing and making the user login system more secure, since all data will be stored on the server side and nothing will be stored on the client side.

So what do you think about it?

http://googlepublicp…s-personal.html