Sessions and autologin


Can you explain why Yii uses two cookies (PHPSESSID and another one with user data) in case of autologin turned on?

Hi Angel,

The answer to your question is in section "3. Cookie-based Login" of, but may need further explaining.

The [font=“Courier New”]PHPSESSID[/font] cookie is generated by PHP’s session handling, which is, itself, called upon by Yii’s session handling. [font=“Courier New”]PHPSESSID[/font] stores the session ID that PHP uses to locate the persistent data stored in the $_SESSION (PHP defined) global array.

Whether autologin is turned on or not, Yii uses the PHP session mechanism to store information about the logged-in user (among which the fact the s/he is logged in!).

So, that explains the PHPSESSID cookie.

If autologin is turned off, when the user closes his/her browser, or after a certain amount of time (configured collaboratively by Yii and the PHP engine), the session data is destroyed, and thus, as a side effect, the memory of the user being logged-in is lost ==> in effect the user is logged-off.

The [font=“Courier New”]autologin[/font] feature is there to override this behaviour in case you don’t want users to explicitely login (“manually”, i.e. type in their user id and password) each time they access your WEB site. To do so, the information about the user being logged-in is stored in something “more permanent” than the PHP session: a cookie.

And that’s your second cookie.

I hope this helped…


I found this while i was searching the same topic…

Why Yii has to include username (email addres in my case) and user id in that cookie too? It can embed those into the serverside session like autologin=off. I don’t want email and id to be seen in the cookie data, but i want the autologin feature. No solutions? Nothing?