Storing Of User Informations In Session Vs. Cookies


I’m currently dealing with how Yii handles maintaining the user state. From what I’ve read so far, it seems like data stored in this way


is not represented in a cookie if cookies are allowed. On the other hand, if I use setState() of the UserIdentity class, this information gets stored in the cookie.

So, after reading that I decided to have a look at the class reference to confirm this. What I get here is that when CWebUser::login() is called and after beforeLogin() (which defaults to true), the changeIdentity method is invoked and the previously set parameters via CUserIdentity::setState() are copied. After confirming a valid duration for the cookie (and allowAutoLogin is enabled), the cookie is set with the information that was previously stored in CUserIdentity.

So, what I struggle to understand is the following. It makes perfect sense to me, that if I don’t set any values via CUserIdentity::setState(), the cookie does also have no user information (besides the ID and the name? Seems like this is stored by default). But on the other hand: If I’ve saved information previously with Yii::app()->user->setState(), isn’t changeIdentity() overwriting these values (with empty ones in this case)?

I’m glad if somebody could help me out here, I’m a bit lost in understanding this.

EDIT: after reviewing the code, I think regenerateID() is the crucial part I fail to understand in the changeIdentity() method. If so - can somebody enlighten me? From what I understand it seems like regenerateID() destroys the old session, meaning any previous set data via Yii::app()->user->setState() gets deleted anyway. Or does it rather duplicate all the previous entered and stored information of the old session in a new one before deleting the old one? Confusion’s growing :)

EDIT2: I think I’m being dumb here. Yii::app()->user->setState() stores the given information in a session, not the class variables. So I guess there is nothing like overwriting any previous data. If this is true, the question I’m left with now is if saveToCookie() always stores a (hashed) version of the user ID and name and whether it’s not better to prevent this?