Hi,
I’m currently dealing with how Yii handles maintaining the user state. From what I’ve read so far, it seems like data stored in this way
Yii::app()->user->setState()
is not represented in a cookie if cookies are allowed. On the other hand, if I use setState() of the UserIdentity class, this information gets stored in the cookie.
So, after reading that I decided to have a look at the class reference to confirm this. What I get here is that when CWebUser::login() is called and after beforeLogin() (which defaults to true), the changeIdentity method is invoked and the previously set parameters via CUserIdentity::setState() are copied. After confirming a valid duration for the cookie (and allowAutoLogin is enabled), the cookie is set with the information that was previously stored in CUserIdentity.
So, what I struggle to understand is the following. It makes perfect sense to me that if I don’t set any values via CUserIdentity::setState(), the cookie also has no user information (besides the ID and the name? Seems like this is stored by default). But on the other hand: if I’ve saved information previously with Yii::app()->user->setState(), isn’t changeIdentity() overwriting these values (with empty ones in this case)?
I’m glad if somebody could help me out here, I’m a bit lost in understanding this.
EDIT: after reviewing the code, I think regenerateID() is the crucial part I fail to understand in the changeIdentity() method. If so, can somebody enlighten me? From what I understand, it seems like regenerateID() destroys the old session, meaning any previously set data via Yii::app()->user->setState() gets deleted anyway. Or does it rather duplicate all the previously entered and stored information of the old session in a new one before deleting the old one? Confusion’s growing.
EDIT2: I think I’m being dumb here. Yii::app()->user->setState() stores the given information in a session, not the class variables. So I guess there is nothing like overwriting any previous data. If this is true, the question I’m left with now is if saveToCookie() always stores a (hashed) version of the user ID and name and whether it’s not better to prevent this?
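The two storage paths the post walks through, as an added illustration (not code from the original post or from the Yii framework itself): a Yii 1.1 identity class that puts only harmless data into identity states, which login() copies into the session and, with a duration, into the auto-login cookie, next to session-only data kept via Yii::app()->user->setState(). The User model, its columns, and the login form fields are assumptions.

```php
<?php
// Added example for Yii 1.1. Assumes a hypothetical User ActiveRecord with
// id, username, password_hash, display_name and role columns.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            // Identity states are copied into the session by changeIdentity()
            // and, when login() gets a duration > 0 (allowAutoLogin must be
            // true), serialized into the long-lived identity cookie as well.
            // Only data that may live in a client-side cookie belongs here.
            $this->setState('displayName', $user->display_name);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode == self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// In a controller action, after the login form has validated
// ($form->username, $form->password, $form->rememberMe are assumed fields):
$identity = new UserIdentity($form->username, $form->password);
if ($identity->authenticate()) {
    // A 30-day duration makes login() call saveToCookie(); 0 keeps the
    // login session-only and no identity cookie is written.
    Yii::app()->user->login($identity, $form->rememberMe ? 3600 * 24 * 30 : 0);

    // Session-only state: this goes into $_SESSION under the user key prefix
    // and is never part of the identity cookie, so it is the right place for
    // authorization data such as the role.
    $user = User::model()->findByPk($identity->getId());
    Yii::app()->user->setState('role', $user->role);
}
```

Reading it back in a later request, Yii::app()->user->getState('displayName') is served from the session (restored from the cookie if the session had expired), while getState('role') is only ever present for a session in which the controller code above ran.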