Storing sensitive information in the session

Hello all,

I need to store some sensitive information related to the user that must be retrieved very quickly each time the user makes a request. My first thought was to put it in the session with the setState() method and avoid a query to the User table on each request, but if I activate allowAutoLogin then this information is stored in the cookie and can be viewed and changed by the user.

Is it possible to configure something so that this information is stored in the session but not in the cookie?

What is the best approach for something like this? I was thinking of some cache mechanism, or encrypting that value in the cookie…



What kind of information are you talking about? If you only want to display this data to the user, it’s not terrible if the user changes it. If you are planning to use this information further in your SQL queries, then yes, it’s not safe in this case, and the user changing the cookies may lead to undesired results. But why store the data in cookies in this case? You will call the database to change any data for the user anyway, so why not query the User table and retrieve the needed parameters from there?

Thanks for the responses,

Horacio, I tested that solution, but it requires a query to the DB each time the user makes a request, and that is what I want to avoid.

Frantic, the info I want to store defines the next queries to the DB, so if the user changes it he will be able to access data he is not allowed to see. So it is very important that it can be retrieved quickly and cannot be changed by the user.

What’s the best way to solve the problem? Sessions, caches, encrypted params in cookies… Thanks in advance.



Why don’t you simply use Yii::app()->session?

cook 60 is just a (very good) example

you can add all the functions you want to the WebUser component

and you’re wrong if you mean “loadUser”

it queries only if

if ($this->_model === null)

(sorry for my English)

Mike, thank you very much for your response. I have tested storing it in the session variable and it is working fine; according to what I watched with Firebug, what I store in the session variable (Yii::app()->session[‘myvar’] = ‘myvalue’) is never stored on the client side, so it’s completely safe to store it there. I would be pleased if you could confirm it.

Horacio, I’m not sure what you are trying to tell me; between two different HTTP requests I think it is impossible for me to retrieve the data without making another request to the DB. If you could give an example, that would be great.

Thank you very much.


Sometimes solutions are easier than they look ;)


is this true?

Yes. Sessions are kept on the server only. User state data is stored in a cookie (client) if autoLogin is true.
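The distinction the thread ends on, shown in Yii 1.x code as an added example (this is not code from the thread or from the Yii project): identity states set with setState() are serialised into the autoLogin cookie when allowAutoLogin is on, whereas values written to Yii::app()->session live only in the server-side PHP session. The example also handles the one case the thread does not discuss: when the PHP session has expired but the autoLogin cookie is still valid, Yii rebuilds the identity from the cookie and the session value is gone, so the accessor must fall back to a single database query and re-cache the result. The User model, its `allowed_department_id` column, the `Post` model and the session key `allowedDeptId` are assumed names for illustration.

```php
<?php
// Added example, not from the original thread or the Yii project.
// Assumed names: User model with an `allowed_department_id` column,
// a Post model with `department_id`, session key 'allowedDeptId'.

// protected/config/main.php (fragment): allowAutoLogin stays on,
// but the authorization value never goes through setState().
//   'components' => array(
//       'user' => array('class' => 'WebUser', 'allowAutoLogin' => true),
//   ),

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null || !$user->validatePassword($this->password)) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }
        $this->_id = $user->id;

        // Harmless if read or altered on the client: OK as an identity state.
        // With allowAutoLogin this ends up serialised inside the cookie.
        $this->setState('displayName', $user->display_name);

        // Drives later SQL, so it must not be client-controlled:
        // server-side session only, never setState().
        Yii::app()->session['allowedDeptId'] = (int) $user->allowed_department_id;

        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    const SESSION_KEY = 'allowedDeptId';

    // Returns the department this user may query, or null for guests.
    // Fast path: one array read from the PHP session, no DB access.
    public function getAllowedDeptId()
    {
        if ($this->getIsGuest()) {
            return null;
        }
        $session = Yii::app()->session;
        if (!isset($session[self::SESSION_KEY])) {
            // Reached after autoLogin restored the identity from the cookie
            // while the server-side session had already expired: pay for
            // one query, then cache the value in the new session.
            $user = User::model()->findByPk($this->getId());
            if ($user === null) {
                $this->logout();   // stale cookie for a deleted account
                return null;
            }
            $session[self::SESSION_KEY] = (int) $user->allowed_department_id;
        }
        return $session[self::SESSION_KEY];
    }
    // CWebUser::logout() destroys the session by default, so the cached
    // value is discarded together with the login; nothing extra is needed.
}

// Usage in a controller: the query parameter comes from the server-side
// session, so the client cannot widen it by editing cookies.
class PostController extends CController
{
    public function actionIndex()
    {
        $deptId = Yii::app()->user->allowedDeptId;   // via getAllowedDeptId()
        if ($deptId === null) {
            throw new CHttpException(403, 'Login required.');
        }
        $posts = Post::model()->findAllByAttributes(array('department_id' => $deptId));
        $this->render('index', array('posts' => $posts));
    }
}
```

Two points worth keeping in mind with this layout: the session cookie itself is only an opaque identifier, so a client cannot forge `allowedDeptId` without first obtaining another user's session id (use `httpOnly` and, over HTTPS, `secure` cookie flags on the session cookie); and any change to `allowed_department_id` in the database takes effect only after the cached session value is refreshed, so an admin-side change should also clear or rewrite that session key, or the user must log out and back in.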