User ID in session data

I set up my UserIdentity class as per: http://www.yiiframework.com/wiki/6/

So in my app I now have lots of this:


$content=Content::model()->find('user_id=:user_id', array(':user_id'=>Yii::app()->user->id));

Now I know this user ID is being stored in the session, but does this mean it is being stored in a cookie?

And if so, that must mean it is easy to modify, so somebody could change the ID. How can I prevent these kind of things?

This seens to resolve, since it keeps its data in the database




'components'=>array(

//...

    	'session' => array(

        	'class' => 'system.web.CDbHttpSession',

        	'connectionID'=>'db',

    	),



I’m not after a DB session handler. I just want to know how to secure my User ID variable in normal session.

Under normal circumstances, the only thing in the client cookie is the session id. This cookie is, by default, called PHPSESSID when using PHP’s session mechanism. It is passed to the client in the HTTP header and sent on each request to uniquely identify the client to the server and allow for persistence between page visits.

The actual session data is stored only on the server (not in a client cookie) and controlled by your server side scripting code, so the security of that data is contingent upon the quality of security implemented on your server. The client sends an HTTP request, and PHP or Yii will read the cookie session id, and use that to associate that with the private server session data.

Hope this helps.

Thanks man. So I can still safely use ‘allowAutoLogin’?

Islands is right: that’s how it’s usually done. :)

I think the whole login and roles functionality of Yii is not very well implemented - just my personal opinion!

Having read this topic: http://www.yiiframework.com/forum/index.php?/topic/14903-a-few-questions-about-the-login-process/

Things are now more confusing!

Anyway if I turn off allowAutoLogin, then that presumably turns off cookie usage. What if you want to use allowAutoLogin but store session data in a server session?

I prefer not to store any temporary data in a DB table.

Bump. Any thoughts anyone? What I’m saying is, I want to use allowAutoLogin - which will save the login in a cookie so that the user doesn’t keep getting logged out - but I want to store sensitive data (data stored via setState) in the server session (the way it does when you turn off allowAutoLogin). Can we do this?