Under normal circumstances, the only thing in the client cookie is the session id. This cookie is, by default, called PHPSESSID when using PHP’s session mechanism. It is passed to the client in an HTTP header and sent back on each request to uniquely identify the client to the server and allow for persistence between page visits.
The actual session data is stored only on the server (not in a client cookie) and controlled by your server-side scripting code, so the security of that data is contingent upon the quality of the security implemented on your server. The client sends an HTTP request, and PHP or Yii reads the session id from the cookie and uses it to associate the request with the private server-side session data.
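To make the difference between the two storage models concrete, here is a small added example (written for this page; it is not code from this thread, from Yii or from PHP itself, and it is a Python model of the mechanism rather than a PHP script). The class and function names (ServerSessionStore, handle_request, sign_state, verify_state, tamper_state, peek_state) and the key are made up for the illustration. The first half models what the post above describes: the cookie carries only an opaque id and a forged id simply finds nothing on the server. The second half models the alternative where the state itself travels in the cookie, which is only safe if the server signs it, and even then the client can still read it.

```python
# Added example: two places session state can live.
# Not code from this thread, Yii or PHP; names here are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import secrets

SESSION_COOKIE = "PHPSESSID"  # PHP's default session cookie name


class ServerSessionStore:
    """Server-side session storage: the client only ever holds an opaque id."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data, never sent to the client

    def start(self):
        # 128 random bits from the OS CSPRNG, comparable to PHP's default id strength.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Unknown or forged ids map to nothing; there is nothing to tamper with.
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, cookies):
    """Simulate one request: read PHPSESSID from the Cookie header and attach the
    matching server-side data. Returns (sid, data, set_cookie_header_or_None)."""
    sid = cookies.get(SESSION_COOKIE)
    data = store.get(sid) if sid else None
    if data is None:
        # No valid session: start a fresh, empty one and hand the new id back.
        # HttpOnly keeps the id away from page scripts, Secure keeps it off plain HTTP.
        sid = store.start()
        data = store.get(sid)
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    else:
        set_cookie = None
    return sid, data, set_cookie


def _encode(state):
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def sign_state(state, key):
    """Client-side state model: the data itself rides in the cookie, so it must carry
    an HMAC or the client could edit it freely. Format: base64(payload).hex(tag)."""
    payload = _encode(state)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_state(cookie, key):
    """Return the state dict if the HMAC checks out, otherwise None."""
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # no separator or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def tamper_state(cookie, changes):
    """What a malicious client can try: edit the payload, keep the old tag."""
    b64, tag = cookie.rsplit(".", 1)
    state = json.loads(base64.urlsafe_b64decode(b64))
    state.update(changes)
    return base64.urlsafe_b64encode(_encode(state)).decode() + "." + tag


def peek_state(cookie):
    """What any client can read from a signed cookie: everything in it.
    Signing prevents modification; it does not provide confidentiality."""
    b64 = cookie.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(b64))


if __name__ == "__main__":
    store = ServerSessionStore()
    sid, data, set_cookie = handle_request(store, {})      # first visit, no cookie yet
    data["user_id"] = 42                                    # lives only on the server
    _, again, _ = handle_request(store, {SESSION_COOKIE: sid})
    _, forged, _ = handle_request(store, {SESSION_COOKIE: "guessed-id"})
    print("server-side:", again, "forged id sees:", forged)

    key = b"constructed-server-secret"                      # assumption: a server-only key
    cookie = sign_state({"user_id": 42, "role": "user"}, key)
    print("signed ok:", verify_state(cookie, key))
    print("tampered:", verify_state(tamper_state(cookie, {"role": "admin"}), key))
    print("client can still read:", peek_state(cookie))
```

The point for this thread: anything kept via a server-side session is invisible to the client and cannot be edited by it, at the cost of the server keeping state. Anything moved into a cookie is readable by whoever holds the cookie, and is only as trustworthy as the server's signature check on it.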
Anyway, if I turn off allowAutoLogin, then that presumably turns off cookie usage. What if you want to use allowAutoLogin but store session data in a server session?
I prefer not to store any temporary data in a DB table.
Bump. Any thoughts, anyone? What I’m saying is, I want to use allowAutoLogin - which will save the login in a cookie so that the user doesn’t keep getting logged out - but I want to store sensitive data (data stored via setState) in the server session (the way it does when you turn off allowAutoLogin). Can we do this?