Be warned that the default implementation of CSecurityManager generates a validation key from a random number. This key is used to hash (HMAC) the user identity and state cookies.
This will cause you a problem if you are running multiple installations of your application and expect users to be identified (using autoLogin) across any of the nodes. It won’t work, because each node generates its own random key, so a hashed cookie won’t validate on any installation other than the one that generated it!
The problem was missed by us at the crucial testing phase, because we only system test on a single webserver <-> DB tier. Then at deployment time, the same web application gets installed on multiple webservers, behind a load balancer. We found we were getting lots of feedback from frustrated users saying “Your site keeps forgetting who I am”. A lesson learnt.
Our solution was simply to fix the validation key to a constant value, which is configured in an application startup hook (by subclassing CWebApplication) that calls Yii::app()->setGlobalState(CSecurityManager::STATE_VALIDATION_KEY, some_constant_value); This way, all nodes hash and decrypt with the same fixed key, so cookies are readable by any node regardless of which node created them.
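The startup hook described above, written out as an added example (this is not the original post's code, nor code from the Yii project). It assumes Yii 1.x and a hypothetical 'validationKey' entry under 'params' in protected/config/main.php; the class name MultiNodeWebApplication is also invented here.

```php
<?php
// Added example, not code from the original post or from the Yii project.
// Pins the CSecurityManager validation key to a shared constant so that
// cookies hashed on one web node validate on every other node.
// Assumptions: Yii 1.x, and a 'validationKey' entry under 'params' in
// protected/config/main.php (hypothetical key name chosen for this example).

class MultiNodeWebApplication extends CWebApplication
{
    protected function init()
    {
        parent::init();

        // The shared key comes from config that is deployed identically to
        // every node, and is kept out of version control like any other secret.
        $key = isset($this->params['validationKey']) ? $this->params['validationKey'] : null;

        if (!is_string($key) || strlen($key) < 32) {
            // Fail loudly at startup rather than silently fall back to the
            // per-node random key that causes the "site forgets me" symptom.
            throw new CException(
                'params[validationKey] must be a shared secret of at least 32 characters.'
            );
        }

        // Same call as in the post: populate the global state entry that
        // CSecurityManager::getValidationKey() would otherwise fill with a
        // random value on first use. setGlobalState only persists when the
        // value actually changes, so this is cheap on every request.
        $this->setGlobalState(CSecurityManager::STATE_VALIDATION_KEY, $key);
    }
}

// Entry script (index.php): boot the subclass instead of plain CWebApplication.
// $config = dirname(__FILE__) . '/protected/config/main.php';
// Yii::createApplication('MultiNodeWebApplication', $config)->run();
```

Two practical notes. First, the key is a secret: anyone who holds it can forge identity cookies, so generate it once with a CSPRNG, deploy it through configuration rather than committing it, and expect that rotating it logs every user out at once. Second, the encryption key has the same per-node behaviour (CSecurityManager::STATE_ENCRYPTION_KEY), so if you use CSecurityManager::encrypt() for anything that must survive a hop between nodes, pin that value the same way.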