In addition, for any serious Web applications, we recommend using the following strategy to enhance the security of cookie-based login.
Why are we including the check in the CWebUser::beforeLogin? Isn’t the new key just stored in the states at login?
What I am doing is the following:
In CUserIdentity::authenticate() I store a random key in the COOKIE and also in the database. Then I log in the USER.
Every time the user checks a page on the site, I compare the random key IN THE COOKIE with that found in the database for that user ID. If there is no match, I log out the user. If there is a match, the user is able to access the page.
This is resource intensive though. Is there a better way to make sure Cookies are not faked or manipulated?
Why would we do the matching of keys in CWebUser::beforeLogin()? That makes no sense.
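The strategy the quoted guide paragraph refers to, written out as an added example for Yii 1.1 (this is not the poster's code and not code from the Yii guide). It assumes a `User` ActiveRecord with columns `id`, `username`, `password_hash` and `login_key`, that `components/user` is configured with `'class' => 'WebUser'`, and PHP 5.6 or later for `hash_equals()` and `password_verify()`. In Yii 1.1 `CWebUser::beforeLogin($id, $states, $fromCookie)` runs both after a successful form login and when CWebUser restores a login from the remember-me cookie, and `$states` holds the identity states that were serialized into that cookie. That is why the key comparison goes there: it is the one hook that sees the cookie-supplied key before a session exists, so the database lookup happens once per cookie restore rather than on every request.

```php
<?php
// Added example: cookie-login key check for Yii 1.1 (not the original post's
// code). Assumed: User model with columns id, username, password_hash,
// login_key; components/user uses 'class' => 'WebUser'; PHP >= 5.6.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            // A fresh key on every form login invalidates any cookie issued earlier.
            $key = bin2hex(openssl_random_pseudo_bytes(32));
            $user->login_key = $key;
            $user->saveAttributes(array('login_key'));

            $this->_id = $user->id;
            // Identity states are what CWebUser serializes into the remember-me
            // cookie, so the key travels with the cookie without extra code.
            $this->setState('loginKey', $key);
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    /**
     * Invoked by CWebUser::login() before the user becomes logged in.
     * $fromCookie is true when the login is being restored from the cookie;
     * the form-login path already proved the password and needs no DB check.
     * Returning false aborts the login, so a forged or stale cookie never
     * yields a session and no per-request comparison is required.
     */
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true;
        }

        $presented = isset($states['loginKey']) ? (string) $states['loginKey'] : '';
        $user = User::model()->findByPk($id);
        if ($user === null || $user->login_key === null || $presented === '') {
            return false;
        }

        // Constant-time comparison of the cookie's key with the stored one.
        return hash_equals($user->login_key, $presented);
    }
}
```

Because the key is regenerated on each form login, a cookie captured before the user logged in again stops working; clearing `login_key` in the database (for example on logout or password change) revokes every outstanding remember-me cookie for that account without touching the browsers.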