I have a big problem with Yii 1.1. I did a correct implementation of the Yii login functionality, but I have one big problem: I use an IDS to detect intrusions, but if a user logs in and activates RememberMe, the application generates an error. If I delete the RememberMe cookie stored in the browser, the application works normally. The IDS logs the following errors in my database:
Try overriding the CWebUser default cookie save/load functionality.
For example with base64_encode/decode:
<?php
# /protected/components/EWebUser.php
// Copy from the 1.1.15 CWebUser class
class EWebUser extends CWebUser
{
    /**
     * Populates the current user object with the information obtained from cookie.
     * This method is used when automatic login ({@link allowAutoLogin}) is enabled.
     * The user identity information is recovered from cookie.
     * Sufficient security measures are used to prevent cookie data from being tampered.
     * @see saveToCookie
     */
    protected function restoreFromCookie()
    {
        $app=Yii::app();
        $request=$app->getRequest();
        $cookie=$request->getCookies()->itemAt($this->getStateKeyPrefix());
        if($cookie && !empty($cookie->value) && is_string($cookie->value) && ($data=$app->getSecurityManager()->validateData($cookie->value))!==false)
        {
            // the HMAC has already been validated above; only then decode and unserialize
            $data=@unserialize(base64_decode($data));
            if(is_array($data) && isset($data[0],$data[1],$data[2],$data[3]))
            {
                list($id,$name,$duration,$states)=$data;
                if($this->beforeLogin($id,$states,true))
                {
                    $this->changeIdentity($id,$name,$states);
                    if($this->autoRenewCookie)
                    {
                        $this->saveToCookie($duration);
                    }
                    $this->afterLogin(true);
                }
            }
        }
    }

    /**
     * Renews the identity cookie.
     * This method will set the expiration time of the identity cookie to be the current time
     * plus the originally specified cookie duration.
     * @since 1.1.3
     */
    protected function renewCookie()
    {
        $request=Yii::app()->getRequest();
        $cookies=$request->getCookies();
        $cookie=$cookies->itemAt($this->getStateKeyPrefix());
        if($cookie && !empty($cookie->value) && ($data=Yii::app()->getSecurityManager()->validateData($cookie->value))!==false)
        {
            $data=@unserialize(base64_decode($data));
            if(is_array($data) && isset($data[0],$data[1],$data[2],$data[3]))
            {
                $this->saveToCookie($data[2]);
            }
        }
    }

    /**
     * Saves necessary user data into a cookie.
     * This method is used when automatic login ({@link allowAutoLogin}) is enabled.
     * This method saves user ID, username, other identity states and a validation key to cookie.
     * These information are used to do authentication next time when user visits the application.
     * @param integer $duration number of seconds that the user can remain in logged-in status. Defaults to 0, meaning login till the user closes the browser.
     * @see restoreFromCookie
     */
    protected function saveToCookie($duration)
    {
        $app=Yii::app();
        $cookie=$this->createIdentityCookie($this->getStateKeyPrefix());
        $cookie->expire=time()+$duration;
        $data=array(
            $this->getId(),
            $this->getName(),
            $duration,
            $this->saveIdentityStates(),
        );
        // base64 wraps the serialized array; hashData() still prepends the HMAC
        $cookie->value=$app->getSecurityManager()->hashData(base64_encode(serialize($data)));
        $app->getRequest()->getCookies()->add($cookie->name,$cookie);
    }
}
This code is copied from the framework's CWebUser class; I just added base64_encode and base64_decode on these 3 lines:
<?php
class EWebUser extends CWebUser
{
    protected function restoreFromCookie()
    {
        ....
        $data=@unserialize(base64_decode($data));
                           ^^
        ....
    }

    protected function renewCookie()
    {
        ....
        $data=@unserialize(base64_decode($data));
                           ^^
        ....
    }

    protected function saveToCookie($duration)
    {
        ....
        $cookie->value=$app->getSecurityManager()->hashData(base64_encode(serialize($data)));
                                                            ^^
        ....
    }
}
and change the user component class to the EWebUser in the config:
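As an added example (not part of the question or the answer, and not Yii's own code), the script below reproduces outside the framework what the answer's EWebUser change does to the cookie value: the four-element identity array is serialized, optionally base64-wrapped, and then signed the way CSecurityManager::hashData()/validateData() do (HMAC prepended to the data). Running it shows why the IDS reacted to the original cookie and stops reacting to the wrapped one: the raw form carries serialize() syntax (`a:4:{i:0;i:42;...`), which a signature-based IDS can match, while the base64 form contains only `[A-Za-z0-9+/=]`. It also shows that base64 only changes the representation; integrity still rests on the HMAC, which is checked before unserialize() is ever reached, exactly as in restoreFromCookie(). The helper names (hmacSign, hmacValidate, encodeIdentity, decodeIdentity) and the validation key are assumptions for this script.

```php
<?php
// Added example, not from the question, the answer, or the Yii framework.
// VALIDATION_KEY and the helper names below are constructed for this script.
const VALIDATION_KEY = 'constructed-demo-key-replace-in-real-config';

// Mimics CSecurityManager::hashData(): hex HMAC (sha1 by default) prepended to the data.
function hmacSign(string $data): string
{
    return hash_hmac('sha1', $data, VALIDATION_KEY) . $data;
}

// Mimics CSecurityManager::validateData(): returns the data on success, false otherwise.
function hmacValidate(string $signed)
{
    $len = strlen(hash_hmac('sha1', '', VALIDATION_KEY)); // 40 hex characters for sha1
    if (strlen($signed) < $len) {
        return false;
    }
    $hash = substr($signed, 0, $len);
    $data = substr($signed, $len);
    return hash_equals(hash_hmac('sha1', $data, VALIDATION_KEY), $hash) ? $data : false;
}

// What saveToCookie() stores: array(id, name, duration, states), signed after encoding.
function encodeIdentity(array $identity, bool $base64): string
{
    $serialized = serialize($identity);
    return hmacSign($base64 ? base64_encode($serialized) : $serialized);
}

// What restoreFromCookie() does: validate the HMAC first, only then decode and unserialize.
function decodeIdentity(string $cookieValue, bool $base64)
{
    $data = hmacValidate($cookieValue);
    if ($data === false) {
        return false;
    }
    $data = @unserialize($base64 ? base64_decode($data) : $data);
    if (!is_array($data) || !isset($data[0], $data[1], $data[2], $data[3])) {
        return false;
    }
    return $data;
}

// Constructed sample identity, shaped like the array the answer's saveToCookie() builds.
$identity = array(42, 'alice', 3600 * 24 * 30, array('role' => 'editor'));

$plain  = encodeIdentity($identity, false); // original CWebUser-style value
$base64 = encodeIdentity($identity, true);  // EWebUser-style value

echo "Raw CWebUser-style cookie value:\n  $plain\n";
echo "EWebUser-style cookie value:\n  $base64\n";

// The raw value exposes serialize() syntax; the base64 value is alphanumeric plus + / =.
$pattern = '/a:\d+:\{/';
echo "Serialize syntax visible in raw value:    " . (preg_match($pattern, $plain) ? 'yes' : 'no') . "\n";
echo "Serialize syntax visible in base64 value: " . (preg_match($pattern, $base64) ? 'yes' : 'no') . "\n";

// Round trip restores the identity, and a cookie altered by one character is
// rejected by the HMAC check before unserialize() runs.
var_dump(decodeIdentity($base64, true) === $identity); // bool(true)
$last = substr($base64, -1);
$tampered = substr($base64, 0, -1) . ($last === 'A' ? 'B' : 'A');
var_dump(decodeIdentity($tampered, true)); // bool(false)
```

When deploying the answer's EWebUser, keep the order of operations it uses: validateData() must succeed before base64_decode() and unserialize() see any cookie bytes, since the base64 layer adds no integrity protection of its own.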