Changes
Title
unchanged
Enhance security of cookie-based login
Category
unchanged
How-tos
Yii version
unchanged
Tags
unchanged
login, cookie, security
Content
changed
[...]
```php
// Generate a login token and save it in the DB
$user->logintoken = sha1(uniqid(mt_rand(), true));
$user->save();
// the login token is saved as an identity state, so it ends up in the auto-login cookie
$this->setState(self::LOGIN_TOKEN, $user->logintoken);
```
[...]
There is a great library for generating random numbers and strings created by Anthony Ferrara that you could use: [RandomLib](https://github.com/ircmaxell/RandomLib).
In my configuration file, in the params section, I have a `rememberMeTime` key holding the time, in seconds, for which a user may stay logged in through the cookie.
### The WebUser component
Then we are going to extend the CWebUser component so that its beforeLogin method checks whether the token from the cookie matches the one stored in the DB.[...]
```php
$cookieLoginToken = $states[UserIdentity::LOGIN_TOKEN];
// strict comparison: both the user record and the cookie token must exist and match exactly
if(isset($cookieLoginToken, $user)
    && $cookieLoginToken === $user->logintoken) {
    return true;
}
return false;
}
}
```
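The two excerpts above are elided. Below is an added, complete version of the same idea (example code written for this page, not the article author's own): the identity issues a fresh token on every password login and stores it in both the DB and the identity state, and the extended `CWebUser` rejects a cookie login whose token does not match the DB. It assumes a Yii 1.1 application with a `User` CActiveRecord carrying `username`, `password_hash` and `logintoken` columns, and the `params['rememberMeTime']` entry the article describes. The token is generated with PHP's built-in `random_bytes()` rather than RandomLib, and compared with `hash_equals()`; both are assumptions of this example, not the article's choices.

```php
<?php
// Added example, not the original article's code. Assumes a Yii 1.1 project with a
// `User` CActiveRecord (columns: id, username, password_hash, logintoken) and a
// `params['rememberMeTime']` config entry (seconds) as described in the article.

class UserIdentity extends CUserIdentity
{
    const LOGIN_TOKEN = '__loginToken';

    private $_id;

    public function authenticate()
    {
        $user = User::model()->find('username = :u', array(':u' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }
        if (!password_verify($this->password, $user->password_hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return false;
        }

        // Fresh, unpredictable token per password login: hex of 32 random bytes (256 bits).
        // A new token on every login also invalidates any older remember-me cookie.
        $user->logintoken = bin2hex(random_bytes(32));
        $user->save(false);

        $this->_id = $user->id;
        // Stored as an identity state, so Yii writes it into the auto-login cookie.
        $this->setState(self::LOGIN_TOKEN, $user->logintoken);
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    // Called by CWebUser before both form logins and cookie-based auto-logins.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // the password was just verified by UserIdentity::authenticate()
        }

        $user = User::model()->findByPk($id);
        $cookieLoginToken = isset($states[UserIdentity::LOGIN_TOKEN])
            ? $states[UserIdentity::LOGIN_TOKEN] : null;

        // No user, no token in the cookie, or no token in the DB: refuse the cookie login.
        if ($user === null || !is_string($cookieLoginToken) || !is_string($user->logintoken)) {
            return false;
        }

        // Constant-time comparison, so the check does not leak how many leading bytes matched.
        return hash_equals($user->logintoken, $cookieLoginToken);
    }
}

// In the login action, the cookie lifetime comes from params['rememberMeTime'];
// a duration of 0 means a session-only login with no auto-login cookie.
function loginUser(UserIdentity $identity, $rememberMe)
{
    $duration = $rememberMe ? (int) Yii::app()->params['rememberMeTime'] : 0;
    return Yii::app()->user->login($identity, $duration);
}
```

For the cookie login path to exist at all, the `user` component must point at the subclass and allow auto-login, e.g. `'user' => array('class' => 'WebUser', 'allowAutoLogin' => true)` in the application config; without `allowAutoLogin` Yii never writes the identity cookie and `beforeLogin` is only ever called with `$fromCookie === false`.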