Revision #7 has been created by darkheir on Sep 2, 2014, 4:48:31 PM with the memo:
Code formatting
« previous (#6)
Changes
Title
unchanged
Enhance security of cookie-based login
Category
unchanged
How-tos
Yii version
unchanged
Tags
unchanged
login, cookie, security
Content
changed
[...]
// Generate a login token and save it in the DB
$user->logintoken = sha1(uniqid(mt_rand(), true));
$user->save();
//the login token is saved as a state
$this->setState(self::LOGIN_TOKEN, $user->logintoken);[...]
There is a great library for generating random numbers and strings created by Anthony Ferrara that you could use: [RandomLib](https://github.com/ircmaxell/RandomLib).
In my configuration file, in the params section I have a `rememberMeTime` key holding the time a user may be cookie-logged, in seconds.
###The WebUser component
Then we are going to extend the CWebUser component to check if the cookie value matches the DB in the beforeLogin method.[...]
$cookieLogintoken = $states[UserIdentity::LOGIN_TOKEN];
if(isset($cookieLoginToken, $user)
&& $cookieLoginToken == $user->logintoken) {
return true;
}
return false;
}
}
```