digiaonline/yii-account

Enhance the security of cookie-based login

Closed this issue · 2 comments

In the yii guide we can find the following about cookie login:

In addition, for any serious Web applications, we recommend using the following strategy to enhance the security of cookie-based login.

When a user successfully logs in by filling out a login form, we generate and store a random key in both the cookie state and in persistent storage on server side (e.g. database). Upon a subsequent request, when the user authentication is being done via the cookie information, we compare the two copies of this random key and ensure a match before logging in the user. If the user logs in via the login form again, the key needs to be re-generated. By using the above strategy, we eliminate the possibility that a user may re-use an old state cookie which may contain outdated state information.

To implement the above strategy, we need to override the following two methods:

  • CUserIdentity::authenticate(): this is where the real authentication is performed. If the user is authenticated, we should re-generate a new random key, and store it in the database as well as in the identity states via CBaseUserIdentity::setState.
  • CWebUser::beforeLogin(): this is called when a user is being logged in. We should check if the key obtained from the state cookie is the same as the one from the database.

Do you plan to implement it in yii-account?
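As an added example (not code from the issue or from yii-account), the strategy quoted from the guide as a Yii 1.x `CUserIdentity` / `CWebUser` pair. It assumes a `User` ActiveRecord with `username`, `password_hash` and `login_key` columns and PHP 7 for `random_bytes()`; the `login_key` column and the `LoginKey` state name are hypothetical.

```php
<?php
// Register with: 'components' => array('user' => array('class' => 'WebUser', 'allowAutoLogin' => true))

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null || !CPasswordHelper::verifyPassword($this->password, $user->password_hash)) {
            // Same error for unknown user and wrong password: no account-enumeration hint
            $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
            return false;
        }
        // Fresh random key on every form login, so any older state cookie stops matching
        $user->login_key = bin2hex(random_bytes(32));
        if (!$user->saveAttributes(array('login_key'))) {
            $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
            return false;
        }
        $this->_id = $user->id;
        $this->setState('LoginKey', $user->login_key); // copied into the identity cookie by CWebUser
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class WebUser extends CWebUser
{
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!$fromCookie) {
            return true; // form login: authenticate() has just issued and stored a new key
        }
        $user = User::model()->findByPk($id);
        $cookieKey = isset($states['LoginKey']) ? (string) $states['LoginKey'] : '';
        // Missing user, missing key or mismatch rejects the cookie login; constant-time compare
        if ($user === null || $user->login_key === null || !hash_equals($user->login_key, $cookieKey)) {
            return false;
        }
        return true;
    }
}
```

Clearing `login_key` in the database (e.g. on password change) invalidates every outstanding cookie for that account, since `beforeLogin()` then fails the comparison.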

@hugovk, @ericnishio will we be doing this at some point?

Closing and archiving repo.