yii: security concerns regarding autologin, sessions and cookies

this post requires basic understanding about yii framework's authentication and authorization.

while researching about using php session variable to keep persistent data in a yii-based project, i came across this thread that discussed security implications, that when there are options to 'remember be' or 'keep me logged in' on login forms, any user information that to be saved in a session is set with CUserIdentity::setPersistentStates() and these information are clear text in cookies!

this is definitely undesirable when you want to store password information or any sensitive data.

the document has warned (in big green box) about this and advised that any sensitive data should not be made persistent.

what if, password must be stored? there may be many other authentication solutions. we'll just concentrate with this one in this post.

please note that i'm not proficient with yii framework and this is a solution that i came up with. it's appreciated any yii experts could point out anything not done correctly. thanks!

authentication and set user information

in /path/to/components/UserIdentity.php:

PHP:

	`class UserIdentity extends CUserIdentity {`
	`public function authenticate() {`
	`$user = User::model()->find_or_validate_user($this->username, $this->password);`
	`if ($user === null) {`
	`// user not found or validations fails`
	`// set error codes`
	`$this->errorCode = self::SOME_ERROR_CONSTANTS;`
	`}`
	`else {`
	`$this->errorCode = self::ERROR_NONE;`

	`// set data to be saved in session`
	`$this->setPersistentStates(array(`
	`'password' => $this->password,`
	`// set any other user data`
	`'some_data' => $user->some_data,`
	`));`
	`}`
	`return !$this->errorCode;`
	`}`
	`}`

password encryption

there are quite a few encryption methods. choose one that can be encrypted and decrypted. or write your own.

PHP:

class MyWebuser extends CWebuser {
    private $password_key = 'some_random_string';
    public function beforeLogin($id, &$states, $fromCookie) {
        $states[$this->password_key] = encryption_method($states['password']);
        unset($states['password']);
    }
    public function getSessionPassword() {
        return decryption_method($this->{$this->password_key});
    }
    
    /* optionally write your own methods here and name it to anything you like */
    private function encryption_method($string) {
        return some_encryption($string);
    }
    private function decryption_method($string) {
        return some_decryption($string);
    }
 
}

notes

line 2: define a random string as a key to store the encrypted password. you can write a private function to generate this random string.

line 3: remember to pass $states as reference so that the function can modify this data.

line 4 and 8: use encryption method of your choice. use some random string as key so that it's not obvious it's a password. or you can write your own method as in lines 12 to 17.

line 5: remove password altogether so that it will not be saved in session nor cookies.

get the password

PHP:

Yii::app()->user->getSessionPassword();

	`class MyWebuser extends CWebuser {`
	`private $password_key = 'some_random_string';`
	`public function beforeLogin($id, &$states, $fromCookie) {`
	`$states[$this->password_key] = encryption_method($states['password']);`
	`unset($states['password']);`
	`}`
	`public function getSessionPassword() {`
	`return decryption_method($this->{$this->password_key});`
	`}`

	`/* optionally write your own methods here and name it to anything you like */`
	`private function encryption_method($string) {`
	`return some_encryption($string);`
	`}`
	`private function decryption_method($string) {`
	`return some_decryption($string);`
	`}`

	`}`