
My user authorization works fine without authKey. I don't get how I should use it. But it's somehow more secure to use it, as it stands in the documentation. I've implemented these methods in the User ActiveRecord class.

public function generateAuthKey()
{
    $this->auth_key = Yii::$app->security->generateRandomString();
}

public function validateAuthKey($authKey)
{
    return $this->authKey === $authKey;
}

I even save it to the user table on user creation. But I know that validateAuthKey is never used. I'm using sessions, and only PHPSESSID is sent to the user. Do I have to set the authKey cookie manually? What are the advantages of this? Why can't I authorize the user just by PHPSESSID? It's already stored in the session table. Session configuration:

'session' => [
    'class' => 'yii\web\DbSession',
    'sessionTable' => 'session',
],

1 Answer

There’s an answer already in Yii2: Why is the auth key in class User?

See the following source code (vendor\yiisoft\yii2\web\User.php):

protected function loginByCookie()
{
    $value = Yii::$app->getRequest()->getCookies()->getValue($this->identityCookie['name']);
    if ($value === null) {
        return;
    }

    $data = json_decode($value, true);
    if (count($data) !== 3 || !isset($data[0], $data[1], $data[2])) {
        return;
    }

    list ($id, $authKey, $duration) = $data;
    /* @var $class IdentityInterface */
    $class = $this->identityClass;
    $identity = $class::findIdentity($id);
    if ($identity === null) {
        return;
    } elseif (!$identity instanceof IdentityInterface) {
        throw new InvalidValueException("$class::findIdentity() must return an object implementing IdentityInterface.");
    }

    if ($identity->validateAuthKey($authKey)) {
        if ($this->beforeLogin($identity, true, $duration)) {
            $this->switchIdentity($identity, $this->autoRenewCookie ? $duration : 0);
            $ip = Yii::$app->getRequest()->getUserIP();
            Yii::info("User '$id' logged in from $ip via cookie.", __METHOD__);
            $this->afterLogin($identity, true, $duration);
        }
    } else {
        Yii::warning("Invalid auth key attempted for user '$id': $authKey", __METHOD__);
    }
}
    You should include some explanation of how the code answers the question. If you think the answer to the other question answers here as well, you should flag this question for closure as a duplicate of the other one, or do nothing if you don't have enough (15) rep to be able to flag yet. Posting answers to a dupe is frowned upon here. – Palec Mar 14 '15 at 10:03
    Sorry about my posting an answer to a dupe; I am a novice, I just want to show how Yii2 works with auth_key. – Rambo Mar 14 '15 at 17:27
    It's okay, everybody here had to learn how this community works. And we still learn. :-) That's why I told you what's expected. If you want to show more than the original answer, you can post a better answer to the original question and still let the dupe be closed. – Palec Mar 14 '15 at 17:54
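The following is an added, stand-alone example (not code from the question, the answer, or the Yii2 source) that reproduces the identity-cookie contract the `loginByCookie()` method above parses, a JSON array `[id, authKey, duration]`, against a constructed in-memory user table. It illustrates the question's point about PHPSESSID versus authKey: the "remember me" cookie carries the user id plus the per-user `auth_key` secret, so it can restore a login after the server-side session row is gone, cannot be forged by someone who only knows a user id, and can be revoked for every device at once by regenerating `auth_key`. Function and variable names (`findIdentity`, `buildIdentityCookie`, the `$users` rows) are assumptions made for the example; in a real Yii2 application the User model's `generateAuthKey()`/`validateAuthKey()` fill these roles.

```php
<?php
// Added example, not part of the original question, answer or Yii2 source.
// Reproduces the identity-cookie check against a constructed user table.
declare(strict_types=1);

// Constructed "user table" (id => row). auth_key is a per-user random secret
// stored server-side, which is what generateAuthKey() writes on user creation.
$users = [
    1 => ['username' => 'alice', 'auth_key' => null],
    2 => ['username' => 'bob',   'auth_key' => null],
];

// Same idea as Yii::$app->security->generateRandomString(): URL-safe text
// drawn from a CSPRNG, long enough that guessing it is infeasible.
function generateAuthKey(): string
{
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

// Stand-in for User::findIdentity($id). Assumed helper for this example.
function findIdentity(array $users, int $id): ?array
{
    return $users[$id] ?? null;
}

// Stand-in for User::validateAuthKey(): compare the submitted key with the
// stored one in constant time, so the comparison does not leak a prefix match.
function validateAuthKey(array $identity, string $authKey): bool
{
    return $identity['auth_key'] !== null && hash_equals($identity['auth_key'], $authKey);
}

// What the framework puts in the identity cookie when login($identity, $duration)
// is called with $duration > 0: the user id, the auth key and the duration.
function buildIdentityCookie(int $id, string $authKey, int $duration): string
{
    return json_encode([$id, $authKey, $duration]);
}

// Mirrors the parsing and validation steps of loginByCookie(). Returns the
// user id on success and null on any failure.
function loginByCookie(array $users, ?string $cookieValue): ?int
{
    if ($cookieValue === null) {
        return null;
    }
    $data = json_decode($cookieValue, true);
    if (!is_array($data) || count($data) !== 3 || !isset($data[0], $data[1], $data[2])) {
        return null;
    }
    [$id, $authKey, $duration] = $data;
    if (!is_int($id) || !is_string($authKey) || !is_int($duration)) {
        return null;
    }
    $identity = findIdentity($users, $id);
    if ($identity === null || !validateAuthKey($identity, $authKey)) {
        return null;
    }
    return $id;
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        fwrite(STDERR, "FAILED: $message\n");
        exit(1);
    }
}

// 1. User creation: mint and persist auth_key for each account.
foreach ($users as $id => &$row) {
    $row['auth_key'] = generateAuthKey();
}
unset($row);

// 2. Alice logs in with "remember me" for 30 days. The cookie carries her id
//    and auth_key; it does not depend on any PHPSESSID or session table row.
$aliceCookie = buildIdentityCookie(1, $users[1]['auth_key'], 30 * 86400);
check(loginByCookie($users, $aliceCookie) === 1, 'valid cookie restores alice');

// 3. Knowing only a user id (bob = 2) is not enough to forge a cookie.
$forged = buildIdentityCookie(2, 'guess', 30 * 86400);
check(loginByCookie($users, $forged) === null, 'forged auth key is rejected');

// 4. Malformed payloads are rejected before any lookup happens.
check(loginByCookie($users, '{"id":1}') === null, 'wrong shape is rejected');
check(loginByCookie($users, 'not json') === null, 'non-JSON is rejected');

// 5. Rotating auth_key (password change, "log out everywhere") invalidates all
//    outstanding remember-me cookies for that user at once.
$users[1]['auth_key'] = generateAuthKey();
check(loginByCookie($users, $aliceCookie) === null, 'old cookie dies after rotation');

echo "identity cookie checks passed\n";
```

Two caveats for the real framework, stated from its documented behaviour rather than from this script: the identity cookie is only issued when the `user` component has `enableAutoLogin => true` and `login()` is called with a positive duration, and with `enableCookieValidation` on (the default) the cookie is additionally signed with `cookieValidationKey`, so a tampered cookie is dropped before `loginByCookie()` ever sees its JSON. The authKey check above is the second, per-user layer behind that signature.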