0

I have a problem with auth_key. I have a login form and it works correctly both without "remember me" and with "remember me", but I read the Yii documentation, and it says that "remember me" works with id and auth_key to create a cookie that keeps the user logged in for a long time. I checked the framework code and there are three parameters (id, auth_key, expire_time()). I save auth_key in the user table, and its code is here:

public function generateAuthKey()
{
    $this->auth_key = Yii::$app->security->generateRandomString();
}

public function validateAuthKey($authKey)
{
    return $this->getAuthKey() === $authKey;
}

public function getAuthKey()
{
    return $this->auth_key;
}

But I have a problem: if a user logs in to the site and I go to the user table and change the auth_key field, then when the user refreshes the page they should be thrown out of the site because their auth key has changed, but the user stays logged in. Where is the problem?

mohammad zahedi

3 Answers

1

The main use of auth_key is to authenticate the user by cookie (the user doesn't have to enter login data again). When you choose to be remembered at login, this is how you are remembered. The system has to identify you and log you in somehow. It won't log out the user if you change it.

Yupik
  • The documentation says: getAuthKey(): it returns a key used to verify cookie-based login. The key is stored in the login cookie and will be later compared with the server-side version to make sure the login cookie is valid. validateAuthKey(): it implements the logic for verifying the cookie-based login key. – mohammad zahedi Apr 18 '17 at 07:41
  • How can I access auth_key? I want to terminate the user's session. If the user checked "remember me", it creates the cookie "_identity", and I want to change the auth_key so that the user is thrown out of the panel after refreshing the page. – mohammad zahedi Apr 18 '17 at 07:43
  • Yeah, and that's exactly what it does. Cookie-based login allows the user to 'autologin' without providing login data again when they are logged out. You can't terminate a user session with this. – Yupik Apr 18 '17 at 07:45
  • Okay, please help me: how can I terminate that kind of user, like Telegram's terminate session? Is there any way to do this? – mohammad zahedi Apr 18 '17 at 07:47
  • Try to use DB sessions: http://www.yiiframework.com/doc-2.0/yii-web-dbsession.html So you can operate on SQL queries. – Yupik Apr 18 '17 at 07:49
  • Yes, I save sessions in MongoDB, and it works perfectly for users who didn't check "remember me": they are logged out after I remove their sessions. But if a user checked "remember me", I can't throw the user out because of the cookie; after I delete his session and he refreshes the page, a new session is created for him. – mohammad zahedi Apr 18 '17 at 07:51
  • So delete session AND change auth_key? – Yupik Apr 18 '17 at 07:53
  • I just delete the session, but perhaps that's my problem. But normally I change auth_key in phpMyAdmin as a test and refresh the page, but the user still stays on the site. – mohammad zahedi Apr 18 '17 at 07:55
  • You have to delete the session and change auth_key in one action, not: delete session, do something on the web page, change auth_key, do something on the web page. – Yupik Apr 18 '17 at 07:56
  • Thank you, I will check this and post the news here. – mohammad zahedi Apr 18 '17 at 07:59
  • Thanks, I removed the session and changed the auth key in the user table and it works correctly. – mohammad zahedi Apr 18 '17 at 17:13
  • Hi, I have another problem. That way works, but because auth_key is shared for all of the user's sessions, when I remove the auth key all of them are removed. For this (continued in the next comment): I save my sessions in MongoDB, so for this problem I save auth_key in MongoDB next to the session id, but there is a problem: on every page refresh the auth_key is changed in Mongo, and when I delete the session row for one user he is still logged in to the site. – mohammad zahedi Apr 22 '17 at 06:55
  • 'session' => [ 'class' => 'yii\mongodb\Session', 'writeCallback' => function($session) { return [ 'user_id' => Yii::$app->user->id, 'agent' => Yii::$app->request->getUserAgent(), 'ip' => Yii::$app->request->getUserIP(), 'auth_key' => Yii::$app->security->generateRandomString(), ]; } ], I check my auth key like this: public function getAuthKey() { Yii::$app->session->open(); $query = new Query(); $query->select(['auth_key']) ->from('cache') ->where(['id'=> Yii::$app->session->id ]); $row = $query->one(); return $row['auth_key']; } – mohammad zahedi Apr 22 '17 at 06:58
0

You can try to change the key yourself in the "validateAuthKey" method, but this would be bad practice; it is better to set the session time.

gud3
0
'session' => [
    'class' => 'yii\mongodb\Session',
    // Extra fields written with the session document on every session write
    'writeCallback' => function ($session) {
        return [
            'user_id' => Yii::$app->user->id,
            'agent' => Yii::$app->request->getUserAgent(),
            'ip' => Yii::$app->request->getUserIP(),
            'auth_key' => Yii::$app->security->generateRandomString(),
        ];
    },
],

public function getAuthKey()
{
    Yii::$app->session->open();

    // Look up the auth_key stored next to the current session id
    $query = new Query();
    $query->select(['auth_key'])
        ->from('cache')
        ->where(['id' => Yii::$app->session->id]);
    $row = $query->one();

    return $row['auth_key'];
}
mohammad zahedi
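
A simplified model of the behaviour discussed in this thread, added here as an example (plain PHP, not Yii framework code and not code from any poster): the session is checked first and the remember-me cookie only when no session exists, and each device gets its own token that is generated once at login instead of on every session write. The class `AuthModel`, its methods, the user id and the device names are hypothetical.

```php
<?php
// Simplified model, not Yii code: session store plus per-device remember-me tokens.
final class AuthModel
{
    public array $sessions = []; // session id => user id
    public array $tokens = [];   // user id => [device id => sha256(token)]

    public function login(int $userId, string $device): array
    {
        $sid = bin2hex(random_bytes(16));
        $token = bin2hex(random_bytes(32)); // created once at login, not on every write
        $this->sessions[$sid] = $userId;
        $this->tokens[$userId][$device] = hash('sha256', $token);
        return ['sid' => $sid, 'cookie' => [$userId, $device, $token]];
    }

    // One page request: the session is tried first, the cookie only as a fallback.
    public function request(array $client): ?array
    {
        if (isset($this->sessions[$client['sid']])) {
            return $client; // live session: the remember-me token is never compared
        }
        [$userId, $device, $token] = $client['cookie'];
        $stored = $this->tokens[$userId][$device] ?? null;
        if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
            return null; // no session and the cookie is rejected: logged out
        }
        $client['sid'] = bin2hex(random_bytes(16)); // cookie accepted: silent re-login
        $this->sessions[$client['sid']] = $userId;
        return $client;
    }

    // Revoke one device: its session and its token go in the same action.
    public function terminate(int $userId, string $device, string $sid): void
    {
        unset($this->sessions[$sid], $this->tokens[$userId][$device]);
    }
}

$m = new AuthModel();
[$phone, $laptop, $tablet] = [$m->login(7, 'phone'), $m->login(7, 'laptop'), $m->login(7, 'tablet')];

$m->tokens[7]['phone'] = hash('sha256', 'changed');   // A: token changed, session kept
var_dump($m->request($phone) !== null);
unset($m->sessions[$laptop['sid']]);                  // B: session deleted, token kept
var_dump($m->request($laptop) !== null);
$m->terminate(7, 'tablet', $tablet['sid']);           // C: both removed together
var_dump($m->request($tablet) !== null);
```

Run from the command line with `php`: cases A and B print `bool(true)` and only case C prints `bool(false)`, while the other devices of the same user are unaffected by the revocation in C.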