Yii always starts a session when I touch CWebUser

I am developing a RESTful API server that requires a valid session for some of its API methods, supplied as a cookie carrying a session ID.

I am using Yii v1.1.15 with a PHP session handler (maybe "files").

The thing is, every time CWebUser is called, it creates a session, and I don't want that. The session should exist only when I explicitly create it, which means at login (or at registration, which automatically registers users). For example, if in a certain API method I check whether the user is a guest using a construct that includes:

Yii::app()->user->isGuest

it automatically creates a session, because that code sits in CWebUser.init().

Now, I am in no hurry to change CWebUser (or rather, to change this in an existing subclass that already alters it a bit in other respects), as I am afraid it will have an unintended impact on the system.

Can anyone enlighten me on this?

What would you do?

Thanks!

Environment:

// Yii v1.1.15
// session component configuration (but believe me, I've tried every
// combination; it's not really related. Check CWebUser.init()...)
'session' => array(
    'class'         => 'CHttpSession',
    'autoStart'     => false,
    'sessionName'   => 'MY_COOKIE_NAME',
    'cookieMode'    => 'allow',
    'cookieParams'  => array('lifetime' => 1000),
    'gcProbability' => 33,
    'timeout'       => 1000,
    'savePath'      => '/tmp/',
),
// Web User allowAutoLogin is set to false


2 answers


So you need to check whether the user is logged in (this is why you are using isGuest), but you don't want to use a session?

The method isGuest uses a session variable to check whether the user is logged in. The session is opened on creation of CWebUser (in the method init, as you said). isGuest is part of the class CWebUser. If you want to call this method, it will always create a session, unless you override it.

I think you can go two ways:

  • Open a session, check whether the user is logged in (isGuest), and then close it only if the user is not logged in. You will need to override the method isGuest. Override any other methods to open the session when you need it (login / register).
  • Let the client send its login details on every request, so you don't need to validate the session and therefore don't need to open it.

In both cases, you will need to override CWebUser.init() so that it does not open a session whenever CWebUser is created.

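An added example of the first approach this answer suggests; it is not code from the original post or from Yii, and it deliberately avoids the "open, test, then close" variant: by the time isGuest has been evaluated, session_start() has already emitted the Set-Cookie header, so session_write_close() would still hand every guest a session cookie. The subclass below skips CWebUser::init() and opens the PHP session only when the client already presents the session cookie, or when login() is called. The class name LazyWebUser, the helper openSessionIfPresent() and the 'user' component entry in the trailing comment are assumptions; the Yii 1.1 methods it calls (CApplicationComponent::init, CHttpSession::getIsStarted/getSessionName/open, CWebUser::getIsGuest/getId/login/logout) are real.

```php
<?php
// Added example; not from the original post or from Yii. Targets Yii 1.1.x.
// Hypothetical subclass that creates a PHP session only when one is needed:
// when the request already carries the session cookie, or on login().
class LazyWebUser extends CWebUser
{
    public function init()
    {
        // Skip CWebUser::init(): it unconditionally calls
        // Yii::app()->getSession()->open(), restores auto-login cookies and
        // updates flash messages. Run only the component initialisation.
        CApplicationComponent::init();
    }

    /** Open the PHP session only if the client already holds a session cookie. */
    protected function openSessionIfPresent()
    {
        $session = Yii::app()->getSession();
        if ($session->getIsStarted()) {
            return true;
        }
        // getSessionName() is the configured 'sessionName' (MY_COOKIE_NAME in the question).
        if (isset($_COOKIE[$session->getSessionName()])) {
            $session->open();
            return true;
        }
        return false;
    }

    public function getIsGuest()
    {
        // No session cookie: nothing to look up, so the caller is a guest and
        // this request produces neither a session nor a Set-Cookie header.
        // Yii::app()->user->isGuest still works, since __get() maps to getIsGuest().
        if (!$this->openSessionIfPresent()) {
            return true;
        }
        return parent::getIsGuest();
    }

    public function getId()
    {
        return $this->openSessionIfPresent() ? parent::getId() : null;
    }

    public function login(IUserIdentity $identity, $duration = 0)
    {
        // CWebUser::login() writes identity state into $_SESSION and regenerates
        // the session ID, so the session must exist first. This is the one place
        // a session (and its cookie) is created for a previously anonymous client.
        Yii::app()->getSession()->open();
        return parent::login($identity, $duration);
    }

    public function logout($destroySession = true)
    {
        // Nothing to destroy if the client never had a session.
        if ($this->openSessionIfPresent()) {
            parent::logout($destroySession);
        }
    }
}

/*
Hypothetical component configuration (protected/config/main.php), next to the
'session' component from the question (keep 'autoStart' => false there):

    'user' => array(
        'class'          => 'LazyWebUser',
        'allowAutoLogin' => false,
    ),
*/
```

Any other CWebUser accessor that reads session state directly (getName, getState, hasState, the flash helpers) needs the same openSessionIfPresent() guard if the API calls it for guests; the methods shown are the ones an API controller typically touches. A guest request that evaluates isGuest gets no Set-Cookie header, while a client that sends MY_COOKIE_NAME has its session opened transparently.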


So, the need was mainly for the following set of requirements:

  • Yii will be used (also) as a RESTful API server.
  • The RESTful server will only establish a session after a successful login.
  • The last point means that no cookie exists for guest users; one exists only for the session of an authenticated user.

Benefits of the above? Basically "free" management of login sessions via the PHP session, including timeouts, garbage collection, etc.

Despite the initial appeal of this design, the disadvantages outweighed the advantages:

  • Indeed, isGuest is a CWebUser property which, when tested, already implies a session generated for the request.
  • While trying to change the behavior described above, a lot of problems and mistakes appeared, and god knows what was lurking ahead. In fact, trying to change this behavior in Yii v1.1.x was too problematic, since many of the built-in functions and behaviors (in an abstract sense...) of Yii-based applications implicitly use the established session.

So, I went back to the following design:

  • Yii session management was put back to stock: yes please, open a session for everything that happens (just do it well, as usual).
  • The RESTful server sends an explicit session token on successful login.
  • The client must store this token and send it explicitly with each API method call that requires an authenticated session.
  • The server side stores the session token in the "freely managed" (PHP) session and can thus validate, for every single request, that the token sent by the user with that PHP session is indeed his.
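The final design described in this answer, as an added example that is not the poster's code: sessions are opened as usual, a successful login issues a random token that is stored in the PHP session, and every protected API call must present both the session cookie and that token. The controller, its action names, the X-Session-Token header, the 'api_token' session key and the UserIdentity class (the CUserIdentity subclass a Yii 1.1 skeleton app ships) are assumptions; it relies on PHP >= 5.6 for hash_equals() and on the OpenSSL extension for randomness.

```php
<?php
// Added example; not from the original post or from Yii. Targets Yii 1.1.x.
// Hypothetical API controller: login binds a random token to the PHP session,
// and a Yii filter checks that token on the actions that need authentication.
class ApiController extends CController
{
    const TOKEN_KEY = 'api_token';   // session key holding the issued token (assumed name)

    public function filters()
    {
        // Yii 1.1 filter syntax: apply tokenRequired only to the listed actions,
        // so login and register remain reachable by guests.
        return array(
            'tokenRequired + profile, logout',
        );
    }

    /** Filter: reject the request unless the client presents the token bound to its PHP session. */
    public function filterTokenRequired($filterChain)
    {
        $sent   = isset($_SERVER['HTTP_X_SESSION_TOKEN']) ? (string) $_SERVER['HTTP_X_SESSION_TOKEN'] : '';
        $stored = Yii::app()->getSession()->get(self::TOKEN_KEY);

        // The session cookie alone is not enough: the token issued at login must
        // also be present and match, compared in constant time. A request that
        // carries only a guessed or leaked cookie fails here.
        if (Yii::app()->user->isGuest || $stored === null || $sent === '' || !hash_equals($stored, $sent)) {
            throw new CHttpException(401, 'Authentication required.');
        }
        $filterChain->run();
    }

    public function actionLogin()
    {
        $request  = Yii::app()->getRequest();
        $identity = new UserIdentity($request->getPost('username', ''), $request->getPost('password', ''));
        if (!$identity->authenticate()) {
            throw new CHttpException(401, 'Invalid credentials.');
        }
        // CWebUser::login() regenerates the session ID, so the token is issued
        // into the fresh session and cannot be carried over from a pre-login one.
        Yii::app()->user->login($identity, 0);
        $this->sendJson(array('token' => self::issueToken()));
    }

    public function actionLogout()
    {
        // Destroying the PHP session discards the token with it.
        Yii::app()->user->logout(true);
        $this->sendJson(array('ok' => true));
    }

    public function actionProfile()
    {
        $this->sendJson(array(
            'id'   => Yii::app()->user->id,
            'name' => Yii::app()->user->name,
        ));
    }

    /** Generate a fresh 256-bit random token and store it in the current PHP session. */
    public static function issueToken()
    {
        $token = bin2hex(openssl_random_pseudo_bytes(32));
        Yii::app()->getSession()->add(self::TOKEN_KEY, $token);
        return $token;
    }

    private function sendJson($data)
    {
        header('Content-Type: application/json');
        echo CJSON::encode($data);
        Yii::app()->end();
    }
}
```

From the client side the exchange is: POST the credentials to the login action while keeping the cookie jar (curl -c jar -b jar), read the token from the JSON reply, then send every protected call with both the cookie jar and an X-Session-Token header. Because the token lives inside the server-side session, session timeouts and garbage collection from the 'session' component in the question expire it for free, which is the benefit the answer describes.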






