Lithium all rows in cookies, session

Question

目前登录后锂会在会话和cookie中存储所有来自用户表的行，如密码，哈希等。如何删除（不允许存储）密码和哈希等一些信息？

Answer 1

The Session class stores what you tell it to! After Auth::check is done, you should only store the session identifier and/or absolutely necessary data in the cookie. Also make sure to use the Encryption provided by lithium (AES) out of the box.

For more detailed help, please post your login controller and all appropriate model/filters.

Answer 2

Since this commit you can pass an option 'persist' => array('field1','..') to Auth::check , or set them as default in your bootstrap session config, to store only specified fields.

So either you set this in your bootstrap/session.php

Auth::config(array(
    'user' => array(
        'adapter' => 'Form',
        'session' => array(
            'persist' => array('_id','username')
        ),
        'model' => 'Users'
    )
));

or you define the fields, when calling Auth::check() - this will override everything from the config above!

Auth::check('user', $this->request, array(
                'persist' => array('username','email')
            ))

Note: If not defined explicitly the password is never stored by default.

Answer 3

Passing options to Auth::check will get passed down to the adapter as well ( plus some extras ) -- for this I'm assuming you're using the Form adapter for the Auth class.

Try doing this when you perform your check: Auth::check('config', $data, array('fields' => array('fields', 'you', 'want'))

The key here is that array we tacked on the end with the fields key in it, this will be passed down to the Form adapter which takes in those options and uses them to query your model for a matching user. By telling it explicitly which fields to return, it will only pass those back to the Auth class for storing away.