Authentication & Web Service


I wondered if anyone could suggest the best way to go about providing a web service which shares the same authentication process as the web site (sharing the same webapp).

Basically I have a Controller which uses a UserIdentity to authenticate and authorize, and I was hoping to extend this class to provide similar actions (services) for SOAP users.

So the first “service” I guess would be to Login, and I assume I would somehow need to return a session id in the (successful) response. I’m not sure how I would use the session id along with the UserIdentity class to authenticate each time the user makes a service req…

All this stuff is done automatically with browser-webapp communication using cookie data. I’m not sure if I am making a mistake in trying to use this stateless architecture in such a way; if it is not advised, then the user could simply supply login data with each req.


Does anyone know if this is even possible?

I have seen services online which use the method of returning a SESSION_ID after authentication. I think it is possible with PHP but I don’t know how to incorporate this into the work I am doing with this framework.


I did some testing…

  $client = new SoapClient('http://somehost/index.php?r=item/itemsWS');

  // Log in first; call the protected service only if login succeeded.
  $status = $client->login('demo', 'demo');

  if ($status) {
    $data = $client->getCurrentItems();
  } else {
    echo 'Not logged in<br>';
  }

You have to add a CookieContainer if you use a .NET client.

Whether best practice or not, I can’t tell.


It seems like my web service tests no longer run.

(It was a long time since I previously tried it out.)

Might also be related to this issue


It turns out the problem was related to recent entry script hiding and path format URLs.


I am still trying to achieve this. But I have some new hope.

My client is now able to get the PHPSESSID from the response and the SOAP server code is set up to log in (as usual) using UserIdentity etc.

But, for some reason, the logged-in session is not maintained when the client makes its next request.

(Even though it is passing in the PHPSESSID as a cookie).

I don’t know what else the yiiframework (or maybe PHP?) needs to authenticate and restore the logged in session.

Has anyone run into this?

Edit: I will create a new thread for this question…

I am facing the same issue. Token-based authentication or cookie-based authentication doesn’t work anymore. I have to pass username and password in each request for handling all protected actions.

Did you find any solution?