CompositeAuth and session/cookies based auth

trying to find best way to realize next API behavior:
API (REST) is located on different subdomain and have method /post triggered by Javascript for posting messages.
The idea to have one entry point for Web and REST api in way:

  • If there are cookies/sessions available from main app login - use it
  • If not - try to validate using QueryParamAuth or HttpHeaderAuth.
    Currently I stuck with implementing - how to check whether user authenticated by frontednd (using session) utilizing CompositeAuth behavior

Any ideas ?

— Updates:

for those who struggle with same issue - here is simple dummy workaround:

 $behaviors['authenticator'] = [
    'class' => CompositeAuth::className(),
    'authMethods' => [

and class itslef:

namespace common\helpers;

class SessionAuth extends \yii\filters\auth\AuthMethod
    public function authenticate($user, $request, $response)
        $identity = $user->getIdentity();

        if ($identity === null) {
        return $identity;