Creating a user with encrypted password (bcrypt)

Hi, I am completely new to Yii but I have made some custom PHP applications from scratch in the past which could be classified as amateur work.

I am in need of creating a site with a few forms. The idea is that in order to see the forms, users first have to log in. The signup must be disabled for anyone but administrators of the site. Administrators are the only ones who create the usernames and say a default password. Users must be able to change their password and other optional user information after they log in to the site.

From what I understand in the tutorial, bcrypt() is the way to go. But there are few issues I do not understand yet, and wonder if you could point me in the right direction based on these facts I need to keep in mind:

  • sitename/web/index.php

This is where I shall display the login form. After the login, I will make a controller that defaults to a specific form, independent if the user is Administrator or not.

  • Administrators

How do I create the first administrator (myself) with an encrypted password? Do I need to write the whole signup & login functionality to do this, and then to modify/remove the signup function after the first account is made? Is there a best practice on how to create a user/password table?

  • Users

How to distinguish users from administrators? Maybe this could be done in the user/password table with an extra column that defines the user level? Again, any best practice here?

  • Session handling

I need to make sure that there are no vulnerabilities here. I have witnessed cookie spoofing before and that is not fun. So, I need to make sure that users can navigate between 2-3 forms and the "settings/configuration" page where they administrate their account information and change password. Will Yii allow me to do this based on the content of the tutorial? I have not yet completed this part.

I appreciate all answers and guidelines you can come with. Thank you in advance!

Sounds decent to me for a semi-closed web app. I adopted the same design for a web app used in a local network of a company.

Yes. But you don’t have to worry about the detail of it. Usually you only have to use yii\base\Security\generatePasswordHash() and yii\base\Security\validatePassword(), and that’s all.

"Migrations" should be the way to go. Create your user table and insert the very first row for the administrator using migrations.

Make sure to use migrations when you create/modify your database tables. It helps you a lot to keep your application maintainable.

Yes, it’s OK.

Please look at the "Security" sections of the guide, especially "Authentication" and "Authorization" for more information when you want to assign appropriate rights to "admins" and "users".

And read the following section for Sessions and Cookies.

Thank you for your answer. I followed your advice and got it working good.