Custom login, using session data in the model?

First of all, I would like to say thank you to the developer(s) of this framework. It is terrific, however it is a steep learning curve for me, come from a vb/c# background, mostly webforms but started looking into MVC, some php hacks from time to time. I am not very skilled in object orientation but learning fast as I proceed with Yii 2.

My current project is a web application, I do have a customer database that is run on SQL server and most other software to manipulate and administer is written in VB. The customers have a small client where they can see status and book new requests.

I am moving the web based client over to Linux and creating the new client in YII/php. Security is a concern and my approach is to create a custom login (using $query) and setting session variables when customer is authenticated. Was thinking about implementing security by rules in the model (if doable).

So far I have a working "client" and most all necessary functions and data manipulations finished and tested. It is all done by modifying the default crud controllers and the models. My next task is the customer login and securing that a customer only get hold of his records and can manipulate only the data that is "open" for manipulation (through data validation).

Was planning on using the session variables to control most of what is possible to do for the logged in customer. Would this be against "best practices", i.e. should I start building this with the identity interface instead and use its functionality?

Sorry if my question(s) is too generic, I only used the framework for a week (I must say that it was a very productive week). :)