Endless Redirect At Login


we use the feature "accessRules" for actions to decide, if an user is allowed to see content or not.

If an user tries to get an action (for example actionSendMail) which is only accessible for users which are logged in, so the rule calls the login-procedure. The login procedure tries to login the user, set the username and isGuest flag to true or false and redirects the user back to the action where he was coming from (in this example actionSendMail)

This works well, as long the user can be logged in. But if the login in is not successful, the login procedure set the isGuest flag and redirects back to the action where the users comes from (in this example actionSendMail), which is okay. In this case, the action knows, that the user need to be logged in for that action an starts the login procedure again, which results in endless logins tries.

So my question is: is there a way to avoid an 2nd login, if the first fails? Maybe there is an option I can set at the accessRules array?

Thank you.

can you post the code?

Which one? The code for the accessRules or the login procedure ?

Both accessRules and login action

Why would you redirect the user back to the original page after a failed login attempt? Shouldn’t he stay on the login form to correct his credentials and try again?

Redirect him back only after successful login.

i think you should have to use some handle action where you can send user after failed login.Till that time hold the return url in session then send him again on return url if Login is successful.

So, basically you need to change your approach here.else you are going to face this problem for long time.

And also please dont forget to unset your session variable where you are keeping your return url. Otherwise its going to be big prob for you. ;)

There is no "login form". The user will be logged in by browser certificate…

…and will be returned to the original page to use this page/application as guest with an degraded set of functions.

You could specify your own ‘deniedCallback’ property in accessRules. By default it calls this method:

protected function accessDenied($user,$message)





        throw new CHttpException(403,$message);


You’d have to use some property to indicate that a user is a guest BUT he already attempted logging in. Like a three state value in isGuest instead of just boolean true/false.


You have got the solution! :slight_smile: Thank you!!