Having Trouble With Users Not Remaining Logged In

Noticed a small bug, but it’s really weird and I’m not sure how to track it down.

On my localhost, everything is fine.

On production server, I get logged out automatically after a few hours (unsure of exact timing).

There is no configuration difference between the two environments except for database and email.

Additionally, I still see that I have the proper _csrf and _identity cookies set. It just somehow fails to log me in after some time passes.

Any ideas?

Relevant info:

Ubuntu 13.04

PHP 5.4.9

nginx 1.2.6


Are you using "remember me" when logging in?

Yes, this is set. (It’s enabled by default)

I just checked it again after waking up - still logged in on localhost, logged out on production.

Edit - just hacked my user component on production to double check.

nano vendor/yiisoft/yii2/web/User.php


public function login($identity, $duration = 0) {

    var_dump($this->enableAutoLogin);echo $duration;exit;



// outputs "bool(true) 2592000" when I log in 

The "problem" should be in PHP garbage collection.

in localhost you are the only user and PHP session is not cleared out even if you access it 24h later just continued as you ask for the same session on page load. In shared environment PHP session timeout kicks in and you session will be cleared out.

OFC because you are using autologin the session should be automatically restarted and you logged in. Not sure why it’s not happening. You can test in localhost if the same happens. Just open the site in different browser after the PHP session timeout should kick in and then reload the page in main browser.

Ok, I figured out the issue. I’ve been following the yii2-app-basic template, but it never made it clear how to set the auth_key properly.

I assumed this was set by Yii automatically, but it looks it needs to be set directly in app\models\User (or whatever identity class you use).

Here’s the example in the advanced template saving the auth_key:

public function beforeSave($insert)


        if (parent::beforeSave($insert)) {

                if (($this->isNewRecord || $this->getScenario() === 'resetPassword') && !empty($this->password)) {

                        $this->password_hash = Security::generatePasswordHash($this->password);


                if ($this->isNewRecord) {

                        $this->auth_key = Security::generateRandomKey();


                return true;


        return false;


Here’s the basic template version which kind of just puts that directly into the “database”.

Perhaps a note should be added to make this more clear?

Edit: Yes, this is related to what Renka said. On localhost, session is never cleared so it never needs to call yii\web\User::loginByCookie(), which is where the autologin fails.

There’s a good description, I think https://github.com/yiisoft/yii2/blob/master/docs/guide/authentication.md#authentication If it’s not clear please suggest how to improve it.