How to Block Access to pages after logout.


So I will have a few public pages and many private pages on my website.

After a user has successfully logged-on, I will store a few sessions variables and give him a new menu with access to the private pages. After logging out, the user’s session will be destroyed and the menu will change back to the default. Now the user must not be able to access any private pages, not even by typing the url. The only way to get back to private pages must be to logon again.

I know I can check on each and every page if the session is not set, redirect to home page.

Is there any better way to do this?

I might end up with 60 private pages and don’t really want to go and validate session data on each page.


You must define an access rule in you controller, like the following.

	public function behaviors() {

    	return [

        	'access' => [

            	'class' => AccessControl::className(),

            	'rules' => [


                    	'actions' => ['update', 'delete', 'insert'],

                    	'allow' => true,

                    	'roles' => ['@'],






‘roles’ => [’@’] means authenticated user

‘allow’ => true, allow the access

Assuming the standard action of a controller, the ‘index’ (is not on the list) can be called by all (even not authenticated) but ‘update’, ‘delete’, ‘insert’ only by authenticated one.

Refer to the docs for further information:


If you need more control over user action (which user is authorized to do what => Authorization) you need to look for RBAC.


Thank you, I will have a look at it.