https on login page

Should I use https on the advanced template for the login page?

And if so, what's the best way to do it?

Login page and everything behind a login should always be under https; http clear-text communication is easily intercepted by any novice hacker.

Also the frontend, if a login is required, should be under https!

https is something you must configure in your webserver, it is not on the yii side.

On apache2 an https virtualhost for the backend is like the following one (you must adapt it to your server configuration).


<VirtualHost *:443>
    ServerName www.yoursite.com
    DocumentRoot /var/www/www.yoursite.com/backend

    # enable TLS for this virtual host
    SSLEngine on
    # server certificate, its private key and the CA chain
    SSLCertificateFile /path/to/www_yoursite_com.crt
    SSLCertificateKeyFile /path/to/www_yoursite_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

To use https/ssl you need a certificate, a real one released by an authority or an auto-generated one.

To see how to do it search on google, there are plenty of resources.

Thx Roberto,

The certificate is working.

Next question is how to enable all pages to require a login and to force https.

But no https for all pages, some of them must be http.

If I understand, you need all pages (except login) to require authentication, but not all of them under https.

So proceed in order, I'll answer the authentication one since the second one is a bit more tricky and I need to think about it.

1) require authentication

In your controllers you must specify the following behaviors()




    // requires: use yii\filters\AccessControl; at the top of the controller file
    public function behaviors() {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,   // grant access to the whole controller...
                        'roles' => ['@'],  // ...only to authenticated users
                    ],
                ],
            ],
        ];
    }



The part that interests you is 'access'.

The above access rule says that access to the whole controller is granted ('allow' => true) only to authenticated users ('roles' => ['@']).

If you want to specify specific actions like index, delete, update... add 'actions', something like the following.




    // requires: use yii\filters\AccessControl; at the top of the controller file
    public function behaviors() {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['update', 'delete', 'insert'],  // rule applies only to these actions
                        'allow' => true,
                        'roles' => ['@'],  // authenticated users only
                    ],
                ],
            ],
        ];
    }



Assuming the standard actions of a controller, 'index' (which is not on the list) can be called by all (even unauthenticated users), but 'update', 'delete', 'insert' only by authenticated ones.

Refer to the docs for further information:

http://www.yiiframework.com/doc-2.0/guide-structure-filters.html#filters

http://www.yiiframework.com/doc-2.0/guide-structure-filters.html#accesscontrol

If you need more control over user actions (which user is authorized to do what => Authorization) you need to look at RBAC.

http://www.yiiframework.com/doc-2.0/guide-security-authorization.html

This page also explains a bit more about AccessControl.

Thanks again Roberto,

This helps me a lot.

The only thing which bothers me is how to force certain pages to https.

I know how to do this with the .htaccess file for all pages.

But I'd like to do it in yii2 for certain pages.

So here we come to point 2.

2) force https only for some pages

To do so you should use getIsSecureConnection() in your controller action:

yii\web\Request::getIsSecureConnection()

http://www.yiiframework.com/doc-2.0/yii-web-request.html#getIsSecureConnection()-detail

or better use it by configuring a pre-filter for some actions:

http://www.yiiframework.com/doc-2.0/guide-structure-filters.html

With a prefilter you have the redirect code in one place in the controller, so it is easier to maintain and configure.
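The following controller is an added example written for this thread; it is not Roberto's code and not part of Yii itself. It combines point 1 (AccessControl rules) and point 2 (https only for some pages) in one place. It assumes a Yii 2.0 application; the controller name AccountController, the action names and the $secureActions property are hypothetical and chosen for illustration. Note that AccessControl denies any request that no rule matches, so the public actions are listed in an explicit rule rather than simply left out.

```php
<?php
// Added example (not from the thread): one controller that combines point 1
// (AccessControl rules) with point 2 (force https only for selected actions).
// Assumes a Yii 2.0 application; the controller name, action names and the
// $secureActions property are hypothetical and chosen for illustration.

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\helpers\Url;
use yii\web\Controller;

class AccountController extends Controller
{
    /**
     * Actions that must be served over https. Anything that carries a
     * password or changes state belongs here; public read-only pages such
     * as 'index' may stay on http, as the thread asks.
     */
    public $secureActions = ['login', 'update', 'delete'];

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    // Public pages: guests ('?') and logged-in users ('@').
                    // AccessControl denies anything no rule matches, so the
                    // public actions are listed explicitly rather than omitted.
                    [
                        'actions' => ['index', 'login'],
                        'allow' => true,
                        'roles' => ['?', '@'],
                    ],
                    // State-changing pages: authenticated users only.
                    [
                        'actions' => ['update', 'delete'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }

    /**
     * Pre-filter: runs before every action of this controller, so the
     * https redirect lives in one place instead of in each action.
     */
    public function beforeAction($action)
    {
        if (!parent::beforeAction($action)) {
            return false;
        }
        if (in_array($action->id, $this->secureActions, true)
            && !Yii::$app->request->isSecureConnection) {
            // Same route and query string, https scheme. A permanent redirect
            // lets the browser remember the upgrade for this URL.
            $this->redirect(Url::current([], 'https'), 301);
            return false; // stop here: the action must not run over http
        }
        return true;
    }

    public function actionIndex()  { return 'public page, http allowed'; }
    public function actionLogin()  { return 'login form, https enforced'; }
    public function actionUpdate() { return 'update, https + login required'; }
    public function actionDelete() { return 'delete, https + login required'; }
}
```

Two caveats when using this. First, the redirect only protects the request for the login form; the form must then post to an https URL, which it does as long as it was rendered over https and uses a relative action. A form posted over http has already sent the password in clear before any redirect happens. Second, if TLS is terminated by a reverse proxy or load balancer, isSecureConnection reads the X-Forwarded-Proto header only from proxies listed in the request component's trustedHosts; without that setting every https request looks like http and the filter loops. Finally, a session cookie flagged Secure (the session component's cookieParams) is not sent on the http pages, which is the main reason mixing http and https pages on one host is hard to get right; serving the whole site over https, as Roberto suggests for everything behind a login, avoids the problem.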