Security : Ajax action, how to control user identity ?


I’m bulding a website with a “Favourite item” function. It’s a simple button the user pushes to store the item in his favourites ones. So, it works with ajax.

I started to build my actions, and suddenly, I realised that anyone posting any user id and any item id to this action could add or remove favourites from any user… :mellow:

So of course, I though that I had to generate a form with a model, so I do for regular forms, but submitting in ajax.Until now, I never worried about this kind of problems, and when submiting a form I checked the user identity inside the controler, or thanks to the RBAC functions. But then, I realized I just don’t know or understand how yii2 is checking user identity from posted forms… I just trust Yii2.

So I had a look to the generated HTML, and seen that the forms add an hidden _csrf token field. Is this what is used to check user identity from a posted form ?

[b]How would you do yourself to generate an ajax form containing the necessary informations to check the user identity on the server ?


thanks for enlighten me on this subject.

identity is stored in session. in yii it’s better to access it through \Yii::$app->user

connection between server and client is made via session id that is stored as cookie on client. server can serve session on different media - file, db, cache, webservice etc… by default webserver makes file for each session at some place (making possible for session spoofing :) )

unless you provide webservice for distributed apps, you do not need to put identity to check user as you have full access to session and make check on server side

csrf stands for cross side reference - xss attack

easiest way to add access check via behavior AccessControl in controller

class SiteController extends Controller


	public function behaviors()


		return [

			'access' =>	[

				'class' => AccessControl::className(),  <------------ THIS ONE

				'only' => ['login', 'logout', 'books'],

				'rules' => [


						'allow' => true,

						'actions' => ['login', 'books'],

						'roles' => ['?'] // guests



						'allow' => true,

						'actions' => ['logout', 'manage'], //TODO: rule author

						'roles' => ['@'] // users






	public function actionLogin() <--- DO YOUR STUFF

	{ . .. .

so the question is : are the session informations transmited to the server when doing an ajax call ?

I’m reading that :

github (I can’t post urls…) yiisoft/yii2/blob/master/docs/guide/

And it seems to me that when you’re using ajax actions on a yii2 site (wich is kind of RESTapi right ? ), you MUST implement “findIdentityByAccessToken”; right ?

If I undersand what I’m reading, I must add a token table to the user table, and then send this token by the ajax request, and then inside the controler get the identity of the user thanks this token. All the operation being secure if and only if HTTPs is used to encrypt the token.

Am I right ? Or is ther an easier way to check user identity from an ajax call ?

back to basics

AJAX call is nothing more than regular call from client behind scene (no page refresh). REST used for APIs as they utilize http headers as action description (gives clean urls)

session information IS NOT transmitted, only user’s session id is stored in cookie. that’s how user is recognised. if you don’t provide additional check

to make identity usage you must create your own class to handle it by comply with interface like below

namespace frontend\models;

class Users extends ActiveRecord implements IdentityInterface


and notify app about it via config

return [....

[components => [

		'user'=> [

			'identityClass' => 'frontend\models\Users',

			'enableAutoLogin' => true,

			'loginUrl' => ['site/index'],

			'enableSession' => true



ah !

thanks you very much for this back to the basic ! THat’s exactly what I needed.

I could have just make my own tries and test if it works… But I was anxious and I wanted to understand.

so, when doing an ajax call, the cookies with the session id is also transmitted : right ?

I’m using the advanced application, so I have yet the user interface in the common\models.

yes, all cookies are always sent. in chrome you can press F12 and track in Network what was sent and response.

yes, you are right about user interface in advanced application, it is already implemented

you’re welcome