Session Problem With Multiple Applications On One Domain

i have created 2 yii2 applications

composer create-project --prefer-dist --stability=dev yiisoft/yii2-app-basic basictest1


composer create-project --prefer-dist --stability=dev yiisoft/yii2-app-basic basictest2

opening 2 tabs



What happen is that after login (always tested with admin/admin) i get forwarded to site/login and get a Bad Request (#400)

if i have a "secured page" e.g. extending the sitecontroller that site/about is only for registered users

'access' => [

          'class' => AccessControl::className(),

          'only' => ['logout','about'],

          'rules' => [


                  'actions' => ['logout','about'],

                  'allow' => true,

                  'roles' => ['@'],




and i open again 2 tabs (or at least logout before so i get the login page)



i will get the login form. The return url should be for each tab the corresponding about page.

i have loaded the basictest1 web app first and opened the basictest2 as the second tab.

again i get a page with Bad Request (#400) on both.

ok back logout on both apps.

and visiting these 2 urls (load basictest 2 first then basictest1)



login on the basictest2 => get Bad Request (#400) => click "login" in the menue.

Login successfully "BUT" the page is then


instead of basictest2.

this is of course because the returnUrl is stored in the session which are the same.

In Yii 1 i could set the a unique stateKeyPrefix per app for the User


and Session

'sessionName' => 'uniquesessionname_per_app',

And each application has their own session and authentication.

In Yii2 i have to set the "path" in the configs like this, if i want to have more than one applikation to be running on the same domain.

'session' => [

      'cookieParams' => ['path'=>'/yii2/basictest1','httponly'=>1], // correct path for the basictest1 app.


Then i can login for one or the other app in the same domain.

But i still get a Bad Request (#400) when clicking logout in basictest1 if was also logined in the second app basictest2.

So i still have to set this settings in the config for each app to make everything work.

'user' => [

      'identityClass' => 'app\models\User',

      'enableAutoLogin' => true,

      'identityCookie' => [

          'name' => '_basictest1',

          'path'=>'/yii2/basictest1'  // correct path for the basictest1 app.



It is clear that this is only needed to configure in the development phase or in the case that multiple yii2 apps are running in the same domain.

I could setup individual vhosts to also solve this problem in the development phase.

I think it was “easier” to get this running in yii1 or is there some other way which i don’t know?

I had the hope that the ‘id’ in the config is enough to get the app some unique behaviour, but sadly this is not the case.

regards Horizons

No suggestions or comments which is the correct way?


I suppose you need to set the ‘identityCookie’ name as you have done for simultaneous app sessions from same host domain on the same client. This setting is only probably required if ‘enableAutoLogin’ property is set to true.

Just created a wiki for this. Let’s try to edit and improve upon that for the benefit of all.