Simple way to completely hide all url parameters

Hi, it would be great if there was a simple configuration option to completely hide everything in the URL in the browser except the site name.

Currently, it seems from reading alot of the posts people have to mess with frames, or, the web server (e.g rewrite rules) or AJAX if they want to hide all path and parameters in the URL. none of these solutions are really ideal.

Thanks for listening.

What is the purpose doing it?

First, do not want anyone to be able to guess at the url parameters and attempt to re-route themselves. -even if we protect the action methods with accessRules it is not desirable to have any part of the route information made available to casual users.

Second prevent, or make it harder to determine the architecture of the site and reverse engineer it.

Third some users/clients/competitors/employees should not even know about certain capabilities of the site, so do not want to give clues in the browser url bar.

Fourth, reduce unnecessary questions and concerns during training and support. - as an example:

one of my controllers is named pcase so the controller/action looks like this pcase/index . We had somebody actually tell us in a beta release that they could not proceed with training and using the system until they were comfortable in understanding what the word pcase meant, because they had never heard of this before and that is not how they do business ! This is disruptive to our sales process- so we want to limit confusion and wasting time having to explain to potential clients and users things that they should not have to care or worry about.

In summary, We want the users to focus on the application and not be distracted by what is in the URL bar of the browser.

Use the UrlManager ?

It’s very flexible.

[size=“3”]yeah, you can’t hide url, but you can encode like

and decode with UrlManager. You can encode uri for each user, so 2 different users will never have same uri, even same user won’t have the same uri next visit.

I have used such practice in the one of my projects, but only in member section, cos if you start using meaningless uri, it’s always bad for SEO.


Be a bit of a pain to create each link as such but you could use forms.

Would be transparent to the user and doesn’t add anything to the url.

Anyway, that is a very specific task and I think it should not be in yii2 core.

Yea I don’t quite get this. Hiding url’s is bad for SEO and userbility, how are users meant to bookmark a page? If its sensitive data then submit it via post and any ID’s should be linked to permissions to the user if its sensitive and you should check those beforehand. Also the end of the day apart from the url encoding method if people really want they can always get around whatever methods you implement as http is a public protocol. As for the pcase scenario… name your controllers better and fire the userbility guy for being facetious?

Also if you can’t be happy with having accessRules to stop people from visiting parts of your site then the bigger issues is the way you build your sites. You should have full confidence in you’re security measures and having the route displayed even if they can’t visit it shouldn’t be an issue. Also your accessRules will redirect the user back to a login page if they don’t have permission so they would have known the route to get there in the first place or won’t be able to find it?

I think relying on the tools you have and not worrying about urls would be a better approach, both for your web applications and sanity.

You could use https, and/or put a session identifier in the url.

That session_id will time out. And thus it becomes very difficult to get at the sensitive data for third-parties.

Like auto-timeout activation urls.

HTTP POST driven?

I too would like this feature.

Please forgive my rudeness but I have been trawling for months for information on yii but I totally disagree with one or two line responses that say "this should be easy - just look here…". If things are so easy then share a little more and give an example or two.

I want this feature as well - I WOULD LOVE TO USE POST VARIABLES - but I do not want to create FORMS or use ajax calls, or create javascript bits just to pass a variable or two. Again, if this is easy to do then please share some examples.

If the UrlManager can do this, then please share some more details, we do I go, what files do I need to change, what should the controller function look like, what should I put into the view… I must be so stupid - the manuals are not that easy to read if you are a little old school. There is no one close to me to get help so the forum is it.

Sorry for the rant but if you post something as a response then please please please make it helpful.


There are two ways of doing a POST request from a browser: HTML form and AJAX. There’s no other way that makes sense.

UrlManager can not do this.

If you want it bad you have to implement a one-page application that sends AJAX POST, gets response and replaces current content with what is received. That’s not how web applications are built most of the time. That’s why I said that it will not be included in the framework.