[SOLVED] How to verify users from different sites of the same code base?

I am developing a multi-site that share the same code base. These multi-sites will have user logon modules for its respective site. All codes and tables are differentiated by a SITE_ID.

However, after I login from Site A (as a Site A user), when I open a new tab and access Site B, it shows I am logged in as well. (But I am not a Site B user!)

My user login (below) is based on the sample Yii code with some modification to check the siteId of the user. But where do I verify if the user belongs to the site each time the page loads?

I suspect it has to do with AccessControlFilter but I don’t know how to write the codes and parse it around. Appreciate some help with sample codes.

	public function authenticate() {

		$criteria = new CDbCriteria;

		$criteria->condition = 'username=:username';

		$criteria->params['username'] = $this->username;


  	$record = User::model()->find($criteria);

 		if ($record === null) {

			$this->errorCode = self::ERROR_USERNAME_INVALID;

    } elseif ($record->Password !== $this->password) {

			$this->errorCode = self::ERROR_PASSWORD_INVALID;

    } elseif ($record->SiteId !== Yii::app()->session['siteId']) {

			$this->errorCode = self::ERROR_USERNAME_NOT_IN_SITE;

		} else {


		...ok to login





can somebody help? I think it should be easy but I overwhelmed with Yii greatness…

Please help…

After what you’ve described, i believe the problem resides in the login cookie being set after the login process, but i need more info.

Do you use the auto-login feature ?

How do you divide your websites ? different domains or same domain but different sub-domains ?

Basically, the problem is that the cookie you set after login is available for site A and for site B and this is the thing you need to avoid by manually set the cookie params of the cookie depending on the domain the user signs-in on .

I am not sure what you mean by auto-login. This is how the user is logged on

User Model

	public function authenticatePass($attribute,$params) {


		if (!$this->hasErrors()) { // we only want to authenticate when no input errors

			$identity = new UserIdentity($this->Username, $this->Password);



			switch ($identity->errorCode) {

				case UserIdentity::ERROR_NONE:

					$duration = $this->RememberMe ? 3600*24*30 : 0; // 30 days


					Yii::app()->user->login($identity, $duration);



The websites are divided by different folders in the server and access by different domain names from the browser. I wouldn’t know if accessing from different domains will not give this problem because nothing is live yet.

The problem now exist in my development machine where Site A and B are accessed from the same http://localhost/ like this :



Accessing from either one above will store its respective siteId constant into Yii::app()->session[‘sid’]

To be sure, even if this is caused by a cookie issue, I need to code it to specifically check if the user (his siteId) equals to Yii::app()->session[‘sid’] each time the page is loaded.

How do I do this?

I just check the config.php



			// enable cookie-based authentication



when you open new TAB (without closing browser) on coming from A -> to B it looks like user is seen as logged already in - from what you have described. This is issue of bad design/architecture for your sites.

Since you are not describing in detail domains (this is crucial to see how cookies will work) I think you may use following generic solution:

In entry point for each site controller, you should generate unique session key specific for each site only. Then you would have uniqueA, uniqueB and uniqueC keys. Then in entry point for each controller on each site (normally UserController::actionIndex() ) you should check if current user has such a unique ID in session specific for your site only. If not, then treat user as anonymous and request login credentials.



You don’t need any kind of extra checks.

In your case, as i assumed the problem relies in the cookie params, that’s because siteA and siteB set the cookie for localhost (but when you will use different domain names, this problem will not occur, so you are safe to assume that no extra check is required) therefore the cookie can be accessed by both sites.

Thanks twisted for the assurance. and lubosdz, great idea! I might do this to ensure it works on both localhost and live domains…

how to edit the topic title to add [SOLVED]?? all edit only for the "post"