The auth_key of Yii2 doesn't interfere in cookie-based login

I have a problem with auth_key. I have a login form and it works correctly both without remember me and with remember me. I read the Yii documentation, which says that remember me works with id and auth_key to create a cookie that keeps the user logged in for a long time. I checked the framework code and there are three parameters (id, auth_key, expire_time()). I save auth_key in the user table, and the code is here:

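    // Generates a new random key and stores it on the user record
    public function generateAuthKey()
    {
        $this->auth_key = Yii::$app->security->generateRandomString();
    }

    // Compares the key from the remember-me cookie with the stored one
    public function validateAuthKey($authKey)
    {
        return $this->getAuthKey() === $authKey;
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }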


But I have a problem: if a user logs in to the site and I go to the user table and change the auth_key field, then when the user refreshes the page they should be thrown out of the site because their auth key has changed, but the user stays logged in. Where is the problem?

authentication consists of two checks:

  1. session - if data is in session, log user in via userId

  2. cookie - if session fails, log user in via userId while also checking auth_key

So you’re getting logged in through the session. If you delete your PHPSESSID cookie then you’ll get logged out properly.

I want to terminate users that log in using one username. I save sessions in MongoDB, delete the session and change auth_key in the MySQL user table, and that user is thrown out of the site. But I have a problem: when I change the auth key, all those users who checked remember me are logged out of the site. I store auth_key in the session DB (MongoDB) to have an auth_key per user, and I changed getAuthKey in the user model to get it from MongoDB, but the problem is that every time I refresh the page the auth key is changed.

The following is my code. When I remove the session record from MongoDB and refresh the page, the user is still logged in and a new record is created for the user in MongoDB. This is my code:

    'session' => [
        'class' => 'yii\mongodb\Session',
        // Extra fields stored with each session record; called on every session write
        'writeCallback' => function ($session) {
            return [
                'user_id' => Yii::$app->user->id,
                'agent' => Yii::$app->request->getUserAgent(),
                'ip' => Yii::$app->request->getUserIP(),
                'auth_key' => Yii::$app->security->generateRandomString(),
            ];
        },
    ],

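    // requires: use yii\mongodb\Query;
    public function getAuthKey()
    {
        $query = new Query();
        // The from() part of this statement was lost from the post; 'session' is the
        // yii\mongodb\Session default collection name and is assumed here.
        $query->from('session')
            ->where(['id' => Yii::$app->session->id]);
        $row = $query->one();
        // one() returns false when no session record exists
        return $row ? $row['auth_key'] : null;
    }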


What can I do to avoid this problem?
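
The two checks described in the reply above, as an added stand-alone PHP model (not Yii's code and not from the original posts). The `authenticate()` and `demo()` names, the user id, keys and session ids are constructed for illustration. It shows how a request is handled when only `auth_key` changes, when only the session record is deleted, and when both happen.

```php
<?php
// Simplified stand-alone model of the two checks; NOT Yii source code. All data is constructed.

/** Returns how one request is authenticated: 'session', 'cookie' or 'guest'. */
function authenticate(array $users, array &$sessions, array $cookies): string
{
    // Check 1: session. Only the stored user id is used; auth_key is never consulted.
    $sid = $cookies['PHPSESSID'] ?? null;
    if ($sid !== null && isset($sessions[$sid], $users[$sessions[$sid]['user_id']])) {
        return 'session';
    }
    // Check 2: remember-me cookie ('_identity' is Yii's default name) with (id, auth_key, expire).
    $parts = json_decode($cookies['_identity'] ?? '', true);
    if (is_array($parts) && count($parts) === 3) {
        [$id, $key, $expire] = $parts;
        if (is_int($id) && is_string($key) && is_int($expire) && $expire > time()
            && isset($users[$id]) && hash_equals($users[$id]['auth_key'], $key)) {
            // Cookie login succeeds and a fresh session record is written.
            $sessions[bin2hex(random_bytes(8))] = ['user_id' => $id];
            return 'cookie';
        }
    }
    return 'guest';
}

function demo(): array
{
    $users    = [7 => ['auth_key' => 'key-A']];   // user table (constructed)
    $sessions = ['sess-1' => ['user_id' => 7]];   // session store (constructed)
    $cookies  = [
        'PHPSESSID' => 'sess-1',
        '_identity' => json_encode([7, 'key-A', time() + 3600]),
    ];
    $out = [];
    // Case 1: auth_key changed, session record kept.
    $users[7]['auth_key'] = 'key-B';
    $out['auth_key changed only'] = authenticate($users, $sessions, $cookies);
    // Case 2: session record deleted, auth_key unchanged.
    $users[7]['auth_key'] = 'key-A';
    unset($sessions['sess-1']);
    $out['session deleted only'] = authenticate($users, $sessions, $cookies);
    $out['session records after case 2'] = count($sessions);
    // Case 3: session record deleted and auth_key changed.
    $sessions = [];
    $users[7]['auth_key'] = 'key-B';
    $out['session deleted and auth_key changed'] = authenticate($users, $sessions, $cookies);
    return $out;
}

print_r(demo());
```

In this model a login ends only when the session record is gone and the key carried in the remember-me cookie no longer matches the stored one.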