Trying to understand password validation during login from database

Hi folks,

I’ve been trying to get a complete understanding of the Yii2 login system but I seem to be lost when it comes to understanding where the password is validated.

The sequence I have so far:

SiteController::login() loads the LoginForm model, loads it and calls LoginForm::Login(). LoginForm::Login() then validates the model properties and calls:

Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600*24*30 : 0);

With $app->user->login being \web\User::Login() and $this->getUser() returning an instance of \app\models\User (instance of ActiveRecord and IdentityInterface), with the getUser function returning the following:

return static::findOne(['username' => $username, 'status' => self::STATUS_ACTIVE]);

This obviously matches the username but not the password, and I can’t see anywhere in \web\User::Login() where the password is validated, as it only contains the following code:

    public function login(IdentityInterface $identity, $duration = 0)
    {
        if ($this->beforeLogin($identity, false, $duration)) {
            $this->switchIdentity($identity, $duration);
            $id = $identity->getId();
            $ip = Yii::$app->getRequest()->getUserIP();
            if ($this->enableSession) {
                $log = "User '$id' logged in from $ip with duration $duration.";
            } else {
                $log = "User '$id' logged in from $ip. Session not enabled.";
            }
            Yii::info($log, __METHOD__);
            $this->afterLogin($identity, false, $duration);
        }

        return !$this->getIsGuest();
    }

Can anyone possibly enlighten me?



Anybody? Please? :)

Do you have a User model?

That is usually the place where the password is retrieved and validated.

However, that depends on your application…

yii2/base/Security -> validatePassword

Thanks for your response.

Yes, I have a User table and model. It is actually a Yii2 basic app, but the DB login functionality was copied directly over from the Yii2 Advanced app.

So this…

return static::findOne(['username' => $username, 'status' => self::STATUS_ACTIVE]);

is returning an instance of the User model, but is only using username in the search criteria. Obviously, I could understand it if it was querying using the username and a hash of the password entered in the LoginForm, but it isn’t.

So it retrieves the record from the DB (which contains all fields, including the stored password hash) based on the username and passes this as a parameter to \web\User::Login(), which I understand is responsible for actually logging the user in, but I can’t see where the password comparison actually takes place?

Whereabouts in the process described in my first post does this take place? I am sure I am being dumb here, but I can’t see it anywhere.

The loginForm model does that :)

    public function login()
    {
        if ($this->validate()) {
            return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600 * 24 * 30 : 0);
        } else {
            return false;
        }
    }

Don’t worry too much - to be honest, I am confused sometimes too. Especially when dealing with User (model), User (identity) and the security component(s).

You are sent back and forth so many times that you feel like you are visiting the Microsoft website…

Yeah, it was like watching tennis.

So, the validate function you pointed to above is the Model::validate() function…

    public function validate($attributeNames = null, $clearErrors = true)
    {
        if ($clearErrors) {
            $this->clearErrors();
        }
        if (!$this->beforeValidate()) {
            return false;
        }
        $scenarios = $this->scenarios();
        $scenario = $this->getScenario();
        if (!isset($scenarios[$scenario])) {
            throw new InvalidParamException("Unknown scenario: $scenario");
        }
        if ($attributeNames === null) {
            $attributeNames = $this->activeAttributes();
        }
        foreach ($this->getActiveValidators() as $validator) {
            $validator->validateAttributes($this, $attributeNames);
        }
        $this->afterValidate();

        return !$this->hasErrors();
    }

But I can’t see where that is comparing passwords?


    /**
     * @return array the validation rules.
     */
    public function rules()
    {
        return [
            // username and password are both required
            [['username', 'password'], 'required'],
            // rememberMe must be a boolean value
            ['rememberMe', 'boolean'],
            // password is validated by validatePassword()
            ['password', 'validatePassword'],
        ];
    }

    /**
     * Validates the password.
     * This method serves as the inline validation for password.
     *
     * @param string $attribute the attribute currently being validated
     * @param array $params the additional name-value pairs given in the rule
     */
    public function validatePassword($attribute, $params)
    {
        if (!$this->hasErrors()) {
            $user = $this->getUser();
            if (!$user || !$user->validatePassword($this->password)) {
                $this->addError($attribute, 'Incorrect username or password.');
            }
        }
    }

So the validate() function tells the LoginForm to get the instance of the User from the DB using the username provided, then calls validatePassword() to compare the password hash held in that User model instance to the password held in the form (entered by the user during the login attempt).


As simple and confusing as that!

Thank you for your help, Sir :)
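To make the chain worked out above concrete, here is an added example (it is not code from this thread or from the Yii2 project): a plain-PHP re-enactment of the login sequence, covering both the earlier pointer to yii\base\Security::validatePassword and the resolution just reached. It mirrors the Yii2 structure (find the identity by username and status only, then compare the submitted password against the stored hash, and only then "log in") without needing the framework installed. Yii's Security::generatePasswordHash()/validatePassword() delegate to PHP's password_hash()/password_verify() where those are available, so the same functions are called directly here. The `$usersTable` rows, the class names and the sample credentials are all constructed for the example; PHP 8.0 or later is assumed for the constructor property promotion.

```php
<?php
// Added example: stand-alone re-enactment of the Yii2 login chain.
// User::findByUsername() matches username + status only (as in the thread);
// User::validatePassword() is the single place the hash is compared.

const STATUS_ACTIVE = 10;

// Constructed stand-in for the `user` table; hashes are generated at runtime,
// the way Yii's Security::generatePasswordHash() would have stored them.
$usersTable = [
    ['id' => 1, 'username' => 'alice', 'status' => STATUS_ACTIVE,
     'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
    ['id' => 2, 'username' => 'bob', 'status' => 0, // inactive account
     'password_hash' => password_hash('hunter2', PASSWORD_DEFAULT)],
];

/** Mirrors app\models\User: an identity built from a DB row. */
final class User
{
    public function __construct(private array $row) {}

    /** Mirrors User::findByUsername(): username and status only, no password. */
    public static function findByUsername(array $table, string $username): ?self
    {
        foreach ($table as $row) {
            if ($row['username'] === $username && $row['status'] === STATUS_ACTIVE) {
                return new self($row);
            }
        }
        return null;
    }

    public function getId(): int { return $this->row['id']; }

    /** Mirrors User::validatePassword(): compares plaintext against the stored hash. */
    public function validatePassword(string $password): bool
    {
        return password_verify($password, $this->row['password_hash']);
    }
}

/** Mirrors app\models\LoginForm: rules(), the inline validator and login(). */
final class LoginForm
{
    private array $errors = [];
    private ?User $user = null;

    public function __construct(private array $table, public string $username, public string $password) {}

    private function getUser(): ?User
    {
        if ($this->user === null) {
            $this->user = User::findByUsername($this->table, $this->username);
        }
        return $this->user;
    }

    /** Mirrors Model::validate() running rules(): 'required' first, then validatePassword(). */
    public function validate(): bool
    {
        $this->errors = [];
        foreach (['username', 'password'] as $attr) {
            if ($this->$attr === '') {
                $this->errors[$attr][] = "$attr cannot be blank.";
            }
        }
        // The inline validator only runs if no earlier rule failed, as in Yii2.
        if (!$this->errors) {
            $user = $this->getUser();
            // One generic message for "no such user" and "wrong password",
            // so the form does not reveal which usernames exist.
            if (!$user || !$user->validatePassword($this->password)) {
                $this->errors['password'][] = 'Incorrect username or password.';
            }
        }
        return !$this->errors;
    }

    /** Mirrors LoginForm::login(): \yii\web\User::login() is reached only after validate() passes. */
    public function login(): bool
    {
        return $this->validate() && $this->getUser() !== null;
    }

    public function getErrors(): array { return $this->errors; }
}

// Constructed login attempts: correct, wrong password, unknown user, inactive user.
$attempts = [['alice', 'correct horse battery staple'], ['alice', 'wrong'], ['nobody', 'x'], ['bob', 'hunter2']];
foreach ($attempts as [$u, $p]) {
    $form = new LoginForm($usersTable, $u, $p);
    printf("%-7s %-30s -> %-9s %s\n", $u, $p, $form->login() ? 'logged in' : 'rejected', json_encode($form->getErrors()));
}
```

Run it with `php login-chain.php`. Only the first attempt succeeds; the other three all fail inside validate(), before anything equivalent to \yii\web\User::login() is reached, which is exactly why that method contains no password check of its own.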

Well done, Sir ;)

Hi, I have a Yii app whose System Admin password has been forgotten. I need to reset it so that I can help other users reset theirs.
Is there a way to reset that in the DB from phpMyAdmin?
Also, I have a field to validate the password in the DB; it’s called spice, surely a salted hash. Any idea how I can proceed?

Any help will be welcome

Hi @dredarsenic,

Usually there’s no way to retrieve the password from the DB table, since it holds only the hashes of the passwords. So PhpMyAdmin will not be a solution.

Probably there’s already an action that lets the users change their own passwords, but it requires the user to be logged in beforehand. Now what you need is a one-time action that will set the new password for the system admin, without questioning whether you are logged in or not. Once the password is reset, you can delete the action.

If you don’t have access to the source code of the site, well, I don’t know what to do.
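One way to build the one-time reset softark describes, as an added example that is not code from this thread or from Yii2: a console command rather than a web action, so it can only be run from a shell on the server, is never reachable over HTTP, and can be deleted once used. Assumptions, all labelled in the comments: a Yii2 basic-template app (namespace app\commands, file commands/UserController.php), a `user` table with `username` and `password_hash` columns, and a User::validatePassword() that calls Yii::$app->security->validatePassword() as the templates do. If the app instead derives its hash from its own `spice` column, the hashing line must reproduce that scheme or the new hash will never verify.

```php
<?php
// Added example: console command for a one-time admin password reset.
// Assumed layout: Yii2 basic template, commands/UserController.php.
// Invoke as:  php yii user/reset-password admin

namespace app\commands;

use Yii;
use yii\console\Controller;
use yii\console\ExitCode;
use yii\db\Query;

class UserController extends Controller
{
    /**
     * Sets a new password hash for the given username.
     * The password is read interactively instead of being passed as an
     * argument, so it does not land in shell history or process listings.
     */
    public function actionResetPassword(string $username): int
    {
        // Assumed table/column names: `user`.`username`.
        $exists = (new Query())->from('user')->where(['username' => $username])->exists();
        if (!$exists) {
            $this->stderr("No user named '$username'.\n");
            return ExitCode::DATAERR;
        }

        $password = $this->prompt('New password:', ['required' => true]);
        if (strlen($password) < 12) {
            $this->stderr("Password must be at least 12 characters.\n");
            return ExitCode::DATAERR;
        }

        // Same routine the template's User::setPassword() uses: bcrypt via
        // password_hash(), with the salt embedded in the hash string, so no
        // separate salt column is involved. A custom `spice`-based scheme
        // would have to be reproduced here instead.
        $hash = Yii::$app->security->generatePasswordHash($password);

        // Assumed column name: `password_hash`.
        $updated = Yii::$app->db->createCommand()
            ->update('user', ['password_hash' => $hash], ['username' => $username])
            ->execute();

        // Leave a trace in the application log so the reset is auditable.
        Yii::info("Password hash reset for '$username' via console.", __METHOD__);
        $this->stdout("Updated $updated row(s) for '$username'.\n");
        return ExitCode::OK;
    }
}
```

The prompt echoes what is typed, so run it from an interactive terminal rather than a shared screen. Once the admin can log in and the ordinary in-app password change works again, remove the file so the command does not stay available on the server.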

Hi @softark

Thanks for your response.
Actually, it’s a system I just found and manage now. It was built by some other developers; I have access to the source code but don’t really know where to start.

But I will try to dig deeper and see if I can figure out what to do.

Thanks again!