Yii 2 Authentication Discussion

Hi everybody, I’m here to discuss with you the approach in Yii2 authentication, which I can list in 2 items:

1- check the identity through session

2- if not check the identity through cookie and if present populate the identity

of course, if the conditions are fulfilled, such as enableCookieLogin, etc.

I have some questions concerning the concept of authentication:

1- what if I want to log out someone when cookies are enabled?

2- the expiry time can be edited with ease in a cookie, isn’t it?

3- any considerations for using the secure cookie protocol?

I am not sure about your concern with these questions.

I believe that’s what the Yii authentication component does by default, no?

  1. You are logging him out. Even if the cookie stays on his computer, he has to re-login, since his cookie is no longer valid.

  2. You can set the expiry time. But don’t fully rely on this: the browser may not obey your cookie commands, or cookies may be faked.

  3. Doesn’t that parameter do this?

I suggest you re-read the authorization section in the manual.

Thanks tebazil for the reply. OK, can you explain to me in code how to log out someone you want to?

Here is what I found out:

You need to

  1. refresh the user’s auth key and change his password/ban him if you have such ability, so that he won’t be able to relogin by cookie alone (if you use cookie auth) or log in any other way

  2. delete all sessions of that user from the database, assuming you use database sessions. If you don’t use database sessions, look it up on Google; the way to do this may vary.
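The two steps above (refresh the auth key, then delete the user's database sessions), together with the earlier point that an identity cookie becomes useless once its auth key no longer validates, can be put into code roughly as follows. This is an added example written for this thread, not code from the Yii project or from anyone in the discussion. It assumes a hypothetical `user` table with `auth_key` and `status` columns, a `session` table that has an extra `user_id` column populated through `DbSession::writeCallback`, and a `User` identity class living in `app\models`; the `STATUS_*` constants and the `forceLogout()` method are names chosen for the example.

```php
<?php
// Added example (not from the thread): force a specific Yii 2 user out of the
// application. Hypothetical schema: `user` (id, auth_key, status) and
// `session` (id, expire, data, user_id).

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

// --- application config fragment (merge into config/web.php) ---------------
// DbSession keeps sessions in the database; writeCallback stores the owning
// user's id on each row so that all sessions of one user can be deleted later.
$config = [
    'components' => [
        'session' => [
            'class' => 'yii\web\DbSession',
            'sessionTable' => 'session',
            'writeCallback' => function ($session) {
                return ['user_id' => Yii::$app->user->id];
            },
        ],
        'user' => [
            'identityClass' => 'app\models\User',
            'enableAutoLogin' => true, // identity cookie carries id + auth_key
        ],
    ],
];

// --- app/models/User.php ----------------------------------------------------
class User extends ActiveRecord implements IdentityInterface
{
    const STATUS_ACTIVE = 10;
    const STATUS_BANNED = 0;

    public static function tableName()
    {
        return 'user';
    }

    // Yii calls this for both session and cookie logins; a banned user is
    // simply not found, so neither a live session nor a cookie restores him.
    public static function findIdentity($id)
    {
        return static::findOne(['id' => $id, 'status' => self::STATUS_ACTIVE]);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null; // token auth not used in this example
    }

    public function getId()
    {
        return $this->id;
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }

    // Compared against the auth key stored in the identity cookie. Once the
    // key in the database has been regenerated, every old cookie fails here.
    public function validateAuthKey($authKey)
    {
        return $this->auth_key !== null && hash_equals($this->auth_key, (string) $authKey);
    }

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($insert) {
            $this->auth_key = Yii::$app->security->generateRandomString();
        }
        return true;
    }

    // Step 1: new auth key (invalidates identity cookies) and ban the account.
    // Step 2: delete every database session that belongs to this user.
    public function forceLogout()
    {
        $this->auth_key = Yii::$app->security->generateRandomString();
        $this->status = self::STATUS_BANNED;
        if (!$this->save(false)) {
            return false;
        }
        Yii::$app->db->createCommand()
            ->delete('session', ['user_id' => $this->id])
            ->execute();
        return true;
    }
}

// Usage from an admin action or console command (example):
// $user = User::findOne($userId);
// if ($user !== null) { $user->forceLogout(); }
```

Regenerating the auth key on its own is enough to kill cookie-based auto-login; the status change and the session deletion are what stop an already-open session and a fresh password login, which is why the post lists both steps rather than just the key refresh.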

Did you read the guide? It explains it well with examples.