Yii2 Login/Logout Authentication


I still don’t understand how the authentication works. I have an Android app that needs to call my API and log in, but the Yii2 authentication method asks for the auth_key or token. I don’t have that information at the first login. Don’t I need to do something like:


Isn’t that the correct way to do it? If yes, how can I do that using the authenticator? How do I get the token back, or how does it generate the token?

I’m struggling really bad in this part of my project and I need someone’s help. I’m even willing to PAY $$$ for the help, that’s how desperate I am.


You don't need to pay, because Yii2 is open source and much more precious than your doubts.

You just need to explain the details of your application, like:

  1. Are you using the same database for your Android application and web application (meaning, is it web-services based or not)?

  2. Clarify your database structure against the Yii2 advanced application user table, and go through the User model that is generated automatically in the app (how auth works in a Yii2 app; it is session based).

Your example is bad because:

The password is visible in the URL. You can resolve this by sending an HTTP POST request rather than a GET request.

If you are implementing a REST API, then NO LOGIN OR SESSION should be created. Instead, your mobile application should send a TOKEN. A token should be a unique value, and it should be generated for every customer. When your mobile application contacts the REST API, it should send the TOKEN. When your application receives a token, it should check whether the token is valid and whether the TOKEN exists. If yes, send the mobile app the data it requested; if not, return an error message.

There are classes which enable you to control this process. Look at the following article: http://www.yiiframework.com/doc-2.0/guide-rest-controllers.html

Guys, thanks for the tips and sorry for being frustrated. I’m getting somewhere.

Now the authentication works, but I’m not able to retrieve the token, so for every request that I make I need to send the user credentials via HttpBasicAuth. This is my behavior:

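    // Requires: use yii\filters\auth\HttpBasicAuth;
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class' => HttpBasicAuth::className(),
            // Called with the Basic auth credentials; returns the identity or null.
            'auth' => function ($username, $password) {
                $user = User::findByUsername($username);
                // Guard against an unknown username before checking the password.
                return ($user !== null && $user->validatePassword($password))
                    ? $user
                    : null;
            },
        ];
        return $behaviors;
    }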

and I have implemented the findIdentityByAccessToken in my common/models/User

So now the next step would be retrieving the token or, if there is no token, creating one, so that on the next request I would just send the token and not the entire user credentials all the time. Am I thinking correctly? If so, any clue on how to proceed next?

Thank you so much guys!

Once again you are not doing something well!

Every phone should just send you a token. Token can be any unique string like: abbsdikiwo123!akksdjjawe.

When your phone sends a token, you have to check whether token exists, and if yes, then token is valid and user can execute your API function, otherwise, you should print error message.

You don’t need any HTTP Auth methods to implement this.


Sorry for my lack of understanding, so when am I going to use the username and password?

My understanding is that the phone would send the user credentials, then Yii would authenticate and send me the token back,

then for the next request, I would just send the token. Am I thinking right?

PM me if possible. I really need help, it has been more than a week that I’m trying.

You have the right idea. Duri is not covering how you get the token in the first place.

Check out my login action:

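    public function actionLogin()
    {
        $model = new LoginForm();
        // Load the credentials from the request body and try to log in.
        if ($model->load(Yii::$app->getRequest()->getBodyParams(), '') && $model->login()) {
            return ['access_token' => Yii::$app->user->identity->getAuthKey()];
        } else {
            // Login failed: return the model (with its validation errors).
            return $model;
        }
    }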

See this tutorial, it has everything you need.


Awesome thank you very much!!! I got that working.

Now I created another method just to test, actionTest(), and wrote just an echo ‘test’ there, but it is showing Login required.

So next step is, how should I send the auth_key to my actionTest?
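
The flow discussed in this thread (credentials sent once by POST, a token returned, the token sent on every later request), as an added example that is not code from any of the posters. `ApiController`, the `access_token` column on the user table and the `common\models\User` namespace are assumptions; `findByUsername()` and `validatePassword()` are the User methods already used above.

```php
<?php
// Added example (assumed names: ApiController, user.access_token column).
namespace app\controllers;

use Yii;
use common\models\User;
use yii\filters\auth\HttpBearerAuth;
use yii\rest\Controller;
use yii\web\UnauthorizedHttpException;

class ApiController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        // All actions need "Authorization: Bearer <token>", except login.
        $behaviors['authenticator'] = [
            'class' => HttpBearerAuth::class,
            'except' => ['login'],
        ];
        return $behaviors;
    }

    protected function verbs()
    {
        // Credentials travel in a POST body, never in the URL.
        return ['login' => ['POST']];
    }

    public function actionLogin()
    {
        $username = Yii::$app->request->getBodyParam('username');
        $password = Yii::$app->request->getBodyParam('password');
        $user = is_string($username) ? User::findByUsername($username) : null;
        if ($user === null || !is_string($password) || !$user->validatePassword($password)) {
            throw new UnauthorizedHttpException('Invalid username or password.');
        }
        // Fresh random token; resolved later by User::findIdentityByAccessToken().
        $user->access_token = Yii::$app->security->generateRandomString(40);
        $user->save(false, ['access_token']);
        return ['access_token' => $user->access_token];
    }

    public function actionTest()
    {
        // Reached only when the bearer token matched a user.
        return ['user_id' => Yii::$app->user->id];
    }
}
```

The Android client stores the returned `access_token` and sends it as the header `Authorization: Bearer <token>` on later calls such as `test`. For this to resolve, `findIdentityByAccessToken($token, $type = null)` in the User model has to look the user up by that column, for example `return static::findOne(['access_token' => $token]);`.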