The login authTimeout is set to two hours but the system logout itself after 30 minutes if the system is idle. Any idea why that happened?
'components' => [
'user' => [
'identityClass' => 'app\models\User',
'enableAutoLogin' => false,
'authTimeout' => 7200,
'enableSession' => true,
],
]
Probably this is related to session timeout. Usual default value is about ~30 minutes, so session will expire before authTimeout takes effect. You need to adjust Session::$timeout value in your config:
'session' => [
'timeout' => 7200, // or greater
],
Related
I am using Yii2 (basic) and Yii2-user for a website with users. For most actions it's necessary to be authenticated. How could I make a controller / action accessible as a guest?
I have tried things like this in the guest's controller:
'rules' => [
[
'allow' => true,
'actions' => ['index', 'confirm', 'download-form', 'upload-form'],
]
],
And this should be enough. But nope. I suspect that it is Yii2-user module who gets in the way and always redirects me to login.
And I have added the module in the web.php configuration like this:
'components' => [
...
...
'user' => [
'class' => 'nkostadinov\user\components\User',
'identityClass' => 'nkostadinov\user\models\User',
'enableConfirmation' => false,
'as firstLoginPolicy' => [
'class' => 'nkostadinov\user\behaviors\FirstLoginPolicyBehavior'
],
],
],
Any idea?
I have solved it as follows.
In my web.php configuration I had this:
'modules' => [
...
],
'as access' => [
'class' => \yii\filters\AccessControl::className(),//AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error', 'request', 'change-password'],
'allow' => true,
'roles' => ['?']
],
[
//'actions' => ['logout', 'index'], // add all actions to take guest to login page
'allow' => true,
'roles' => ['#'],
],
],
],
'params' => [ ... ]
So, I have added this new rule to grant guest users access to all actions of this controller:
[
'controllers' => ['mymodule/my-controller'],
'allow' => true,
],
And that's it.
i suggest you to use mdmsoft/yii2-admin for authentication
How to completely disable auto-logout?
My current config in web.php:
'user' => [
'identityClass' => 'app\models\AdminUser',
'enableSession' => true,
'authTimeout' => 18000
]
I also tried this, but it didn't work (auto logged me out after 60 seconds):
'user' => [
'identityClass' => 'app\models\AdminUser',
'enableAutoLogin' => false,
'authTimeout' => 60
]
I don't want a user to logout after anytime he is inactive.
I can not find the answer here http://www.yiiframework.com/doc-2.0/yii-web-user.html
Just comment the line with 'autoTimeout'
'user' => [
'identityClass' => 'app\models\AdminUser',
'enableAutoLogin' => false,
//'authTimeout' => 60
]
Enable cookie-based login, cause session has a limited time and expired fast.
'user' => [
'identityClass' => 'app\models\AdminUser',
// this will allow to store auth info in cookie
'enableAutoLogin' => true
]
yii\web\User::login() method has attribute $duration
Yii::$app->user->login($identity, 60*60*24*365*10); // 10 years
I have session configuration as follows
'user' => [
'identityClass' => 'common\models\LoginForm',
'enableAutoLogin' => false,
'loginUrl' => ['/login'],
'identityCookie' => [
'name' => '_OwnerUser', // unique for frontend
],
'authTimeout' => 1800,
],
'session' => [
'name' => 'PHPOWNERSESSID',
'savePath' => sys_get_temp_dir(),
'timeout'=> 1800
],
What I want to do is keep user logged in for 3 days, I have gone through the SO. In which way I can implement this?
Is it necessary to use cookies for storing session? if yes then how?
I want to implement it in my existing project which is in production and I have not used cookie for login purpose
I use advanced template and I can successfully session timeout in 15 minutes but it doesn't depends on activity, so even user active in website after login he will be logout after 15 minutes.
I know the idea I should put trigger to increase timeout in SiteController, but don't know how to implement it.
So far here is my code
backend\config\main.php
'user' => [
'identityClass' => 'common\models\User',
'enableAutoLogin' => false,
'authTimeout' => 900
],
'session' => [
'class' => 'yii\web\Session',
'cookieparams' => ['httponly' => true, 'lifetime' => 900],
'timeout' => 900,
'useCookies' => true,
],
frontend\config\main.php
'user' => [
'identityClass' => 'common\models\UserCustomer',
'enableAutoLogin' => false,
//'enableSession' => true,
'authTimeout' => 900,
],
'session' => [
'class' => 'yii\web\Session',
'cookieparams' => ['httponly' => true, 'lifetime' => 900],
'timeout' => 900,
'useCookies' => true,
],
What should I do now? so I can implement session timeout if no activity in 15 minutes.
Thanks in advance.
I believe your problem is different and there is a better solution than putting a trigger in your controller.
Most probably you are not setting a duration for http://www.yiiframework.com/doc-2.0/yii-web-user.html#login()-detail. Search for the line where you login the user. Probably something like:
Yii::$app->user->login($this->getUser());
change to
Yii::$app->user->login($this->getUser(), 900);
There are also several reasons this might not be working, but this is the most obvious.
In Yii2 advanced template, they have the signup components for new users in the frontend.
I want to put that signup process into the /backend so that only admin users can create other new users.
So in moving SignupForm, signup view, adding the Signup action to the backend/SiteController, I'm getting 403 error "You are not allowed to perform this action".
Has anyone been able to put the signup process into the backend of the advanced template in Yii2 ?
What I want to do is have admin users create the new user and give the login details to the external party. The external party would then be advised to run the Password Reset, in order to set their own password. But effectively, its locking down the registration/signup process.
Its nothing that should stop you from making this work. But will need to change a few things along the way.
First off, I guess your error message comes from the AccessControl that the backend SiteController has:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'actions' => ['logout', 'index'],
'allow' => true,
'roles' => ['#'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
];
}
Change this to:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'actions' => ['logout', 'index', 'signup'],
'allow' => true,
'roles' => ['#'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
];
}
Orelse this will result in the error message:
Forbidden (#403)
You are not allowed to perform this action.
Remember that the signup function is made for guests registering, and that it automatically out-of-the box log the user in when the account is created.
You have to remove this feature, and you might encounter some other bugs along the way.
Good Luck.