Hey there! Let's break down your two Yii2 session-related questions and fix the issue with your existing code.

Yii2 has built-in configurations to handle session expiration and auto-logout—no complex custom code needed. Here's how to set it up:

• Configure Session Timeout: Define how long an inactive session stays alive in config/web.php. This controls when the session itself expires:

'components' => [
    'session' => [
        'class' => 'yii\web\Session',
        'timeout' => 1800, // 30 minutes (in seconds)
        'cookieParams' => [
            'lifetime' => 1800, // Match session timeout to keep the session cookie in sync
        ],
    ],
    // ... other components
],

• Add User Auth Timeout: For more precise control over logged-in user expiration, configure the user component's authTimeout. This specifically handles the user's logged-in state, even if the session is still active:

'user' => [
    'identityClass' => 'app\models\User',
    'enableAutoLogin' => true,
    'authTimeout' => 1800, // Auto-logout after 30 mins of inactivity
],

Your previous base controller code had a couple of logic gaps—let's fix that. The ideal spot to handle global login checks is the beforeAction method in your base Controller.php (the one all other controllers extend). This method runs before every action, making it perfect for enforcing login requirements.

The Working Code: #

Replace your existing snippet with this in your base controller:

public function beforeAction($action)
{
    // Always run the parent's beforeAction first to maintain default Yii behavior
    if (!parent::beforeAction($action)) {
        return false;
    }

    // List actions that don't require login (adjust these to match your app's public pages)
    $allowedActions = [
        'site/login',
        'site/error',
        'site/signup',
        // Add other public actions here (e.g., 'site/forgot-password')
    ];

    $currentAction = $this->id . '/' . $this->action->id;

    // If current action isn't public and user is a guest (including session expiration)
    if (!in_array($currentAction, $allowedActions) && Yii::$app->user->isGuest) {
        // Redirect to login page, and pass the original URL so users return after logging in
        return Yii::$app->response->redirect([
            'site/login',
            'returnUrl' => Yii::$app->request->url
        ]);
    }

    return true;
}

Why Your Original Code Failed: #

• The condition !Yii::$app->controller->id == 'site' is logically flawed (it should be Yii::$app->controller->id !== 'site'), and even that's not ideal—you might have public actions in other controllers too.
• Checking !$session->isActive isn't reliable: Yii automatically tries to start a new session if the old one expired, so isActive will still return true, but the user's identity will already be lost. Instead, Yii::$app->user->isGuest is the correct way to check if the user is no longer logged in (whether due to session expiration or manual logout).

内容的提问来源于stack exchange，提问作者Alesh