
ActiveYii2-extension[Security](/categories/security)

sam-it/yii2-urlsigner
=====================

Secure URL signing and validation for the Yii2 framework

v4.2.2(3mo ago)634.3k—8.3%3MITPHPPHP >= 8.4CI passing

Since Jul 12Pushed 3mo agoCompare

[ Source](https://github.com/SAM-IT/yii2-urlsigner)[ Packagist](https://packagist.org/packages/sam-it/yii2-urlsigner)[ RSS](/packages/sam-it-yii2-urlsigner/feed)WikiDiscussions master Synced 1mo ago


yii2-urlsigner Secure URL signing and validation.
=================================================


The goal of this component is to enable stateless but secure URL validation. This can be useful, for example, when doing email validation or password reset.

The idea is simple. Suppose I want to change my email address; the system could send me a link like this:

- `http://myserver.example/newemail?user_id=1&email=newemail@fakemail.example`

Of course, this is very insecure, and no one actually (hopefully) does it like this. One solution is to generate a random token:

-

This is secure, but requires keeping state on the server. This package solves the problem by signing the URL.

- `http://myserver.example/newemail?user_id=1&email=newemail@fakemail.example&hmac=fffwejggweorwiejfewoijwf`

This allows us to verify that the URL was actually created by us and can therefore be trusted.

Upgrade to v4
=============


The Yii2 component and the actual signer have been split into two separate classes. In my opinion, you should use the `UrlSigner` class directly, configuring it using a closure in your DI config. If you need to use the component with array configuration, you may use the `UrlSignerComponent` class.

Deprecated function `signParams` has been removed, use `sign` instead. `UrlSigner::calculateHMAC()` has been deprecated.

Upgrade to v5
=============

In v5, for better static analysis, we have removed configuration options. The names for query parameters are now fixed. If you previously customized them, you cannot switch to v5 without breaking existing code.

Example
=======


```
class RequestResetAction {

    public function run(
        UrlSigner $urlSigner,
        int $id,
        string $email
    ) {
        $user = User::find()->andWhere([
            'id' => $id,
            'email' => $email
        ])->one();

        // No matching user: there is nothing to sign or send.
        if ($user === null) {
            return;
        }

        // Parameters to sign: the user id and a CRC of the current password hash.
        $params = [
            'id' => $user->id,
            'crc' => crc32($user->password_hash),
        ];

        /**
         * Sign the params; the DateTime passed here is one hour from now.
         **/
        $signed = $urlSigner->sign('/user/do-reset', $params, false, (new DateTime())->add(new DateInterval('PT1H')));

        $user->sendPasswordReset($signed);

    }
}

class DoResetAction {

    public function behaviors()
    {
        return [
            // Validate the signature before run() is reached.
            'hmacFilter' => [
                'class' => HmacFilter::class,
                'signer' => $this->controller->module->get('urlSigner'),
            ],
        ];

    }
    public function run(
        int $id
    ) {
        // Here we can trust that the user got here through the link that we sent.

    }
}
```

Do not share secrets across hosts
=================================

If you use this component in a multi-host application, you must make sure each host uses a different secret. URL signing takes into account the absolute route and all given parameters; anything else is excluded from the signature and from validation. This means that if you have a structure like this:

-
-

And they use the same route, for example `/user/do-reset`, for password resets, a normal user will be able to change the domain without invalidating the signature.
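
The following sketch is an added example, not code from yii2-urlsigner; it shows why a signature that covers only the route and parameters carries over between hosts that share a secret. The canonicalisation, the `expires` parameter name, the function names, the host names and the secrets are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative scheme only: assumed canonicalisation and parameter names.
function signUrl(string $secret, string $route, array $params, int $expires): string
{
    $params['expires'] = $expires;           // assumed name for the expiry parameter
    ksort($params, SORT_STRING);             // canonical parameter order
    $query = http_build_query($params);
    // The MAC input is the route and the parameters; the host is not part of it.
    return $route . '?' . $query . '&hmac=' . hash_hmac('sha256', $route . '?' . $query, $secret);
}

function verifyUrl(string $secret, string $url, int $now): bool
{
    $route = (string) parse_url($url, PHP_URL_PATH);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    $mac = $params['hmac'] ?? null;
    $expires = $params['expires'] ?? null;
    if (!is_string($mac) || !is_string($expires) || !ctype_digit($expires)) {
        return false;
    }
    unset($params['hmac']);
    ksort($params, SORT_STRING);
    $expected = hash_hmac('sha256', $route . '?' . http_build_query($params), $secret);
    // Constant-time MAC comparison first, then the expiry check.
    return hash_equals($expected, $mac) && (int) $expires >= $now;
}

// Constructed sample data: two hosts of one application serving the same route.
$now = 1700000000;
$signed = signUrl('secret-of-host-a', '/user/do-reset', ['id' => 1, 'crc' => 123456], $now + 3600);
$onHostA = 'https://a.example' . $signed;
$onHostB = 'https://b.example' . $signed;    // same path and query, different host

// Case 1: host A checks its own link.
var_dump(verifyUrl('secret-of-host-a', $onHostA, $now));
// Case 2: the link is presented to host B while B shares A's secret.
var_dump(verifyUrl('secret-of-host-a', $onHostB, $now));
// Case 3: the link is presented to host B while B has its own secret.
var_dump(verifyUrl('secret-of-host-b', $onHostB, $now));
// Case 4: host A checks the link after it has expired.
var_dump(verifyUrl('secret-of-host-a', $onHostA, $now + 7200));
// Case 5: host A checks the link with a modified parameter.
var_dump(verifyUrl('secret-of-host-a', str_replace('id=1', 'id=2', $onHostA), $now));
```

Cases 1 and 2 verify because the host never enters the MAC; cases 3 to 5 are rejected, which is the behaviour per-host secrets are meant to give.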

###  Health Score

57

—

FairBetter than 98% of packages

Maintenance78

Regular maintenance activity

Popularity34

Limited adoption so far

Community10

Small or concentrated contributor base

Maturity87

Battle-tested with a long release history

 Bus Factor1

Top contributor holds 95.7% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~229 days

Recently: every ~19 days

Total

13

Last Release

118d ago

Major Versions

v1.2.0 → v2.0.0: 2018-10-08

v2.0.0 → v3.0.0: 2025-06-12

v3.0.0 → v4.0.0: 2025-11-03

PHP version history (2 changes)

v3.0.0: PHP >= 8.3

v4.0.0: PHP >= 8.4

### Community

Maintainers

![](https://www.gravatar.com/avatar/18b13c534e3812b66a72645fe215301b54fc4d288f6396fee9385b681e27da18?d=identicon)[SamMousa](/maintainers/SamMousa)

---

Top Contributors

[![SamMousa](https://avatars.githubusercontent.com/u/547021?v=4)](https://github.com/SamMousa "SamMousa (44 commits)")[![joester89](https://avatars.githubusercontent.com/u/9624366?v=4)](https://github.com/joester89 "joester89 (2 commits)")

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StyleECS

Type Coverage Yes


###  Alternatives

[nickcv/yii2-encrypter

Openssl Encrypter for Yii2

19640.0k1](/packages/nickcv-yii2-encrypter)

