boha Posted January 26, 2009 Share Posted January 26, 2009 Hello I made my own authentication class, and I wonder if someone could tell me what he thinks about it. Is there anything I should add or remove ? I'm also interested what do you think of security of this code. This is how my database table looks: user_uiduser_passuser_sid bohab4793a35a6ccd8a21eb690ad1d9b85f9098f6bcd4621d373cade4e832627b4f6 My auth class: <?php class Auth { //Database object private $_db; //Parameters (db tables, ...) private $_params; public function __construct(PDO $db, $params) { $this->_db = $db; $this->_params = $params; } //Check if user is authenticated public function isAuthenticated() { if (isset($_SESSION['auth']['sid']) && isset($_SESSION['auth']['uid'])) { return $this->_validateSid($_SESSION['auth']['uid'], $_SESSION['auth']['sid']); } return false; } //Get username public function getAuth() { if (isset($_SESSION['auth']['sid']) && isset($_SESSION['auth']['uid'])) { return $_SESSION['auth']['uid']; } return false; } // Set session cookies public function setAuth($uid, $pass) { if ($this->_validate($uid, $pass)) { $_SESSION['auth']['uid'] = $uid; $_SESSION['auth']['sid'] = $this->_updateSid($uid); if ($_SESSION['auth']['sid']) { return true; } } return false; } // logout public function clearAuth() { $_SESSION['auth']['uid'] = false; $_SESSION['auth']['sid'] = false; } private function _validate($uid, $pass) { $query = sprintf('SELECT COUNT(*) FROM %s WHERE user_uid = ? AND user_pass = ?', $this->_params['table']); $sth = $this->_db->prepare($query); $sth->execute(array($uid, $this->_cryptPassword($pass))); return ($sth->fetchColumn() == 1) ? true : false; } private function _validateSid($uid, $sid) { $query = sprintf('SELECT COUNT(*) FROM %s WHERE user_uid = ? AND user_sid = ?', $this->_params['table']); $sth = $this->_db->prepare($query); $sth->execute(array($uid, $sid)); return ($sth->fetchColumn() == 1) ? true : false; } private function _updateSid($uid) { $sid = $this->_generateSid(); $query = sprintf('UPDATE %s SET user_sid = ? WHERE user_uid = ?', $this->_params['table']); $sth = $this->_db->prepare($query); $result = $sth->execute(array($sid, $uid)); if ($result) { return $sid; } return false; } private function _cryptPassword($pass) { return md5($pass); } private function _generateSid() { return md5(mt_rand() . time()); } } ?> And example: <?php require_once 'auth.php'; session_start(); /* Connect to an database */ $dsn = 'mysql:dbname=testdb;host=127.0.0.1'; $user = 'username'; $password = 'password'; try { $dbh = new PDO($dsn, $user, $password); } catch (PDOException $e) { echo 'Connection failed: ' . $e->getMessage(); } $auth = new Auth($dbh, array('table' => 'users')); if ($_POST['login']) { try { $auth->setAuth($_POST['username'], $_POST['password']); } catch (PDOException $e) { echo $e->getMessage(); } } var_dump($auth->getAuth()); var_dump($auth->isAuthenticated()); ?> <form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> <input type="text" name="username" /> <input type="text" name="password" /> <input type="submit" value="login" name="login" /> </form> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.