Jump to content

Recommended Posts

So to get started somewhere i decided to build auth class. How good is this? how secure? What would you do to improve it? Thx

 

Some info:

  • phpass is used from password hashing
  • many things/features aren't finished

 

<?php
class UserAuth{

   /**
   * User name
   * 
   * @var mixed
   */
   private $userName;

   /**
   * User email
   * 
   * @var mixed
   */
   private $userEmail;

   /**
   * User password
   * 
   * @var mixed
   */
   private $userPassword;

   /**
   * Database handler
   * 
   * @var PDO 
   */
   private $dbh;

   /**
   * Hashed password
   * 
   * @var PasswordHash
   */
   private $hasher=null;

   /**
   * Holds session object
   * 
   * @var Session
   */
   private $session;

   public function __construct()
   {
       $this->hasher = new PasswordHash(8, false); 
       $this->dbh=new PDO('mysql:dbname=auth;host=localhost','root','ssdksdskdj'); 
       $this->session=new Session();
   }

   /**
    * Set user input data
    * 
    * @param string $userName
    * @param string $userEmail
    * @param string $userPassword
    */
   public function setData($userName=null, $userEmail=null, $userPassword=null)
   {
       $this->userName=$userName;
       $this->userEmail=$userEmail;
       $this->userPassword=$userPassword;
   }

   /**
    * Check  is user logged in or not
    * 
    * @return boolean
    */
   public function isLoggedIn()
   {
       if(isset($this->session->currentUser)){
           return true;
       }
       else{
           return false;
       }
   }

   /**
   * Insert new user in db
   * 
   * @return bool If user is inserted returns true
   */
   public function register()
   {
       //get hashed password using phpass library
       $hash=$this->hasher->HashPassword($this->userPassword);

       try{

          //hash fail if its below 20 chars
          if(strlen($hash) > 20){

              //user data
               $data=array(
                   $this->userName,
                   $hash,
                   $this->userEmail
               );

               //prepare
               $sth = $this->dbh->prepare("INSERT INTO users (userName, userPassword, userEmail) value (?, ?, ?)");

               //go
               if($sth->execute($data)){
                   return true;
               }
               else{
                   throw new Exception('Faild to insert user!');
               }
           }
           else{
               throw new Exception('Hash faild');
           }

       }
       catch(Exception $e){
           echo '<p>Something bad happend!</p>'; 
           //todo: after this save error 
       }

   }

   /**
   * Login user into system
   * 
   * @return boolen Returns true if user was succesufully logged in 
   */

   public function login()
   {    
       //grabb user data
       $sth=$this->dbh->prepare("SELECT userId,userName,userEmail,userPassword FROM users WHERE userName=?");

       //data
       $data=array(
           $this->userName
       );

       //go
       $sth->execute($data);
       $userData=$sth->fetch(PDO::FETCH_ASSOC);
       try{
           //if we've got something go
           if($userData){  

               //compare passwords           
               $result=$this->hasher->CheckPassword($this->userPassword, $userData['userPassword']);


               //if fine store user id in session
               if($result){

                   //if user is not already logged in then proceed
                    if(!isset($this->session->currentUser)){

                       $this->session->currentUser=$userData['userId'];
                       $this->session->currentToken=$this->hashToken();


                       //insert user data into loggedin table
                       $data=array(
                           $userData['userId'],
                           session_id(),
                           $this->session->currentToken
                       );


                       //prepare
                       $sth = $this->dbh->prepare("INSERT INTO loggedinusers (loggedInUser, loggedInSession, loggedInToken) value (?, ?, ?)");
                       if($sth->execute($data)){
                           return true;
                       }
                   }
                }                 
           }
           else{
               throw new Exception('Faild to retrive data from db!');
           }
       }
       catch(Exception $e){
           echo '<p>Something bad happend!</p>'; 
           //todo: after this save error
       }
   }

   /**
   * Logout user
   * 
   */

   public function logout()
   {
       try{
           //check is user logged in
           if(isset($this->session->currentUser)){


               //delete session data
               $sth=$this->dbh->prepare("DELETE FROM loggedinusers WHERE loggedInUser=?");

               //data
               $data=array(
                   $this->session->currentUser
               );

               //go
               if($sth->execute($data)){
                   //unset session
                   $this->session->unsetAll();
                   return true;
               }else{
                   throw new Exception('Session data was not deleted!');
               }              
           }
       }
       catch(Exception $e){
           echo '<p>Something bad happend!</p>'; 
           //todo: after this save error
       }
   }

   /**
    * Check that a users session is legitimate
    * 
    * @return boolean
    */

   public function checkSession()
   {
           //grabb session data
           $sth=$this->dbh->prepare("SELECT loggedInSession,loggedInToken FROM loggedinusers WHERE loggedInUser=?");

           //data
           $data=array(
               $this->session->currentUser
           );

           //go
           $sth->execute($data);
           $sessionData=$sth->fetch(PDO::FETCH_ASSOC);

           try{
               //go
               if($sessionData){

                   //get current session ID
                   $session_id=session_id();
                   //compare
                   if($session_id == $sessionData['loggedInSession']) {
                           //Id and token match, refresh the session for the next request
                           $this->refreshSession();
                           return true;
                   }          
               }
               else{
                   throw new Exception('Faild to retrive data from db!');
               }
           }
           catch(Exception $e){
               echo '<p>Something bad happend!</p>';
           }
   }

   /**
    * Refresh current session id and update databse with new session data
    */
   private function refreshSession()
   {
           //Regenerate id
           session_regenerate_id();
           //Regenerate token
           $random = $this->randomString();
           //Build the token
           $token = $_SERVER['HTTP_USER_AGENT'] . $random;
           $token = $this->hashToken($token); 


           //Store in session
           $this->session->currentToken = $token;

           //delete previous data
           //delete session data
           $sth=$this->dbh->prepare("DELETE FROM loggedinusers WHERE loggedInUser=?");

           //data
           $data=array(
                $this->session->currentUser
           );


           //go
           if($sth->execute($data)){
                //insert new info
                $data=array(
                     $this->session->currentUser,
                     session_id(),
                     $token
                );
                //prepare
                $sessionDataInsert = $this->dbh->prepare("INSERT INTO loggedinusers (loggedInUser, loggedInSession, loggedInToken) value (?, ?, ?)");


                if($sessionDataInsert->execute($data)){
                   return true;
                } 
           }     
   }

   /**
   * Return hashed string
   * 
   * @return string
   */
   private function hashToken()
   {
       $token = $_SERVER['HTTP_USER_AGENT'] . $this->randomString();
       $result = hash_hmac('sha512', $token, 'opjsd4ersdfsadfasdfasdfasdfdfgziqwopjasodjjsdgfw7ezr6342wezrw734');
       return $result;    
   }

   /**
   * Return random string with max lenght of 50 chars (default)
   * 
   * @param int $length
   * @return string $string
   */
   private function randomString($length = 50)
   {
       $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
       $string = '';    


       for ($p = 0; $p < $length; $p++) {
           $string .= $characters[mt_rand(0, strlen($characters)-1)];
       }


       return $string;
   }
}
?>

<?php 
class Session {

   const SECRET='sodifpsodfuspiodf748p5ćoićt3495349eort';
   private $hash;
   private $key;
   private $test;


   public function __construct()
   {
       $this->hash=md5(dirname(__FILE__) . self::SECRET);
       $this->key='sess_' . $this->hash;
   }

   /**
   * Creat new session and set value 
   *   
   * @param mixed $name
   * @param mixed $value
   */
   public function __set($name,$value) 
   {
       $_SESSION[$this->key][$name] = $value;
   }

   public function & __get($name) 
   {
       return $_SESSION[$this->key][$name];
   }


   public function __isset($name) 
   {
       return isset($_SESSION[$this->key][$name]);
   }

   public function __unset($name) 
   {
       unset($_SESSION[$this->key][$name]);
   }

   public function unsetAll() 
   {
       unset($_SESSION[$this->key]);
   }
}
?>

Link to comment
https://forums.phpfreaks.com/topic/272968-how-good-is-this-auth-class/
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.