
authentication and sessions


Destramic


Hey guys... I'm scratching my head over my authenticate method when it comes to remembering the user or not!

Here are the settings for my sessions:

ini_set('session.gc_probability', 1);
ini_set('session.gc_maxlifetime', 60*60);   // option name corrected from "gc_maxliftime"
session_set_cookie_params(60*60*7, '/');

Now, with the authentication there are two ways of being logged in.

1. If the user wants to be remembered on login, they have an authentication token saved in a session cookie, and if it matches the token in the user's DB row then the user will log in automatically every time.

2. If the user doesn't want to be remembered when they log in, a user ID and username are saved in the session, which I can then confirm against the user's DB row while on the site (sessions to be destroyed when the browser closes).

The problem, and where I need help, is with number 2... because I have a lifetime on the sessions, the user ID and username always get remembered even when the browser is closed and re-opened, causing the user to be remembered when he/she doesn't want to be. How can I get around this issue please?

Some session values I want to remember and some I just don't!

Here is my method for authentication if needed:

    public function authenticate()
    {
        $db      = $this->_db;
        $session = new Session;
        $session->start();

        $user_id  = $session->user_id;
        $username = $session->username;
        $identity = $this->_identity;
        $password = $this->_password;
        $row      = null;

        if ($session->authentication_token)   // property name fixed (was "authenication_token")
        {
            // 1. remember-me token held in the session
            //    placeholder name must match the one used in the query below
            $parameters = array(":authentication_token" => $session->authentication_token);

            $query = "SELECT user_id,
                             username,
                             password,
                             email_address,
                             status,
                             activation_code,
                             timezone_offset,
                             latitude,
                             longitude,
                             distance_unit,
                             timestamp
                      FROM users
                      WHERE authentication_token = :authentication_token
                        AND authenticated = 1";

            $db->connect();
            $result    = $db->execute($query, $parameters);
            $row       = $result->fetch_row();
            $row_count = $result->row_count();
            $result->free_result();
            $db->close();

            if ($row_count === 1)
            {
                $this->_authenticated = true;
            }
        }
        else if (!empty($user_id) &&          // was $id, which is never defined
                 !empty($username))
        {
            // 2. check user id and username with db
            //    auth if successful
        }
        else if (!empty($identity) &&
                 !empty($password))
        {
            // 3. fresh login with username/email address and password
            if ($this->is_email_address($identity))
            {
                $identity_column = "email_address";
            }
            else
            {
                $identity_column = "username";
            }

            $parameters = array(":identity" => $identity);
            $query      = "SELECT user_id,
                                  username,
                                  password,
                                  email_address,
                                  status,
                                  activation_token,
                                  timezone_offset,
                                  latitude,
                                  longitude,
                                  distance_unit,
                                  timestamp
                           FROM users
                           WHERE " . $identity_column . " = :identity";

            $db->connect();
            $result    = $db->execute($query, $parameters);
            $row       = $result->fetch_row();
            $row_count = $result->row_count();
            $result->free_result();

            if ($row_count === 1 &&
                $this->verify_password($password, $row['password']))
            {
                $this->_authenticated = true;

                if ($this->_remember)
                {
                    $authentication_token          = $this->get_token();
                    $session->authentication_token = $authentication_token;

                    $parameters = array(':authentication_token' => $authentication_token,
                                        ':user_id'              => $row['user_id']
                    );

                    $query = "UPDATE users
                              SET authentication_token = :authentication_token
                              WHERE user_id = :user_id";
                    $result = $db->execute($query, $parameters);
                }
                else
                {
                    if ($session->authentication_token)
                    {
                        $session->destroy('authentication_token');
                    }

                    $parameters = array(':user_id' => $row['user_id']
                    );

                    $query = "UPDATE users
                              SET authentication_token = null
                              WHERE user_id = :user_id";
                    $result = $db->execute($query, $parameters);
                }
            }

            // close only after the token UPDATE, which reuses this connection
            // (previously the connection was closed before the UPDATE ran)
            $db->close();
        }

        $this->record_login_attempt($identity);

        if ($this->_authenticated)
        {
            $session->user_id    = $row['user_id'];
            $session->username   = $row['username'];
            $session->login_time = time();
            return true;
        }

        if ($this->brute_force_attack($identity))
        {
            $this->block_account($identity);
        }

        return false;
    }

I would be extremely grateful for help on this session matter... any criticism on how I'm doing things is also very welcome... thank you guys.

https://forums.phpfreaks.com/topic/296353-authentication-and-sessions/
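The behaviour described in the post follows from the cookie settings: `session_set_cookie_params(60*60*7, '/')` gives the session cookie a seven-hour lifetime, so the browser keeps it (and the `user_id`/`username` stored behind it) across a close and re-open. The usual way to get "remember some, forget others" is to keep the login session browser-scoped (cookie lifetime 0) and put the remember-me token in a separate, long-lived cookie that is only issued when the box is ticked. The following is an added example, not the poster's code: it assumes a PDO connection in `$pdo`, three hypothetical columns on `users` (`remember_selector`, `remember_validator_hash`, `remember_expires`), and PHP 7.3+ for the array form of the cookie options.

```php
<?php
// Added example (not the poster's code). Assumes a PDO handle $pdo and the
// hypothetical users columns remember_selector, remember_validator_hash,
// remember_expires. Requires PHP 7.3+ for array-style cookie options.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 60 * 60 * 24 * 30; // 30 days

function startSession(): void
{
    // gc_maxlifetime bounds the server-side session data; a cookie lifetime
    // of 0 means the browser discards the session cookie when it closes,
    // which is exactly the "forget me" behaviour wanted for case 2.
    ini_set('session.gc_maxlifetime', (string)(60 * 60));
    ini_set('session.use_strict_mode', '1');   // reject unknown session ids
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful password login. Fresh session id on privilege
// change, then the same keys the post's authenticate() sets.
function establishLogin(int $userId, string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
}

// Only when "remember me" was ticked (case 1). The cookie carries
// selector:validator; only a hash of the validator is stored, so a leaked
// users table cannot be replayed as a login cookie.
function issueRememberCookie(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, used for lookup
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, the secret
    $expires   = time() + REMEMBER_LIFETIME;

    $stmt = $pdo->prepare(
        'UPDATE users
            SET remember_selector = :selector,
                remember_validator_hash = :hash,
                remember_expires = :expires
          WHERE user_id = :user_id'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $validator),
        ':expires'  => $expires,
        ':user_id'  => $userId,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Tried only when there is no live session. Returns the user on success.
function loginFromRememberCookie(PDO $pdo): ?array
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;   // missing or malformed cookie: not an error, just anonymous
    }
    [, $selector, $validator] = $m;

    $stmt = $pdo->prepare(
        'SELECT user_id, username, remember_validator_hash, remember_expires
           FROM users
          WHERE remember_selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time compare of the hashed validator; expiry enforced server-side
    // so a cookie the browser failed to drop still stops working.
    if ($row === false
        || (int)$row['remember_expires'] < time()
        || !hash_equals($row['remember_validator_hash'], hash('sha256', $validator))) {
        return null;
    }

    establishLogin((int)$row['user_id'], $row['username']);
    return ['user_id' => (int)$row['user_id'], 'username' => $row['username']];
}

function currentUser(PDO $pdo): ?array
{
    if (isset($_SESSION['user_id'])) {
        return ['user_id' => $_SESSION['user_id'], 'username' => $_SESSION['username']];
    }
    return loginFromRememberCookie($pdo);
}
```

With this split, a user who did not tick the box has only the lifetime-0 session cookie, so closing the browser ends the login; a user who did tick it is re-established from the separate cookie on the next visit. Logging out should clear both: `session_destroy()` plus nulling the three `remember_*` columns and expiring the `remember_me` cookie.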
