Jump to content

Recommended Posts

hey guys...i'm scratching my head over my authenticate method when it comes to remembering user or not!

 

here are the setting for my sessions

ini_set('session.gc_probability', 1);
ini_set('session.gc_maxliftime', 60*60);
session_set_cookie_params(60*60*7, '/');

now with the authentication there is 2 ways of being logged in.

 

1. if user wants to be remembered on log in, they have a authentication token saved in a session cookie and it if it matches with the users db row token the the user will log in automatically every time.

 

2. if user doesn't want to be remembered when they log in a user id and username is saved as a session where i then can confirm the in user db row when on site (sessions to be destroyed when browser closes)

 

the problem and help i need is on number 2...because i have a lifetime on the sessions the user id and username always gets remembered even when browser is closed and re-opened...causing the user to be remembered when he/she doesn't want to be....how can i get around this issue please?

 

some session values i want to remember and some i just don't!

 

here is my method for authentication if needed.

	public function authenticate()
	{
	    $db      = $this->_db;
	    $session = new Session;
	    $session->start();
	    
	    $user_id  = $session->user_id;
	    $username = $session->username;
	    $identity = $this->_identity;
	    $password = $this->_password;
	    
	    if ($session->authenication_token)
	    {
	        $parameters = array(":authentication_token"  => $session->authentication_token);
	      
	        $query = "SELECT user_id,
					         username,
					         password,
					         email_address,
					         status,
					         activation_code,
					         timezone_offset,
					         latitude,
					         longitude,
					         distance_unit,
					         timestamp
					  FROM users
					  WHERE authentication_token = :token
	                  AND authenticated = 1";
	        
	        $db->connect();
	        $result    = $db->execute($query, $parameters);
	        $row       = $result->fetch_row();
	        $row_count = $result->row_count();
	        $result->free_result();
	        $db->close();
	        
	        if ($row_count === 1)
	        {
	            $this->_authenticated = true;
	        }
	    }
	    else if (!empty($id) &&
	             !empty($username))
	    {
	        // check id and username with db
	        // auth if successful
	    }
	    else if (!empty($identity) &&
	             !empty($password)) 
	    {
    	    if ($this->is_email_address($identity))
    	    {
    	       $identity_column = "email_address";
    	    }
    	    else
    	    {
    	       $identity_column = "username";
    	    }
    	        
    	    $parameters = array(":identity" => $identity);
            $query      = "SELECT user_id,
    					          username,
    					          password,
    					          email_address,
    					          status,
    					          activation_token,
    					          timezone_offset,
    					          latitude,
    					          longitude,
    					          distance_unit,
    					          timestamp
    					   FROM users
    					   WHERE " . $identity_column . " = :identity";
              
    	    $db->connect();
    	    $result    = $db->execute($query, $parameters);
    	    $row       = $result->fetch_row();
            $row_count = $result->row_count();
    	    $result->free_result();
    	    $db->close();
    	    
    	    if ($row_count === 1 &&
    	        $this->verify_password($password, $row['password']))
    	    {
    	        $this->_authenticated = true;
    	        
    	        if ($this->_remember)
    	        {
    	            $authentication_token          = $this->get_token();
    	            $session->authentication_token = $authentication_token;
    	        
    	            $parameters = array(':authentication_token' => $authentication_token,
    	                                ':user_id'              => $row['user_id']
    	            );
    	        
    	            $query = "UPDATE users
	                          SET authentication_token = :authentication_token
	                          WHERE user_id = :user_id";
    	            $result  = $db->execute($query, $parameters);
    	        }
    	        else
    	        {
    	            if ($session->authentication_token)
    	            {
    	                $session->destroy('authentication_token');
    	            }
    	        
    	            $parameters = array(':user_id' => $row['user_id']
    	            );
    	            
    	            $query = "UPDATE users
	                          SET authentication_token = null
	                          WHERE user_id = :user_id";
    	            $result  = $db->execute($query, $parameters);
    	        }
    	    }
	    }

	    $this->record_login_attempt($identity);
	    
	    if ($this->_authenticated)
	    {
	        $session->user_id    = $row['user_id'];
	        $session->username   = $row['username'];
	        $session->login_time = time();
	        return true;
	    }
	    
	   if ($this->brute_force_attack($identity))
	   {
	       $this->block_account($identity);
	   }
	    
	   return false;	
	}

help on this session matter would be extremely grateful...any criticism on how I'm doing things is also very welcome...thank you guy

Link to comment
https://forums.phpfreaks.com/topic/296353-authentication-and-sessions/
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.