Destramic Posted May 16, 2015 Hey guys... I'm scratching my head over my authenticate method when it comes to remembering the user or not. Here are the settings for my sessions: ini_set('session.gc_probability', 1); ini_set('session.gc_maxliftime', 60*60); session_set_cookie_params(60*60*7, '/'); With the authentication there are two ways of being logged in. 1. If the user wants to be remembered on login, an authentication token is saved in a session cookie, and if it matches the token in the user's DB row, the user is logged in automatically every time. 2. If the user doesn't want to be remembered, on login a user id and username are saved in the session, which I can then confirm against the user's DB row while on the site (sessions to be destroyed when the browser closes). The problem I need help with is number 2: because I have a lifetime on the sessions, the user id and username are always remembered even when the browser is closed and re-opened, causing the user to be remembered when he/she doesn't want to be. How can I get around this issue? Some session values I want to remember and some I just don't. Here is my method for authentication if needed.
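/**
 * Authenticate the current visitor and set $this->_authenticated.
 *
 * Three paths are tried in order, each resolving to at most one users row:
 *   1. a remember-me token held in the session, matched against
 *      users.authentication_token (and authenticated = 1);
 *   2. a user_id/username pair already held in the session, re-checked
 *      against the users table;
 *   3. the identity (email address or username) and password set on
 *      $this->_identity / $this->_password.
 *
 * On success the session receives user_id, username and login_time and the
 * session id is rotated. When an identity was supplied the attempt is
 * recorded, and on failure the account is blocked if brute_force_attack()
 * reports abuse.
 *
 * NOTE(review): the remember-me token is kept inside the PHP session, so it
 * lives exactly as long as the session cookie does — which is also why a
 * long session_set_cookie_params() lifetime keeps non-remembered logins
 * alive across browser restarts. A persistent login normally gets its own
 * long-lived cookie, with the session cookie left at lifetime 0 so it
 * expires when the browser closes. The token is also stored in clear in the
 * DB; storing only a hash of it would limit the damage of a DB leak.
 * Neither change is made here.
 *
 * @return bool true when a users row was authenticated, false otherwise
 */
public function authenticate()
{
    $db = $this->_db;
    $session = new Session;
    $session->start();

    $user_id = $session->user_id;
    $username = $session->username;
    $identity = $this->_identity;
    $password = $this->_password;

    // Same column list for every lookup. The original code selected
    // "activation_code" in one query and "activation_token" in another;
    // confirm which name the schema actually has.
    $columns = "user_id, username, password, email_address, status, activation_code, "
        . "timezone_offset, latitude, longitude, distance_unit, timestamp";

    $row = null;

    // One connection for the whole method: the original closed it before the
    // UPDATE statements below and then executed against a closed connection.
    $db->connect();

    if ($session->authentication_token) {
        // Path 1: remembered user. The placeholder must match the bound
        // parameter name (the original bound :authentication_token but wrote
        // :token in the SQL, and tested a misspelled session property).
        $row = $this->fetch_single_user(
            $db,
            "SELECT " . $columns . " FROM users"
                . " WHERE authentication_token = :authentication_token AND authenticated = 1",
            [':authentication_token' => $session->authentication_token]
        );
        if ($row !== null) {
            $this->_authenticated = true;
        }
    } elseif (!empty($user_id) && !empty($username)) {
        // Path 2: the session already names a user. Both values must still
        // match a single row so a stale or tampered session does not
        // authenticate. (The original tested an undefined $id here and left
        // the lookup as a TODO, so $row was never set for this path.)
        $row = $this->fetch_single_user(
            $db,
            "SELECT " . $columns . " FROM users WHERE user_id = :user_id AND username = :username",
            [':user_id' => $user_id, ':username' => $username]
        );
        if ($row !== null) {
            $this->_authenticated = true;
        }
    } elseif (!empty($identity) && !empty($password)) {
        // Path 3: credentials. $identity_column is one of two fixed names,
        // never input, so interpolating it is safe; the value is always bound.
        $identity_column = $this->is_email_address($identity) ? "email_address" : "username";
        $row = $this->fetch_single_user(
            $db,
            "SELECT " . $columns . " FROM users WHERE " . $identity_column . " = :identity",
            [':identity' => $identity]
        );

        if ($row !== null && $this->verify_password($password, $row['password'])) {
            $this->_authenticated = true;

            if ($this->_remember) {
                $authentication_token = $this->get_token();
                $session->authentication_token = $authentication_token;
                $db->execute(
                    "UPDATE users SET authentication_token = :authentication_token WHERE user_id = :user_id",
                    [':authentication_token' => $authentication_token, ':user_id' => $row['user_id']]
                );
            } else {
                // Not remembered: drop any token left over from an earlier login,
                // both in the session and in the users row.
                if ($session->authentication_token) {
                    $session->destroy('authentication_token');
                }
                $db->execute(
                    "UPDATE users SET authentication_token = null WHERE user_id = :user_id",
                    [':user_id' => $row['user_id']]
                );
            }
        }
    }

    $db->close();

    // Only record attempts that name an identity; the original also logged
    // the cookie paths as an attempt against an empty identity.
    if (!empty($identity)) {
        $this->record_login_attempt($identity);
    }

    if ($this->_authenticated) {
        // Rotate the session id so an id fixed before login is not valid
        // afterwards. Assumes Session wraps the native PHP session — confirm.
        session_regenerate_id(true);
        $session->user_id = $row['user_id'];
        $session->username = $row['username'];
        $session->login_time = time();
        return true;
    }

    if (!empty($identity) && $this->brute_force_attack($identity)) {
        $this->block_account($identity);
    }

    return false;
}

/**
 * Run a users lookup that must match exactly one row.
 *
 * @param mixed  $db         the connected database wrapper
 * @param string $query      SELECT with named placeholders
 * @param array  $parameters placeholder => value
 * @return array|null the fetched row when row_count() is exactly 1, null otherwise
 */
private function fetch_single_user($db, $query, array $parameters)
{
    $result = $db->execute($query, $parameters);
    $row = $result->fetch_row();
    $row_count = $result->row_count();
    $result->free_result();

    return $row_count === 1 ? $row : null;
}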