I do know how to use sessions/cookies. I do keep session and a cookie + token for a user logged in.
I’m using MVC structure (my own) and i have a Login.php controller. I also have User.php class that is a singleton class having only 1 instance.
My base controller gets the instance of User and stores in a variable like this:
abstract class Controller {
private $model;
private $user;
function __construct($model = '') {
..... //some code
$this->user = User::getInstance();
}
public function user() {
return $this->user;
}
}
In my login.php i have the following once the user submits form with user name and pass:
function logUserIn() {
if (! isset($_POST['UName']) || ! isset($_POST['UPass'])) {
$this->_404();
}
$uname = strtolower($_POST['UName']);
$pass = Hash::strongHashMD5($_POST['UPass']);
$token = $_POST['token'];
$isValid = $this->model->userCheck($uname, $pass);
$res = $this->validateUser($isValid, $token, $uname);
if ($res === false) {
echo 'User Does Not Exist!';
} else if ($res === 'Token_Error') {
echo 'Invalid Form Submission';
} else if ($res === true) {
//update token
$this->model->updateToken($isValid['ID'], $token, $_SERVER['REMOTE_ADDR']);
header("Location: ../login");
}
exit;
}
this is my method that validates user
private function validateUser($UInfo, $token, $UName) {
if ($UInfo !== false && isset($UInfo['ID']) && $UInfo['ID'] > 0) {
if ($UInfo['token'] == $token) {
return 'Token_Error';
} else {
$this->user()->setValues($UInfo['ID'], $UName, $token);
$this->user()->setSessions();
return true;
}
}
return false;
}
setsessions() method just sets the session/cookies of that user
Now everytime i want to access to see whether user is logged in or not i have to do it through controller and pass it to anywhere else.
Is there any better way of doing this? Is there any problem with my code in terms of security issues etc…
Any suggestions/advices will be appreciated, thanks guys
Currently you have domain business logic leaking all over the place. It should stay in the model layer (yes, in proper MVC the Model is a layer not a class or object), instead of being in the presentation layer.
Also, please stop hashing passwords with MD5. You might as well leave them as plain-text if you do so. Instead you should be using either
crypt()withCRYPT_BLOWFISHor PBKDF2 algorithm.Oh .. and redirecting people to 404, if one of the form fields is empty, seems a bit like overreacting.
anyway ..
the main topic:
The user authentication should happen entirely in the model layer (more precisely: in some
Recognitionservice). Controller should only provide model layer with data and notify the current view thatPOSThas request has been sent.The service, upon receiving data, should create domain object for the
Userand assign the values. If the data passes the validation (which is one of responsibilities of a domain object) the service should instantiate the appropriate data mapper and fetch the data from storage (which might or might not be an SQL database). If this goes thought with any problems (like missing record in storage), the domain object should conform the credentials.If any of this failed at some point, service should act upon the error state and put it in temporary storage (most likely – session).
When application gets to the part where view is supposed to generate the response, the view instance would react on the indication about
POSTrequest by checking for error state in model layer and perform the redirect by sending an HTTP header as only response based on whether or not there has been an error.