10. Checking persistent login credentials
If the user has chosen to let the script remember him/her,
a cookie is saved, which is checked via the following
method.
function _checkRemembered($cookie)
{
    // The cookie holds a serialized array(username, cookie token); the @
    // silences the notice unserialize() emits on malformed input.
    list($username, $cookie) = @unserialize($cookie);
    if (!$username or !$cookie) return;
    // quote() returns the value already escaped and wrapped in quotes
    $username = $this->db->quote($username);
    $cookie = $this->db->quote($cookie);
    $sql = "SELECT * FROM member WHERE " .
           "(username = $username) AND (cookie = $cookie)";
    $result = $this->db->getRow($sql);
    if (is_object($result)) {
        // true: this counts as a fresh login, so the IP and session id are stored
        $this->_setSession($result, true);
    }
}
This function should not trigger any error messages at
all. To make things more secure, a separate cookie token is saved
in the cookie rather than the user's password. This way one can still
ask for the password in areas which require even higher security.
11. Ensuring valid session data
function _checkSession()
{
    $username = $this->db->quote($_SESSION['username']);
    $cookie   = $this->db->quote($_SESSION['cookie']);
    $session  = $this->db->quote(session_id());
    $ip       = $this->db->quote($_SERVER['REMOTE_ADDR']);
    // all four values must match the member row for the session to stay valid
    $sql = "SELECT * FROM member WHERE " .
           "(username = $username) AND (cookie = $cookie) AND " .
           "(session = $session) AND (ip = $ip)";
    $result = $this->db->getRow($sql);
    if (is_object($result)) {
        // not a first login: leave the stored IP and session id untouched
        $this->_setSession($result, false, false);
    } else {
        $this->_logout();
    }
}
This is the final part: we check that the cookie saved
in the session, the session id and the IP address
of the visitor all match the database record. The call to _setSession is
made with a parameter that tells it this is not the first login to the system,
so it does not update the IP and session id, which would be
pointless anyway.
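Below is an added example, not the tutorial's own code, that reworks both checks (sections 10 and 11) in a hardened form: the cookie is split with explode() instead of unserialize(), so a crafted cookie value cannot make PHP instantiate objects; the database is queried through PDO prepared statements instead of quote() and string concatenation; and the stored value is a hash of a random token compared with hash_equals(). It assumes a `member` table with the tutorial's columns (username, cookie, session, ip). The class name, method names and the in-memory SQLite demo at the end are this example's own, not the tutorial's.

```php
<?php
// Added example (not the tutorial's code). Assumes a `member` table with the
// columns username, cookie, session and ip; PersistentLogin and its methods
// are this example's own names.
declare(strict_types=1);

final class PersistentLogin
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Issue a remember-me value: a random token whose SHA-256 hash is stored in
    // member.cookie; the browser gets "username:token" rather than a serialized
    // PHP array. Returns the value to place in the cookie.
    public function issueRememberToken(string $username): string
    {
        $token = bin2hex(random_bytes(32));
        $stmt = $this->db->prepare('UPDATE member SET cookie = :cookie WHERE username = :username');
        $stmt->execute([':cookie' => hash('sha256', $token), ':username' => $username]);
        return $username . ':' . $token;
    }

    // Send the value from issueRememberToken() as an HTTPS-only, HttpOnly cookie.
    public function sendRememberCookie(string $value): void
    {
        setcookie('remember', $value, [
            'expires' => time() + 30 * 86400, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }

    // Counterpart of the tutorial's _checkRemembered(): parse with explode(),
    // look the user up by name only, then compare the token hash in constant
    // time. Returns the member row on success, null otherwise.
    public function checkRemembered(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            return null;
        }
        [$username, $token] = $parts;
        $stmt = $this->db->prepare('SELECT * FROM member WHERE username = :username');
        $stmt->execute([':username' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || $row['cookie'] === null) {
            return null;
        }
        return hash_equals((string) $row['cookie'], hash('sha256', $token)) ? $row : null;
    }

    // Counterpart of _checkSession(): username, stored token hash, current
    // session id and client IP must all match the member row; on a mismatch the
    // caller should log the user out, as the tutorial does.
    public function checkSession(array $session, string $sessionId, string $ip): ?array
    {
        if (empty($session['username']) || empty($session['cookie'])) {
            return null;
        }
        $stmt = $this->db->prepare(
            'SELECT * FROM member WHERE username = :username AND session = :session AND ip = :ip'
        );
        $stmt->execute([':username' => $session['username'], ':session' => $sessionId, ':ip' => $ip]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || $row['cookie'] === null) {
            return null;
        }
        return hash_equals((string) $row['cookie'], (string) $session['cookie']) ? $row : null;
    }
}

// Offline demo with constructed data: an in-memory SQLite table stands in for `member`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (username TEXT PRIMARY KEY, cookie TEXT, session TEXT, ip TEXT)');
$pdo->exec("INSERT INTO member (username, session, ip) VALUES ('alice', 'sess-1', '203.0.113.5')");

$login = new PersistentLogin($pdo);
$value = $login->issueRememberToken('alice');
$row = $login->checkRemembered($value);
$ok = $row !== null
    && $login->checkRemembered('alice:' . str_repeat('0', 64)) === null        // wrong token
    && $login->checkRemembered('a:2:{i:0;s:5:"alice";i:1;s:1:"x";}') === null; // serialized input is just an unknown user
$sess = ['username' => 'alice', 'cookie' => $row['cookie']];
$ok = $ok
    && $login->checkSession($sess, 'sess-1', '203.0.113.5') !== null
    && $login->checkSession($sess, 'sess-1', '198.51.100.9') === null;         // IP changed
echo $ok ? "remember-me and session checks behave as expected\n" : "unexpected result\n";
```

Storing only the hash of the token means a read of the member table does not yield usable remember-me cookies, and hash_equals() keeps the comparison independent of how many leading characters match. The IP check is kept because the tutorial relies on it, but note that users behind changing proxies or mobile networks will be logged out when their address changes.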