ansaurus

Question

Role of Session in user authentication/login?

Answer 1

+3 A:

The session is a good place for holding user data that you want to have managed in some sort of state across various pages or if you need a fast accessible way to get at it without hitting the database. It is a bad idea to keep secure information (re: passwords/etc) in the session, but rapid access information like username, name, email address, preferences, etc is all good data to put in the session. Try to keep it simple though.

Keep in mind though, that the session (or related cookie) should only ever be used for identification. It should not be used for authentication.

Authentication object is a good method. Make sure that it only holds secure information as long as it needs to and that it has all the necessary functions available to keep sensitive data protected.

Joel Etherton 2010-01-22 04:17:07

I agree, and so storing the password is not on the list of user data that is stored.

Andre 2010-01-22 04:27:02

Answer 2

+3 A:

EDIT:

Simply calling your authenticate method should trigger logic within Auth to store the proper data in the session (or some other data store) and Auth should also be used exclusively to retreive/revoke this info. So using the example form your comment it might be:

class Auth {
  public static function authenticate($identity, $pass)
  {
     // do lookup to match identity/pass if its good then

     /* assume $auth is an array with the username/email or 
        whatever data you need to store as part of authentication */
     Session::set('auth', $auth);
     return true;

     // if auth failed then 
     Session::set('auth', array('user'=>'anonymous'));
     return false;
  }

  public function isAuthenticated()
  {
     $auth = Session::get('auth');
     if(!$auth)
     {
       return false;
     }

     return (isset($auth['user']) && $auth['user'] !== 'anonymous'); 
   }
}

[...] as it stands right now I feel as though I'm getting too much wrapped up in my Session object.

And id agree. Idelaly for authentication/credentials you shoudl only be interacting with the Auth/Acl object(s). They would then utilize the session as stateful store... but you shouldnt care that its even stored in session. The code utilizng the Auth/Acl object(s) should be completely unaware of this fact.

For example:

//Bad

if($session->get('authenticated', 'auth'))
{
  // do stuff
}


// also bad

if(isset($_SESSION['authenticated']))
{
  // do stuff
}


//Good

if($auth->isAuthenticated())
{
  // do stuff
}

// inside $auth class it might look like this
public function isAuthenticated()
{
  $store = $this->getSotrage(); // assume this returns the $_SESSION['auth']
  return isset($store['authenticated']);
}

prodigitalson 2010-01-22 04:18:30

Just so I'm understanding you correctly, your suggesting I do authentication directly, then getting result and storing it in my Session?Something along the lines of:if ($result = Auth::authenticate($email, $psswd)) { Session::set('user', $result);}

Andre 2010-01-22 04:24:45

no all inter action with the session should be in the auth class.. you shoudl never outside of the auth class be accessing the auth values in the session.

prodigitalson 2010-01-22 04:27:29

Just some clarification when you say auth values, I take it to mean the credentials used for authentication those being username and more specifically the password.

Andre 2010-01-22 05:06:53

Well you shouldnt be storing the password or any other privileged info in the session... what i mean is for example the username, and pk for that user in the db or maybe a list of "access groups" or something.

prodigitalson 2010-01-22 06:19:12

The information being stored is along the lines of what Joel Etherton referenced in his response, that being email address, username, account preferences. So only those things related to the user.Also you touched on it but it wasn't in your example but your recommendation is that the logout operation also be carried on by the Auth object -- possibly in the form of a deauthenticate method.

Andre 2010-01-22 07:24:38

@Andre:Correct. Normally though i would keep account prefs separate from authentication and access that from the `Session` class. The important thing is the separation of concerns (SoC). In order to have clear SoC i generally Namespace my session so that i have top level keys like `'auth', 'user', 'breadcrumb'` etc.. Then each one of these namespaces is managed by a particular class and actually stores the necessary data for each class/concern.

prodigitalson 2010-01-22 15:41:24

As it stands now I'm authenticating the user credential against a table in a db. By JOINing that table with those storing the user information -- name, email, birthdate, gender, etc.. -- I'm able to do the authentication and get user info in one query. As opposed to authenticating then getting the user info by way of a second query in my Session. I find the use of one query in my Auth object acceptable as authentication should not be possibly if user information doesn't exist. I'm curious to hear your thoughts on this.

Andre 2010-01-24 19:02:28

ansaurus

tags:

views:

answers:

Role of Session in user authentication/login?

related questions