I want to learn the whole details of web application authentication. So, I decided to write a CodeIgniter authentication library from scratch. Now, I have to make a design decision about how to determine whether a user is logged in.

Basically, after the user inputs a username & password pair, a cookie is set for the session, and subsequent navigation in the web application will not require the username & password. The server side checks whether the session cookie is valid to determine whether the current user is logged in. The question is: how to determine whether a cookie is a valid cookie issued by the server side?

I can imagine the simplest way is to have the cookie value stored in the session state as well. For each HTTP request, compare the value from the cookie with the value from the server session. (Since the CodeIgniter session library stores session variables in cookies, this is not applicable without some tweaking.) This method requires storage on the server side.

For a huge web application deployed in multiple datacenters, it is possible that the user inputs the username & password while browsing in one datacenter, while he/she accesses the web application in another datacenter later. The expected behavior is that the user inputs the username & password just once. As a result, all datacenters should be able to access the session state. That is possibly not applicable even if the session state is stored in external storage such as a database.

I tried Google. I logged in to Google with an Asian proxy which is supposed to direct me to datacenters in Asia. Then I switched to a North American proxy which should direct me to datacenters in North America. It recognized my login without asking for username and password again.

So, is there any way to determine whether a user is logged in without server-side session state?

+1  A: 

No, that's impossible.
These datacenters are not isolated from each other but interconnected.
It is a distributed but solid "external storage such as database".

Cross-domain authorization is another matter but easily achieved too.

What's the use anyway of such information - just the fact the user logged in, without any user options, credentials - anything? Why without a database on the server side?

Col. Shrapnel
Do you mean that Google will have a globally accessible session storage for all datacenters? The server side would generally check whether the user is logged in and decide whether to proceed with the user action or redirect to the login page. In real life, I suppose user options will be loaded into the session as well.
Morgan Cheng
@Morgan well it decided the user is logged in. What's next? What do you mean by "session"? Isn't it the same global database as well?
Col. Shrapnel
I suppose session data for logged-in users would generally have information per session (e.g. login time) and some frequently used info (e.g. user preferences). This info should be accessible globally too.
Morgan Cheng
@Morgan well you have to have your global storage anyway. What's the question then?
Col. Shrapnel
No question now. Originally, I was wondering whether it is possible to validate user login purely with a cookie. Now I realize that it is not applicable or feasible. Thanks.
Morgan Cheng
+1  A: 

Useful resources:

  • session_save_handler allows you to replace PHP's file-based session handling by your own mechanisms, e.g. connecting to an external database

  • this SO question deals with MySQL replication.

This is only one of many issues when going multi-server with a PHP solution - I'm sure there is more to find on the topic in SO's search.

Also, consider looking on Server Fault.

Pekka
+1  A: 

Assuming that the user is authenticated just because something which looks like a session cookie exists is a very bad idea. Also your code is going to become very messy when you start trying to measure facts about the session without calling session_start() first. A better solution is to store the fact the user is authenticated (and potentially some of the authorization information) in the session itself, e.g.

 session_start();
 // empty() avoids an undefined-index notice on the first request of a new session
 if (empty($_SESSION['auth_user'])) {
    if (!empty($_POST['username']) && !empty($_POST['password'])
        && check_valid($_POST['username'], $_POST['password'])) {
        // credentials verified: record the authenticated user in the session
        $_SESSION['auth_user'] = $_POST['username'];
    } else {
        // user is not logged in
        header('Location: /login.php');
        print 'You are not logged in';
        exit;
    }
 }

C.

symcbean
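The design the question sketches (an opaque cookie token checked on every request against a session store that all datacenters share) and symcbean's point (the "logged in" fact lives in the server-side session, not in the mere presence of a cookie) can be modelled in a few dozen lines. The following is an added example, not code from the question, from CodeIgniter or from any of the answers; it is written in Python rather than PHP so that the design rather than the framework is what it shows. The `SharedSessionStore` and `Frontend` names, the constructed user table, the 30-minute idle timeout and the choice to store only a hash of the token are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds a session may sit unused before it counts as logged out (assumed)


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; real deployments would tune iterations to their hardware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash). A real app reads this from a database.
_SALT = b"constructed-example-salt"
USERS = {"morgan": (_SALT, _hash_password("correct horse", _SALT))}


def check_credentials(username: str, password: str) -> bool:
    """Verify a username/password pair in constant time relative to the stored hash."""
    entry = USERS.get(username)
    if entry is None:
        _hash_password(password, _SALT)  # spend the same time for unknown users as for known ones
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


class SharedSessionStore:
    """Stands in for the database every datacenter can reach (here an in-memory dict).

    Only a SHA-256 hash of the cookie token is stored, so a copy of the store
    does not by itself yield tokens that would be accepted as live sessions.
    """

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable, so no signature needed
        self._rows[self._key(token)] = {"user": username, "last_seen": now}
        return token

    def lookup(self, token: str, now: float):
        """Return the username bound to this token, or None if unknown or idle too long."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if now - row["last_seen"] > IDLE_TIMEOUT:
            del self._rows[key]  # expired: treat exactly like a cookie we never issued
            return None
        row["last_seen"] = now
        return row["user"]

    def destroy(self, token: str) -> None:
        self._rows.pop(self._key(token), None)


class Frontend:
    """One datacenter's web tier. Several Frontends share one store, which is what lets a
    login made in one datacenter be recognised in another."""

    def __init__(self, name: str, store: SharedSessionStore) -> None:
        self.name = name
        self.store = store

    def login(self, username: str, password: str, now=None):
        """Return the value to put in the session cookie, or None if the credentials are wrong."""
        now = time.time() if now is None else now
        if not check_credentials(username, password):
            return None
        return self.store.create(username, now)

    def current_user(self, cookie_token, now=None):
        """The check the question asks about: was this cookie issued by us and is it still valid?"""
        now = time.time() if now is None else now
        if not cookie_token:
            return None
        return self.store.lookup(cookie_token, now)

    def logout(self, cookie_token: str) -> None:
        if cookie_token:
            self.store.destroy(cookie_token)


if __name__ == "__main__":
    store = SharedSessionStore()
    asia, north_america = Frontend("dc-asia", store), Frontend("dc-na", store)
    cookie = asia.login("morgan", "correct horse")
    print("login in dc-asia issued a cookie:", cookie is not None)
    print("dc-na recognises it as:", north_america.current_user(cookie))
    print("a forged cookie value maps to:", north_america.current_user("not-issued-by-us"))
```

Because the token is only a random lookup key, a forged or expired cookie simply finds no row; nothing about the cookie's own bytes is trusted, which is the substance of symcbean's warning. If the two frontends were given separate stores instead of one shared instance, the second datacenter would report the user as logged out, which is the multi-datacenter problem the question raises.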