As a workaround, I ended up setting the UID when I successfully validate a cookie. This still sort of irks me and I am thinking about making the whole user authentication system object-oriented such that the UID is directly pulled from the database rather than a database query from the username in the cookie. Luckily I strip beginning/ending whitespace before inserting usernames in the database so it's not that unsafe. :glare:
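// the encryptString function salts and hashes whatever string is passed
// the getUserID function is a MySQL query that grabs the UID based on username
function validateCookie()
{
    // these names are still local at this point, so this unset() does not touch the globals
    unset($username, $uid, $password, $auth_token);
    if (!empty($_COOKIE['login'])) {
        // explode() replaces split(), which was removed in PHP 7;
        // array_pad() keeps list() from failing when the cookie has no comma
        list($cookie_username, $cookie_hash) = array_pad(explode(',', $_COOKIE['login']), 2, '');
        $username_encrypted = encryptString($cookie_username);
        $cookie_hash_clean = rtrim($cookie_hash);
        // hash_equals() compares in constant time and avoids the type juggling of a loose ==
        if (hash_equals((string) $username_encrypted, $cookie_hash_clean)) {
            global $username, $uid, $auth_token;
            $username = $cookie_username;
            $auth_token = 1;
            $uid = getUserID($username);
            return true;
        } else {
            loginMsg('unable to read cookie');
            return false;
        }
    } else {
        return false;
    }
}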
If you guys have any tips on how to resolve my core problem or improve the code, please let me know. 🙂
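One way to have the cookie carry the UID itself, so validation does not depend on a username lookup, shown as an added example that is not part of the original post: the value is authenticated with an HMAC and carries an expiry. `COOKIE_KEY`, both function names, the `uid|expires|mac` layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. COOKIE_KEY is a hypothetical
// server-side secret; in real use it comes from configuration, not source.
const COOKIE_KEY = 'constructed-demo-key-change-me';

// Build "uid|expires|mac". The MAC covers uid and expiry, so neither
// field can be changed client-side without invalidating the cookie.
function issueLoginCookieValue(int $uid, int $ttl = 86400, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = $uid . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the UID when the value is authentic and unexpired, otherwise null.
function readLoginCookieValue(string $value, ?int $now = null): ?int
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;                         // malformed: wrong field count
    }
    list($uid, $expires, $mac) = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return null;                         // fields must be plain digits
    }
    $expected = hash_hmac('sha256', $uid . '|' . $expires, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                         // MAC mismatch: altered or forged
    }
    if ((int) $expires < ($now ?? time())) {
        return null;                         // authentic but expired
    }
    return (int) $uid;
}

// Constructed sample run with a fixed clock so the results are repeatable.
$now   = 1700000000;
$value = issueLoginCookieValue(42, 3600, $now);

var_dump(readLoginCookieValue($value, $now));                   // untouched value
var_dump(readLoginCookieValue('43' . substr($value, 2), $now)); // UID edited by client
var_dump(readLoginCookieValue($value, $now + 7200));            // read after expiry
var_dump(readLoginCookieValue('no-separators-here', $now));     // malformed value
```

In a page handler the string from `issueLoginCookieValue()` would be passed to `setcookie()` with the `httponly` and `secure` options set, and the UID returned by `readLoginCookieValue()` should still be checked against the users table before it is trusted for anything sensitive.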