Designing Session and Authentication ...

dalecosp

I'm looking at the design of one of of properties for "v2.0". Which in terms of appearance at least will probably be about "Web 2.0" or, so [em]very[/em] 2010 ... but, whatever. I'd like some of the code behind it to at least have been thought about in a modern way.

I'm looking right now at the user/login/session/authentication systems. When you design an application, do you have separate classes for Session and Authentication, or are they combined? Or am I barking up the wrong tree ... ? 🙂

Thanks for any input you may have ...

NogDog

My initial impulse is that you would keep a "separation of concerns", unless you are positive that the Authentication class would be the only thing ever touching sessions?

halojoy

How I do it now.
I use only one class = Session. We could better call it UserSession, perhaps.
I use in this class only COOKIE and never use any SESSION variable.
In this class is also Checking for logged in, login, logout via COOKIE.
Also there are methods for AddUser, AddAdmin.

I find it practical to have it all in same Class.
Also the database connection I have moved into class UserSession.
This class include the config.php for this purpose.

The setcookie() function encrypts the value put in COOKIE.
When checking if user is logged in there is of course a decrypt.

This is my way and my personal thoughts.
I know most does it in the separate way, but for me this approach works just fine.

Weedpacket

Yes.... I handled sessions in much the same way when I was using PHP3.

Boy, was that tedious.

sneakyimp

I would say they should be separate. IIRC, default session handling in PHP is fairly involved in its own right. PHP offers the SessionHandler class so you can customize session handling and that class is complicated enough on its own. Keep in mind that the default session.save_handler is "files" -- and it's my understanding that this method of session handling can be a) insecure with default OS settings and b) a bottleneck on busy systems. In short, there are numerous fairly mind-stretching issues to be reckoned with that you might not want to mix that in with Authentication.

Authentication might involve more than just strict binary "is he or is he not authenticated" considerations. You might have Access Control Lists or some other complicated hierarchy or set-based concept of Authentication.

As always, code examples are helpful. I've been working with CodeIgniter (CI) lately and their session handling is automatic in many respects. CI is MVC so you generally write your web app's end points in Controllers. Your Controllers all extend the basic CI_Controller class. I extend this class with a couple of extra functions to encapsulate my most common authentication-related functions. In the constructor of our customized base controller, we call this function which checks session values to see if the current page request corresponds to an authenticated user:

	/**
	 * If a userid is stored in $_SESSION, this function retrieves the corresponding user
	 * object from the db and puts it in $this->user; also fetches user_profile.
	 *
	 * NOTE: this function is responsible for fetching all user-specific data upon login. Be sure to
	 * collect all such fetching here so that we can also modify the logout function to unset these
	 * values when logging a user out.
	 */
	protected function restore_user_object_from_session()
	{
		// if no $_SESSION value is defined, _get_userdata_item returns NULL
		// cast as int to prevent any funny business
		$current_userid = intval($this->get_userdata_item(self::SESSION_KEY_USER_ID));
		if ($current_userid) {
			// we have some user id! fetch the corresponding user
			$user = DB_user::fetch_by_pkey($this->db, $current_userid);
			if ($user) {
				// user found! extract important values
				$this->user = $user;
				$this->logged_in = true;
			} else {
				// no user found
				$this->user = null;
				$this->logged_in = false;
			}
		} else {
			// no user id specified
			$this->user = null;
			$this->logged_in = false;
		}

	// Get logged in user id or guest id
	$logged_in_user_id = ($this->user) ? $this->user->id : DB_db_log::GUEST_USER_ID;

	// Make user profile always available (contains user's language preference!)
	$this->user_profile = DB_user_profiles::fetch_by_userid($this->db, $logged_in_user_id);

}

We also have a function in our base controller base class that, beyond checking if a user is logged in or not, also checks if a user is authorized to perform some particular action. This function can be called from any controller method handling a page request to see if a user has some arbitrary permission.

	/**
	 * Checks whether the current session user has the specified permission. Note this will automatically return FALSE if there is no current user logged in (i.e, if $this->user is NULL)
	 *
	 * @param string $permission_name The associative key of the permission to be checked. Must be all uppercase, numbers, and underscores only.
	 *
	 * @return boolean TRUE if the current session user has permission to perform the operations specified by $permission_name
	 */
	protected function has_permission($permission_name)
	{
		return $this->ac->has_permission($this->user, $permission_name);
	}

The ac property (short name for Access Control) is a separate class from session data and it basically just checks the db for a record associating a userid with some uppercase string that names a permission, e.g., CAN_EDIT_OTHER_USERS.

It's also worth noting that some things that go into session have little or nothing to do with authentication. E.g., if you finish handling some elaborate POST operation (like me writing this post) and then want to redirect to some other page to prevent a double-post on page refreash, you can store a message in session to be retrieved and displayed on the other page to which you are redirecting. E.g, "POST 1234 successul!".