
Before using any frameworks I kept track of logged-in users using $_SESSION in PHP, and I was wondering whether there were any other ways to accomplish the same thing in a more elegant way.

I saw an answer on Stack Overflow that looked interesting.

I heard about something called tokens (which I understand to be a string) and I noticed it in the URL, but I would like to know:

  1. What is the purpose of the token?
  2. How do I generate it?
  3. Do I have to update it in the database when the user has logged out?
  4. Is it good practice to create a cookie with the token and check against it?

As far as I know users can restrict cookies being created.

...And I was wondering about the case where (for example using ZF2) I would like to restrict access for a user to certain pages if he is not logged in. I thought I could encapsulate the logic in a service class. What seems pretty redundant is that in each module where I want to use the service I would have to do a check like isUserLoggedIn() and decide what to do (if not logged in, maybe redirect to the login page), and this doesn't seem very DRY.

user3009269

2 Answers


First of all: putting login tokens in the URL (GET method) is the worst thing you can do.

If somebody else knows the URL (for example when the user shares the link or when somebody in the local network scans the requests) he will be automatically logged in without ever knowing the login credentials. Sending it as POST would increase the security here if you use HTTPS.

But generally: YES - a token is basically nothing other than a random string. So generating tokens is pretty simple - you only need to make sure that they are unique.

With your idea to save a login-token as a cookie you are on the right track BUT: This is exactly what a SESSION does. Sessions are tokens that are used to identify a user.

The post you mentioned is basically an addition to this. Sessions naturally don't do anything other than save information that is related to a user (or to be more specific: to his session id). In the post they manually added functionality to the session-based authorization by adding timeouts (automatically logged out after XX seconds) and polling strategies (the user needs to confirm that he is still alive every X seconds - otherwise he will be logged out).

Of course you can also save login/session information in your database. So you can save a token (which is the session ID within $_SESSION) and the associated information manually in this way. But by default PHP handles the "saving" of $_SESSION by itself - as you can see here. So if there is no need to create your own session handling I would recommend using PHP's own sessions.

For your ZF2 problem I would also recommend using ACLs. If you don't want to check permissions on every single page you could try to extend the routing classes or to import a simple "helper" function that does something like what is described in the post above. It checks "globally" for the privileges from the ACL and handles them dynamically for every page. So you don't need to write code (only the ACL) for every page you want to "lock".

Hope this helps! ;)

Daniel K.
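As an added example (not code from either answer) of the cookie-based token scheme the answer describes: the token is random and unique, only its hash is stored server-side, it is sent in an HttpOnly cookie rather than in the URL, and logout deletes the server-side record so the cookie value becomes worthless. The PDO connection and the login_tokens table are assumptions; an in-memory SQLite database stands in for a real one.

```php
<?php
// Added example, not from the question or answers. Assumes a PDO connection;
// an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

// Issue a token for a user who has just authenticated. Only the SHA-256 of the
// token is stored, so a leaked table does not hand out working tokens.
function issueToken(PDO $db, int $userId, int $ttlSeconds = 86400): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: unique and unguessable
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttlSeconds]);
    return $token;
}

// Look up the user for a presented token; null if unknown or expired.
function userForToken(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id, expires_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

// Logout: delete the server-side record so the cookie value is useless afterwards.
function revokeToken(PDO $db, string $token): void {
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Hand the token to the browser. HttpOnly keeps it away from page scripts,
// Secure keeps it off plain HTTP, SameSite=Lax blocks most cross-site sends.
function sendTokenCookie(string $token, int $ttlSeconds = 86400): void {
    setcookie('login_token', $token, [
        'expires' => time() + $ttlSeconds, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed walkthrough (no HTTP request here, so the cookie call is skipped).
$t = issueToken($db, 42);
var_dump(userForToken($db, $t));   // the user id the token was issued for
revokeToken($db, $t);
var_dump(userForToken($db, $t));   // null once the record is gone
```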

I am not sure if this is what you want, but there is something called ACL (Access Control Level). You can define roles, so what you meant is that all 'guests' will be redirected to the login page.

http://ivangospodinow.com/zend-framework-2-acl-setup-in-5-minutes-tutorial/

peterpeterson