Web Development with PHP and MySQL

Development of the RemindMe Service



Account Creation / Logging In

We now have a user class that lets us maintain users. How do we let these users log in or create an account? And once they're logged in, how do we keep track of who they are in a way that prevents them from pretending to be someone else?

Login/Create Account

The start page presents a simple form letting the user enter their email address and a password. If they are a new user, these will be used to create an account; otherwise they will be used to log in to their existing account. The code to log in or create a user is as follows:

	// attempt to login/create account
	if ( ($f_email_address != "") and ($f_password != "") ) {
		$l_user = new remindme_user($f_email_address);

		if ($l_user->isValidUser()) {
			// existing account: the password must match
			if ($l_user->verifyPassword($f_password)) {
				// username and password match, login
				$SUID = $l_user->getUserID();
				$STOKEN = md5($SUID . $g_md5_random_string);
			} else {
				$l_error = "You entered the wrong password for that email address.";
			}
		} else {
			// no account for this address yet: create one and log it in
			$l_user->setUserEmail($f_email_address);
			$l_user->setUserPassword($f_password);
			$l_user->update();
			if ($l_user->isValidUser()) {
				$SUID = $l_user->getUserID();
				$STOKEN = md5($SUID . $g_md5_random_string);
			} else {
				$l_error = "There was an error creating your account.";
			}
		}
	} else {
		$l_error = "You must enter both an email address and a password.";
	}

The variables $f_email_address and $f_password are the form variables created when the user submits the login form.

Maintaining State / Security

Traditionally, I've made a lot of use of the setcookie() function in PHP to record the user's identity once they've logged in. For this project I've decided to learn the built-in session handling capabilities of PHP. PHP's session management can be set to propagate the session id either in a cookie or as a GET variable passed from page to page, so it is more robust than just using cookies.

I've chosen to add code to each page using the prepend.php file that will determine if the current user is logged in or not. To do this I created a new file, check_login.php, and added it to the list of required files in prepend.php.

This file checks the current session variables to determine if the user is logged in, and sets a global boolean variable ($g_logged_in) to reflect the logged in state.

The code for the check_login.php page is:

	session_start();
	// session_register() is the PHP 4 way of marking globals to persist in
	// the session; PHP 5.4 removed it in favour of the $_SESSION array.
	session_register("STOKEN");
	session_register("SUID");

	// check for logged in: both values must be present in the session
	if (isset($STOKEN, $SUID) and ($STOKEN != "") and ($SUID != "")) {
		// recompute the token from the user id and the server-side secret;
		// the strict comparison (!==) avoids PHP's loose numeric-string rules
		if ( $STOKEN !== md5($SUID . $g_md5_random_string) )
			$g_logged_in = FALSE;
		else
			$g_logged_in = TRUE;
	} else
		$g_logged_in = FALSE;

The session_start() command indicates to PHP that we want to start/resume session management on this page.

The session_register() command in PHP is used to identify which variables you want to persist from one PHP page to the next, thus preserving state. As mentioned in the previous section, two variables are set when a user logs in, $SUID and $STOKEN.

You may have been wondering why we need two variables. After all, the $SUID variable is set to the user id, which should be enough to identify the user. You're right, it is. However, if we only use the $SUID variable, there is nothing to prevent a user from modifying the value that variable contains by manually editing their cookie. Within a few seconds a user could become any other user in the system.

That's where the $STOKEN variable comes in. We concatenate the user_id with a unique string that is only known to us ($g_md5_random_string, specified in local.php), and then apply the md5() hash function, which is one-way: the user id cannot be recovered from the result, and without the secret string nobody else can compute it. To verify that the $SUID variable contains the correct value, we perform the md5() calculation again and compare the two hashes. If they are different, someone is trying to impersonate a different user. Thanks to phpbuilder.com for this method.
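The following is an added example, not code from the RemindMe project: it pulls the token scheme used by both the login snippet and check_login.php above into two small functions so the tamper check can be exercised without a browser, a database or a live session. The secret string and the session contents are constructed stand-ins; hash_equals() is assumed to be available (PHP 5.6 and later).

```php
<?php
// Added example (not the tutorial's code): the SUID/STOKEN scheme from the
// login and check_login.php snippets, written as two functions so the
// impersonation check can be exercised stand-alone.

// Constructed stand-in for $g_md5_random_string from local.php. The real
// value must be long, random, and kept out of the web root.
$g_md5_random_string = 'constructed-secret-change-me-7f3a9c2e';

// What the login code does once a password verifies: bind the user id to a
// token that only the server (which knows the secret) can compute.
function make_login_token($user_id, $secret) {
    return md5($user_id . $secret);
}

// What check_login.php does on every page: recompute the token from the
// session's SUID and compare it to the session's STOKEN. hash_equals() is a
// strict, constant-time string comparison; a loose "!=" between two hex
// digests could be fooled by PHP's numeric-string comparison rules.
function is_logged_in($suid, $stoken, $secret) {
    if ($suid === null || $stoken === null || $suid === '' || $stoken === '') {
        return false;
    }
    return hash_equals(make_login_token($suid, $secret), $stoken);
}

// Constructed session contents, standing in for what session_register()
// would restore on the next request after a successful login.
$session = array(
    'SUID'   => '42',
    'STOKEN' => make_login_token('42', $g_md5_random_string),
);
var_dump(is_logged_in($session['SUID'], $session['STOKEN'], $g_md5_random_string));

// The scenario the text describes: the visitor edits SUID in their cookie
// but cannot update STOKEN to match, so the recomputed hash differs.
$tampered = $session;
$tampered['SUID'] = '1';
var_dump(is_logged_in($tampered['SUID'], $tampered['STOKEN'], $g_md5_random_string));

// Without the secret, a token built from the user id alone does not match either.
$forged = array('SUID' => '1', 'STOKEN' => md5('1'));
var_dump(is_logged_in($forged['SUID'], $forged['STOKEN'], $g_md5_random_string));
```

Run from the command line, the first call reports true and the other two false: only a SUID/STOKEN pair produced by the server with its secret passes. The same construction with hash_hmac() in place of a plain md5() over a concatenation is the modern equivalent of this check.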


  1. Introduction
  2. Research
  3. Data Modelling
  4. Database Access
  5. Website Design
  6. User Management
  7. Account Creation / Logging In
  8. Page Layout
  9. Reminder Events
  10. Sending Reminders
  11. Conclusion