ErkanaAuth: A non-invasive user authentication library
#71

[eluser]flosaurus[/eluser]
Thank you Mickael.

Another question, and pardon me for my "so little experience" with sessions, the authentication process and PHP in general, but just to make sure I understand: why do you check in try_session_login() if there is a session with a user_id corresponding to someone in the user table?

My question might be dumb, but once again I am quite new to this...

If I understand, every time I want to display the username on a page, I have to make 2 queries? One on the session table and one on the user table?


Thank you for your help
#72

[eluser]Michael Wales[/eluser]
tomcode
Quote:Doesn’t he need to include the Public_Controller/Admin_Controller ?
No, both of those classes are included within /application/library/MY_Controller.php, which is autoloaded if it exists. No need to include() or require() it, CI takes care of it.

Kemik
Quote:What’s the benefit of putting that code in MY_Controller?
As tomcode said - it makes it reusable. Sure, you could place that code within the __construct() of each class, but then you would have to do it for every class. This way you can accomplish the same with simply an extra 10 characters.

A more useful setup, and the one I normally use, includes 3 classes: Public_Controller (no login required, user data available if logged in), Auth_Controller (login required, user data available), and Admin_Controller (login required, admin identifier required (usually a database field), and user data available).

flosaurus
Quote:Another question, and pardon me for my “so little experience” with sessions, the authentication process and PHP in general, but just to make sure I understand: why do you check in try_session_login() if there is a session with a user_id corresponding to someone in the user table?

I believe you are looking at an older version of the code (check out this post for my newest release). I will try to form my response around that release.

Firstly, ErkanaAuth is developed assuming you are using CI's Native Session class. It will work with any session class that extends/overwrites the native, but the logic behind some of its methods has the native class in mind.

With the native class, your data isn't really stored in the database, even if you choose to use the database. Only the data that CI places within the session automatically is stored in the database - all of your custom data still goes into a cookie.

So, if you want to get some data on the currently logged in user - we'll need to get his ID. Luckily for us, ErkanaAuth took care of that. When we tried to log the user in (using try_login()) - if it was successful, ErkanaAuth placed the user's id within the 'user_id' session variable.

So, the following code (which you will find something similar within my Public_Controller and my Admin_Controller) returns a record for the currently logged in user:
Code:
$user = $this->auth->get_user($this->session->userdata('user_id'));

The get_user() function is flexible though, and can be used for all users - not just the logged in user. Let's say we have a series of posts, and each post has an author_id value. We need to get that author's username (and we weren't smart enough to use a JOIN query - lol - it's an example, get over it). Here's how that code would look:
Code:
// This imaginary method returns an object of objects, containing my posts
$posts = $this->posts->get_all();
foreach ($posts as $post) {
  $author = $this->auth->get_user($post->author_id);
  echo 'Post Author is: ' . $author->username;
}

So, all in all, yes - if you are using a class that stores the entire session within the database. Yes, you will end up querying the database twice if you call get_user() passing a session based ID.

If you are doing that, the only way I can see to reduce your queries is to:
1) Store all of the user's data within the session table - a bad idea - and then modify ErkanaAuth to use that rather than the users table.
2) Extend the session class you are using to JOIN with the users upon selection of the id field.

Honestly, I don't think it's that big of a deal. You should only be calling get_user() once per method for the currently logged in user, so you are merely adding one more database call as overhead (the call to retrieve the user_id from session). If you are calling get_user() more than once, you can definitely refactor your code to eliminate that or even establish a class variable within the parent controllers (the ones that extend Controller) to store the session-based user_id. Then, pass the class variable to get_user() rather than the session call.

You would still have one extra database call, as overhead, but it wouldn't be 2 calls each time you are calling get_user().
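
An added illustration (not part of Michael Wales's post and not ErkanaAuth's own code) of the three access tiers and the once-per-request user lookup discussed above. It runs stand-alone: FakeAuth, Gate, the is_admin field and the sample users are hypothetical stand-ins for the library, the parent controllers and the users table; only get_user() and the user_id session key come from the thread.

```php
<?php
// Stand-alone sketch. FakeAuth stands in for the auth library, Gate for the
// Public/Auth/Admin parent controllers. All names here are hypothetical
// except get_user() and the 'user_id' session key.
class FakeAuth {
    public $queries = 0;   // counts simulated database calls
    private $users;        // constructed sample rows standing in for the users table
    function __construct() {
        $this->users = array(
            1 => (object) array('id' => 1, 'username' => 'alice', 'is_admin' => 0),
            2 => (object) array('id' => 2, 'username' => 'bob',   'is_admin' => 1),
        );
    }
    // Behaviour described in the thread: a user object, or FALSE if no such user.
    function get_user($id) {
        $this->queries++;
        return isset($this->users[$id]) ? $this->users[$id] : FALSE;
    }
}

class Gate {
    private $auth;
    private $session;
    private $user = NULL;  // NULL = not looked up yet in this request
    function __construct($auth, array $session) {
        $this->auth = $auth;
        $this->session = $session;
    }
    // The session only carries an id; the users table decides whether it is
    // still valid. The result is kept in a class variable, so there is one lookup.
    function user() {
        if ($this->user === NULL) {
            $id = isset($this->session['user_id']) ? $this->session['user_id'] : FALSE;
            $this->user = ($id === FALSE) ? FALSE : $this->auth->get_user((int) $id);
        }
        return $this->user;
    }
    function allow_public() { return TRUE; }                       // no login required
    function allow_auth()   { return $this->user() !== FALSE; }    // login required
    function allow_admin()  {                                      // login + admin flag
        return $this->user() !== FALSE && (int) $this->user()->is_admin === 1;
    }
}

$auth = new FakeAuth();
// Constructed sessions: none, normal user, admin, and an id with no matching row.
foreach (array(array(), array('user_id' => 1), array('user_id' => 2), array('user_id' => 99)) as $session) {
    $gate = new Gate($auth, $session);
    printf("%-16s public=%d auth=%d admin=%d\n", json_encode($session),
        $gate->allow_public(), $gate->allow_auth(), $gate->allow_admin());
}
echo "get_user() calls: {$auth->queries}\n";
```

The session carrying user_id 99 is refused at the auth and admin tiers because the id no longer maps to a row, which is the reason for checking the users table rather than trusting the session value alone.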
#73

[eluser]tomcode[/eluser]
Thanks Michael, I didn't read carefully enough.
Quote:application/libraries/MY_Controller.php

Edit 17 January:
Had only now time to try Your surfin' the class hierarchy. This is really hot stuff. Thank You man, my controllers look really empty now.

It's a pleasure to follow this thread.
#74

[eluser]flosaurus[/eluser]
Thanks a lot, Michael!
I'll stick to your new example and use CI native sessions without database but encrypted cookies.
Is it secure enough for a small web app?


If I understand the process, to display the user name (if logged in) on a front page I should do it like that?

Controller : welcome.php
Code:
<?php
class Welcome extends Public_Controller {

  function __construct() {
    parent::Public_Controller();
    $this->output->enable_profiler(TRUE);
  }

  function index() {
    if($this->data->user == true) {
      $this->data->display_name = $this->data->user->first_name . ' ' . $this->data->user->last_name;
    }
    $this->load->view('welcome_message',$this->data);
    
    return;
  }
}

?>


View : welcome_message.php
Code:
<?php
if(isset($display_name)) {
?>
<p>Welcome, <?= $display_name; ?>. </p>
<?php
}
?>

It should show the welcome message when logged in and nothing when not logged in.

Thank you for your help
#75

[eluser]Michael Wales[/eluser]
That looks pretty good flo - one thing I would look out for is the following line in your code:
Code:
if($this->data->user == true) {

I'm pretty sure PHP will evaluate this as you expect but logically it's an invalid statement.

$this->data->user will either be an object, containing user information (if that user exists) or FALSE. So, to be absolutely correct within your code (and avoid any obscure PHP screw-ups), test for FALSE.

Use the code below:
Code:
function index() {
  // Test for an explicit FALSE (not 0, not unset, only FALSE)
  if ($this->data->user !== FALSE) {
    // We've added first_name and last_name columns to the users table, and since we have a user
    // that data is now in the $this->data->user object. Let's get their full name so we can show
    // it to them.
    $this->data->display_name = $this->data->user->first_name . ' ' . $this->data->user->last_name;
  }
  // Pass the data object to the view
  $this->load->view('welcome_message', $this->data);
  return;
}
#76

[eluser]Kemik[/eluser]
Is it worth me starting to use this now or will you be releasing the edited/updated version soon?

Thanks
#77

[eluser]Michael Wales[/eluser]
Kemik: If you want to use the latest version, that I use on all of my projects, see this post.

I don't see where I will be performing any more updates to this library - it works perfectly for me and I can't think of anything else I would want in it.
#78

[eluser]hotmeteor[/eluser]
Hey Michael

This is a fantastic library. However, I'm having some bizarre issue where it won't load the library?! I've copied and pasted both your auth.php library and your MY_Controller.php, but I keep getting this error:

Code:
Fatal error: Call to undefined function get_user() in <my-application-location>/system/application/libraries/MY_Controller.php on line 6

Any ideas? I've tried both auto-loading it as well as calling it in place.
#79

[eluser]Michael Wales[/eluser]
Ensure that the function is in fact called get_user() within auth.php. There are some versions floating around that use getUser() - I renamed this function later on to comply with the EE development standards.

I'll be posting a complete package of my standard development suite on my blog tonight - which will include the following:
- Asset Helper
- xHTML Helper
- Auth Library
- MY_Validation
- MY_Controller
#80

[eluser]Michael Wales[/eluser]
As promised, my CodeIgniter Development Pack has been posted.



