CHAPTER 11 – Example: Auth with DB and User Data
This example builds on the previous one by looking the user name and password up in a database; the login form itself is supplied by a callback function built with HTML_QuickForm. In addition, you learn how to attach additional user-related information to the login session, and how to implement auto-expiring login sessions. To give you a better idea of how the login information is stored in the session, here is an example of Auth session data:
    $_SESSION["_authsession"] = array(
        "data"       => array(),
        "registered" => 1,
        "username"   => "guest",
        "timestamp"  => 1075642673,
        "idle"       => 1075643017,
    );

The PHP session variable that holds the Auth session is always called _authsession. The keys within this array are shown in Table 11.5.

Table 11.5 Auth Session Variables

Key Name    Description
data        Where user-provided Auth session data is stored. It can be set directly with setAuthData(), or loaded from the database when the db_fields option of Auth_Container_DB is specified.
registered  Always set to TRUE when the user is logged in.
username    Holds the username.
timestamp   Contains time() at the moment the user logged in.
idle        Contains time() of the last session activity.

Note: The password is not stored in the session. It does not have to be: the user is already authenticated. The session only contains information that was retrieved upon successful authentication, and some that is updated on every request after authentication (such as idle and, optionally, data).
This session array is just part of what goes on behind the scenes; you never need to deal with it directly. Seeing it is useful to better understand how Auth works. For example, to expire the user's login after N hours, Auth compares the timestamp session variable with the lifetime set through setExpire(). In addition, to expire the user's login after N minutes of inactivity, Auth compares the idle session variable with the limit set through setIdle(); both limits are given in seconds. Here is the code:

    <?php
    require_once 'DB.php';
    require_once 'PEAR.php';
    require_once 'Auth.php';
    require_once 'HTML/QuickForm.php';

    $auth_options = array(
        'dsn'         => 'mysql://test@localhost/test',
        'table'       => 'users',
        'usernamecol' => 'username',
        'passwordcol' => 'password',
        'db_fields'   => '*',   // copy every other column of the user's row into the session's "data"
    );

    PEAR::setErrorHandling(PEAR_ERROR_DIE);

    $auth = new Auth('DB', $auth_options, 'login_function');
    $auth->start();

    if (!$auth->getAuth()) {
        exit;
    }

    // PHP_SELF comes from the request URL, so escape it before echoing it into HTML
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

    if (!empty($_REQUEST['logout'])) {
        $auth->logout();
        print "<h1>Logged out</h1>\n";
        print "<a href=\"$self\">Log in again</a>\n";
        exit;
    }

    print "<h1>Logged in!</h1>\n";

    if (!empty($_REQUEST['dump'])) {
        print "<pre>_authsession = ";
        print_r($_SESSION['_authsession']);
        print "</pre>\n";
    } else {
        print "<a href=\"$self?dump=1\">Dump session</a><br>\n";
    }

    print "<a href=\"$self?logout=1\">Log Out</a>\n";

    // --- execution ends here ---

    function login_function()
    {
        $form = new HTML_QuickForm('login', 'POST');
        $form->addElement('text', 'username', 'User name:', 'size="10"');
        $form->addRule('username', 'Please enter your user name!', 'required', null, 'client');
        $form->addElement('password', 'password', 'Password:');
        $form->addElement('submit', 'submit', 'Log In!');
        $form->display();
        exit;
    }

One difference from the previous example is that a different Auth container (DB) is specified.
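The following is an added example, not code from the book or from PEAR Auth: it reproduces, on the _authsession array shown above, the two decisions Auth makes from timestamp and idle, so the expiry logic can be exercised without a database or a browser. The function name auth_session_status and the sample values are assumptions for illustration; in a real page you would not write this check yourself but call $auth->setExpire() and $auth->setIdle() before $auth->start().

```php
<?php
// Added example (not from the book or PEAR Auth): the expire/idle decision
// made from the _authsession array, written out as a plain function.

// Constructed sample session, shaped like the array dumped by the chapter's page.
$session = array(
    'data'       => array(),
    'registered' => true,
    'username'   => 'guest',
    'timestamp'  => 1075642673,   // time() at login
    'idle'       => 1075643017,   // time() of the last request that touched the session
);

/**
 * Return null while the session is still valid, otherwise the reason it
 * should be ended. $expire and $idle are limits in seconds; 0 disables a
 * check, mirroring the meaning of Auth::setExpire() and Auth::setIdle().
 * $now is passed in so the function can be exercised with fixed clocks.
 */
function auth_session_status(array $session, $expire, $idle, $now)
{
    if (empty($session['registered'])) {
        return 'not logged in';
    }
    // Absolute lifetime: measured from the login timestamp, which never changes.
    if ($expire > 0 && isset($session['timestamp'])
        && $session['timestamp'] + $expire < $now) {
        return 'expired';
    }
    // Inactivity: measured from the idle value, which Auth refreshes on every request.
    if ($idle > 0 && isset($session['idle'])
        && $session['idle'] + $idle < $now) {
        return 'idled';
    }
    return null;
}

// One hour absolute lifetime, ten minutes of inactivity allowed.
$expire = 3600;
$idle   = 600;

// Clock set five minutes after the last activity: inside both limits.
var_dump(auth_session_status($session, $expire, $idle, $session['idle'] + 300));

// Clock set fifteen minutes after the last activity: past the idle limit.
var_dump(auth_session_status($session, $expire, $idle, $session['idle'] + 900));

// Two hours after login with the idle value refreshed a minute ago: the absolute
// lifetime is exceeded even though the user has been active.
$fresh = $session;
$fresh['idle'] = $session['timestamp'] + 7200 - 60;
var_dump(auth_session_status($fresh, $expire, $idle, $session['timestamp'] + 7200));
```

The point the third case makes is that the two limits are independent: an attacker who has taken over a session cannot keep it alive indefinitely by sending periodic requests, because the timestamp check does not move with activity. Note that this check only ends the login; the PHP session itself, and anything else stored in it, is untouched unless the page also destroys it.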
The second parameter to the Auth constructor is container-specific, and in the case of Auth_Container_DB it contains an array with the DSN (data source name, DB's way of specifying a database to connect to), as well as which table and which fields in the table to use for looking up the username and password. By default, Auth_Container_DB expects to find the stored password as an MD5 hash, but the cryptType option lets you name any function that is applied to the submitted password before it is compared with the database value. Because that function receives only the submitted password, it must be deterministic (the same input always yields the same output); a salted scheme whose output differs on every call cannot be plugged in this way. Keep in mind that an unsalted MD5 column is cheap to crack if the users table ever leaks, so the default should be treated as the minimum, not as a recommendation.
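The following is an added example, not code from the book or from PEAR Auth: it shows the contract a cryptType function has to satisfy, and what db_fields => '*' pulls into the session, against a constructed users row instead of a real database. The function names sha256_password and container_style_check, the row contents and the email column are assumptions for illustration; the container itself performs the comparison internally, this only reproduces its shape.

```php
<?php
// Added example (not from the book or PEAR Auth): the comparison performed when
// Auth_Container_DB has a 'cryptType' function configured, against a constructed row.

// Constructed row, as "SELECT * FROM users WHERE username = 'guest'" would return it.
// With db_fields => '*' every column other than the password ends up in the
// session's "data" array, so do not keep anything there you would not want in the session.
$row = array(
    'username' => 'guest',
    'password' => hash('sha256', 'secret'),   // stored as a deterministic SHA-256 hash (assumed)
    'email'    => 'guest@example.com',        // extra column, exposed through db_fields => '*'
);

/**
 * Function named in the 'cryptType' option. The container calls it with the
 * submitted password only and compares the result with the stored column, so it
 * must take a single argument and return the same value for the same input.
 */
function sha256_password($password)
{
    return hash('sha256', $password);
}

/**
 * Reproduces the shape of the container's check: hash the submitted password with
 * the configured function and compare with the stored column. hash_equals() is
 * used here for a constant-time comparison; it is this example's choice, not a
 * statement about how the container compares strings.
 */
function container_style_check(array $row, $submitted, $cryptType)
{
    $hashed = call_user_func($cryptType, $submitted);
    return hash_equals($row['password'], $hashed);
}

$options = array(
    'dsn'         => 'mysql://test@localhost/test',
    'table'       => 'users',
    'usernamecol' => 'username',
    'passwordcol' => 'password',
    'db_fields'   => '*',
    'cryptType'   => 'sha256_password',   // replaces the default md5
);

var_dump(container_style_check($row, 'secret', $options['cryptType']));   // correct password
var_dump(container_style_check($row, 'wrong', $options['cryptType']));    // wrong password

// A salted, randomised scheme such as password_hash() cannot be dropped in through
// cryptType: verifying it needs the stored hash as a second input
// (password_verify($submitted, $stored)), which the cryptType function never receives.
```

Both the default md5 and the sha256_password function above are fast, unsalted hashes; they make the stored value unreadable at a glance but do little to slow down an offline attack on a leaked table. If that matters for your deployment, the comparison has to move out of cryptType and into a custom container that can use a salted, slow hash.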