- User Guide Home
- Installation
-
Auth Configuration
- Internal Auth Config
- General Settings
- Session / Cookie Settings
- Validation / Security Settings
- Email Settings
- Status / Error Messages
- Define Language
- Database Tables and Columns
- Primary User Account Table
- Custom User Account Tables
- User Group Table
- User Privilege Table
- User Privilege Users Table
- User Privilege Groups Table
- User Login Session Table
-
Functions List
- Login / Validation
- Login / Captcha Functions
- Validation Functions
- User Functions
- User Account Functions
- User Group Functions
- User Privilege Functions
- Utility Functions
- Email Functions
- Status / Error Messages
- Customising SQL Statements
- Change Log
User Guide | User Login Session and Cookie Configuration
The key concept of the flexi auth library is to give the developer a toolbox of functions that they can use to build a user authentication system matching the custom specifications required by their site.
One of the ways that the library enhances the customisation of the authentication system is by allowing many of the internal library settings to be defined by the developer via the libraries config file.
User Login Session and Cookie Configuration
Login Index | Login reCAPTCHA Config | Login Functions | Login CAPTCHA FunctionsConfig Setup Information
Table and Config File Settings
User Login Session Table | User Login Session/Cookie Settings | Session Names | Cookie Names
Help with the Table Configuration
Show / Hide HelpConfig Name: The name that flexi auth internally references the config setting by.
Default: The default value set within the config file.
Data Type: The data type that is expected by the config setting.
- bool : Requires a boolean value of 'TRUE' or 'FALSE'.
- string : Requires a textual value.
- int : Requires a numeric value. It does not matter whether the value is an integer, float, decimal etc.
- array : Requires an array.
- datetime : Requires a datetime value. Typically either a MySQL DATETIME (2000-12-31 12:00:00) or UNIX timestamp (1234567890)
Config File Location
The config file is located in CodeIgniters 'config' folder and is named 'flexi_auth.php'.
Schema Diagram : User Login Session Table
A database table schema diagram, showing how the user login session table is related to the primary user account table.
Note: Table and columns names are defined using their config names referenced within the config file. The names within brackets are the default demo names.
User Login Session Table
The user login session table is used to validate user login credentials.
For security purposes, if a users credentitals do not match those stored within the table, the user is automatically logged out.
The login session feature is based on a technique put forward by two articles by Charles Miller and Barry Jaspan.
Charles Miller's 'Best Practices' article.
Barry Jaspan's Improved Best Practices.
Table and Column Setup
Help| Config Name | Default | Data Type | Description |
|---|---|---|---|
| table | user_login_sessions | - | The tables name. |
| join | user_login_sessions.usess_uacc_fk | - | The tables foreign key used to join with foreign keys of other tables. |
| identifier | usess_uacc_fk | int | Defines the user id that the login session is associated with. |
| series | usess_series | string |
Defines an authentication token that was issued to a user who logged in using the 'Remember me' feature. This is the 'series' token referred to by Barry Jaspan. |
| token | usess_token | string | Defines an authentication token that is validated and then re-issued to a user everytime their login session is verified. |
| date | usess_login_date | datetime | Defines the date that the token(s) were issued. |
Notes
The user login session table should not be confused with the CodeIgniter session table name 'ci_sessions'.
The ci_sessions table is natively used by CodeIgniter to store and relate large amounts of data with a browser session. Whilst the user login session table used by flexi auth specifically manages the authentication of tokens set by the library within a browser session. If the tokens within the table and browser session do not match properly, the users login session is terminated.
Both of the tables are required by flexi auth to function properly.
Example
// Defining the table, join and column names.
$config['database']['user_sess']['table'] = 'user_login_sessions';
$config['database']['user_sess']['join'] = 'user_login_sessions.usess_uacc_fk';
$config['database']['user_sess']['columns']['user_id'] = 'usess_uacc_fk';
User Login Session/Cookie Settings
Define how the library handles the behaviour of login sessions and cookies.
Table and Column Setup
Help| Config Name | Data Type | Default | Description |
|---|---|---|---|
| validate_login_onload | bool | true |
Set whether login details are validated on every page load. true = Login credentials are validated against the database everytime a page is loaded, invalid users are logged out automatically. false = Login credentials are validated only once at time of login and will not expire until CI sessions expire (Defined via CI config file). |
| login_session_expire | int | 60*60*3 |
Set the lifetime of a user login session in seconds.
Example: 60*30 = 30 minutes, 60*60*24 = 1 day, 86400 = 1 day, 0 = Unlimited. Note: Used when |
| extend_login_session | bool | true |
Set whether a users login time is extended when their session token is validated (On every page load). Note: Used when |
| logout_user_onclose | bool | true |
Set whether a user is logged out as soon as the browser is closed.
Creates a cookie with a 0 lifetime that is deleted when the browser is closed. Note: Used when |
| unset_password_status_onclose | bool | true |
Set whether a user has their 'logged in via password' status removed as soon as the browser is closed.
If the user enabled the 'Remember me' feature on login, and their session is still valid, they will have a 'logged in via "Remember me"' status on their next visit. If this setting is not enabled, a user who has logged in via password will have the same login status if they close the browser and revisit the site before the login session expires ('login_session_expire').
Creates a cookie with a 0 lifetime that is deleted when the browser is closed. Note: Used when |
| user_cookie_expire | int | 60*60*24*14 |
Set the lifetime of a users login cookies in seconds, this includes the 'Remember me' cookies. Example: 60*60*24 = 24 hours, 60*60*24*14 = 14 days, 86400 = 1 day. |
| extend_cookies_on_login | bool | true |
Set whether a users 'Remember me' login cookies have their lifetime extended when their session token is validated. |
Login Cookie and Session Settings
// Defining whether login details are validated on every page load. $config['security']['validate_login_onload'] = TRUE; // Defining the lifetime of a user login session in seconds. $config['security']['login_session_expire'] = 60*60*3; // Defining whether a users login time is extended when their session token is validated (On every page load). $config['security']['extend_login_session'] = TRUE; // Defining whether a user is logged out as soon as the browser is closed. $config['security']['logout_user_onclose'] = TRUE; // Defining whether a users 'logged in via password' status is removed as soon as the browser is closed. $config['security']['unset_password_status_onclose'] = TRUE; // Defining the lifetime of a users login cookies in seconds, this includes the 'Remember me' cookies. $config['security']['user_cookie_expire'] = 60*60*24*14; // Defining whether a users 'Remember me' login cookies have their lifetime extended when their // session token is validated. $config['security']['extend_cookies_on_login'] = TRUE;
Session Names
flexi auth uses CI sessions to store and serve authentication data between pages loads.
All flexi auth session data is stored together within one session array, this helps maintain a tidy session structure.
If required, the name of each session within the flexi auth library can be defined.
// Auth Session Name. // Set the root auth session name saved as an array in the CI session, // all other flexi auth session data is then stored within this array. $config['sessions']['name'] = 'flexi_auth'; // Primary User Indentifier Session. // Contains the $config['database']['settings']['primary_identity_col'] config column value. // This value is then used to internally identify the user when performing CRUD functions. $config['sessions']['user_identifier'] = 'user_identifier'; // User Account Data Sessions. // Used for performing various CRUD functions. $config['sessions']['user_id'] = 'user_id'; $config['sessions']['is_admin'] = 'admin'; $config['sessions']['group'] = 'group'; $config['sessions']['privileges'] = 'privileges'; // Login Via Password. // Indicate whether the user logged in via entering a password or was logged in automatically // via the 'Remember me' function. $config['sessions']['logged_in_via_password'] = 'logged_in_via_password'; // Login Session Token. // The login session token is used to help validate a users login credentials against a stored database token. // Note: Only used when "$config['security']['validate_login_onload'] = true" has been defined. $config['sessions']['login_session_token'] = 'login_session_token'; // Math Captcha Flash Session. // Used to store the answer of a math captcha question, this data is stored only in a CI flash session // and so will only be available on the next page and is then deleted. $config['sessions']['math_captcha'] = 'math_captcha';
Cookie Names
flexi auth uses cookies to store and serve authentication data for the next time a user visits the website.
If required, the name of each cookie within the flexi auth library can be defined.
// 'Remember me' Cookies. // Used to store 'Remember me' data to automatically log a user in next time they visit the website. $config['cookies']['user_id'] = 'user_id'; $config['cookies']['remember_series'] = 'remember_series'; $config['cookies']['remember_token'] = 'remember_token'; // Login Session Cookie. // The cookie login session token is used to invalidate a users login session when they close their // browser by deleting itself. // Note: Only used when "config['security']['validate_login_onload'] = TRUE" and // "$config['security']['logout_user_onclose'] = TRUE" have been defined. $config['cookies']['login_session_token'] = 'login_session_token'; // Login Via Password Cookie. // The login via password cookie token is used to invalidate a users 'logged in via password' status // when they close their browser by deleting itself. // Note: Only used when "config['security']['logout_user_onclose'] = FALSE" has been defined. $config['cookies']['login_via_password_token'] = 'login_via_password_token';
Copyright © 2024, Rob Hussey, All Rights Reserved.
flexi auth was designed and developed by
