wrichards8 wrote:You should probably have the users' ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.
That could be easy to fake, depending on how the profile pages etc. are set up: a user ID and username that appear in public URLs or page markup are not secrets, so an attacker who can write to the session (or who guesses them) gains nothing less than a legitimate login would. The session should hold a value only the server knows, bound to the user row.
The way I chose to do this in the end was:
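[syntax=php]public static function login($param1 = null, $password = null)
{
    // Authenticates a user by e-mail address or username plus password and,
    // on success, binds the PHP session to a freshly generated per-login key
    // that is also stored in login_sessions. Returns true on success, false
    // on missing input or failed credential check.
    //
    // $param1   e-mail address or username exactly as submitted (untrusted).
    // $password plaintext password as submitted (untrusted); verified by
    //           self::check_credentials(), which is defined elsewhere.
    //
    // NOTE(review): $dbh is not defined inside this method in the original
    // either; it must be a PDO instance reachable from here (e.g. a class
    // property or injected connection) - confirm before shipping.
    if (!isset($param1, $password)) {
        return false;
    }

    // Decide which credential column to check. filter_var() returns the
    // validated address or false - it never returns true, so the original
    // `=== true` test could never match and the e-mail branch was dead code.
    // The constant is FILTER_VALIDATE_EMAIL (FILTER_VARIABLE_EMAIL does not exist).
    $email = filter_var($param1, FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $column = 'email';
        $identifier = $email;
    } else {
        $column = 'username';
        $identifier = $param1;
    }

    // Pass the raw identifier: escaping belongs to the parameterised query
    // below, and $dbh->quote() would wrap the value in quotes and so change
    // what check_credentials() / getUserId() compare against.
    if (self::check_credentials($column, $identifier, $password) !== true) {
        return false;
    }

    // Same identifier in both branches (the original looked up $email even
    // when the user had logged in by username, where $email was undefined).
    $userid = self::getUserId($identifier);

    // Defeat session fixation: a session id the browser held before
    // authenticating must not survive the privilege change.
    session_regenerate_id(true);

    // Per-login key. uniqid() is clock-derived and guessable; random_bytes()
    // is a CSPRNG. hmac_hash() does not exist and hash_hmac() needs a secret
    // key that is not in scope, so a plain SHA-256 of the random value is used.
    // Whatever later compares $_SESSION['ukey'] with the stored row should use
    // hash_equals() rather than == / ===.
    $key = hash('sha256', random_bytes(32) . $userid);

    // One active session per user: remove old rows, then insert the new key.
    // Prepared statements replace the string-built SQL; PDO::query() already
    // executes, so the original's extra ->execute() ran each statement twice.
    // `key` is a reserved word in MySQL and needs backticks; the original
    // "SET a = x and b = y" form is not valid INSERT syntax.
    $sth = $dbh->prepare('DELETE FROM login_sessions WHERE user_id = :uid');
    $sth->execute([':uid' => $userid]);
    $sth = $dbh->prepare('INSERT INTO login_sessions (user_id, `key`) VALUES (:uid, :key)');
    $sth->execute([':uid' => $userid, ':key' => $key]);

    $_SESSION['ukey'] = $key;
    $_SESSION['username'] = self::getUsername($userid);
    return true;
} [/syntax]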