Your code looks to be doing everything right as far as authentication goes. Maybe you have a problem with cookies? (session ids are kept in cookies)
Also, take notice that it is not recommended to store the password in the session (nor to store it in clear text in the database).
You can prevent the result object from storing the password by passing a couple of arguments to the getResultRowObject method
That's the whole point of storing the identity in the session - if the user has an identity, he has already been authenticated. Of course you need to watch out for the usual attacks such as identity theft and cross-site scripting, but storing the password in the session is even worse - it allows an attacker that gains control of it to authenticate himself as the user he stole the password from.
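The flow the two replies above describe (authenticate once, keep the identity but not the credential in the session) in Zend Framework 1 code. This is an added example, not code posted in the thread; it assumes ZF1 on the include path, a `Zend_Db` adapter `$db`, and a hypothetical `users` table whose `password` column holds a hash written with the same treatment passed to the adapter:

```php
<?php
// Added example: log in with Zend_Auth's DbTable adapter and keep only the
// non-secret columns in the session. Table and column names are assumptions.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/DbTable.php';

function login(Zend_Db_Adapter_Abstract $db, $username, $password)
{
    // The DbTable adapter compares the credential inside the SQL WHERE clause,
    // so the treatment must match how the column was written when the user
    // registered. It must never be compared against a clear-text column.
    $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', 'SHA1(?)');
    $adapter->setIdentity($username)->setCredential($password);

    $auth   = Zend_Auth::getInstance();
    $result = $auth->authenticate($adapter);
    if (!$result->isValid()) {
        // Failure codes (FAILURE_IDENTITY_NOT_FOUND, FAILURE_CREDENTIAL_INVALID, ...)
        // are available via $result->getCode(); do not echo them to the user.
        return false;
    }

    // First argument: columns to return (null = all); second: columns to omit.
    // The password hash therefore never reaches the session storage.
    $identity = $adapter->getResultRowObject(null, 'password');
    $auth->getStorage()->write($identity);
    return true;
}

// On later requests the presence of an identity is the proof of authentication;
// nothing is re-checked against the database.
function currentUser()
{
    $auth = Zend_Auth::getInstance();
    return $auth->hasIdentity() ? $auth->getIdentity() : null;
}

function logout()
{
    Zend_Auth::getInstance()->clearIdentity();
}
```

Because the comparison runs in SQL, the credential treatment is limited to database expressions such as `SHA1(?)`, which is unsalted and fast. A slow, salted hash (bcrypt via `password_verify()`) needs a small custom adapter implementing `Zend_Auth_Adapter_Interface` that fetches the row and verifies in PHP; the session-handling part above stays the same.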
You're right, I was still too focused on the way I did it previously (using cookies with hashed username+pass). I'll check if I'll stay logged in when I'm not re-authenticating on every page load.
Unfortunately, I'm still being logged out if I don't reload the page every x hours... I would like to keep the session active for as long as I don't close my browser. Even if the PC goes in standby mode, as long as IE or FF has the tab open, it should not log me out. Is there another setting I forgot about? Any ideas?
I've done some more testing... Is it possible that having multiple tabs open is causing me to be logged out? Could this be a side-effect of calling RememberMe() which triggers regenerateId()?
If you are only logging in once, that shouldn't be a problem - the session applies to all the tabs of the browser. Don't perform separate logins in different tabs; simply refresh the browser after logging in in another tab.
Are you storing the sessions in the database or as files? I would guess they are being destroyed on the server side by the garbage collection routine. Storing them (the sessions) in the database can avoid this problem.
Storing the sessions in the database kind of defeats the purpose, no? The whole idea is have some limited persistence without hitting the database with queries.
Deciding where to store sessions is really dependent on specific requirements. If timeouts or multiple servers are involved, writing them to the file system doesn't really work. If heavy traffic is involved, writing them to the database becomes impractical. At that point you can start looking into alternative solutions such as memcache.
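The two knobs the thread circles around (how long the server keeps a session before garbage collection, and where it keeps it) set explicitly, as an added example rather than code from any poster. It assumes ZF1, a `Zend_Db` adapter `$db`, and a hypothetical `session` table with the columns the `Zend_Session_SaveHandler_DbTable` manual example uses:

```php
<?php
// Added example: bootstrap session lifetime and storage before Zend_Session::start().
// The table layout (id, modified, lifetime, data) is an assumption taken from the
// ZF1 manual; adapt the names to your schema.
require_once 'Zend/Session.php';
require_once 'Zend/Session/SaveHandler/DbTable.php';

function bootstrapSession(Zend_Db_Adapter_Abstract $db, $serverLifetimeSeconds)
{
    // cookie_lifetime 0 = browser-session cookie (dies when the browser closes),
    // which is what the original poster asked for. gc_maxlifetime is the server-side
    // limit: a session idle longer than this is eligible for garbage collection no
    // matter what the cookie says, so set it at least as long as you want to stay
    // logged in between page loads.
    Zend_Session::setOptions(array(
        'cookie_lifetime'  => 0,
        'gc_maxlifetime'   => $serverLifetimeSeconds,
        'cookie_httponly'  => true,   // keeps the id away from document.cookie (XSS)
        'use_only_cookies' => true,   // never accept the id from the URL
    ));

    // Database-backed storage: shared by every web server, and the expiry is a row
    // timestamp rather than a file mtime on one box. The 'lifetime' value in the
    // row defaults to gc_maxlifetime when not set.
    $config = array(
        'name'           => 'session',
        'primary'        => 'id',
        'modifiedColumn' => 'modified',
        'dataColumn'     => 'data',
        'lifetimeColumn' => 'lifetime',
        'db'             => $db,
    );
    Zend_Session::setSaveHandler(new Zend_Session_SaveHandler_DbTable($config));
    Zend_Session::start();
}

function onSuccessfulLogin()
{
    // Issue a fresh id once the user is authenticated so a pre-login id handed to the
    // victim (session fixation) is worthless. Call this once, not on every page load.
    Zend_Session::regenerateId();
}
```

`Zend_Session::rememberMe($seconds)` also calls `regenerateId()` and turns the cookie into a persistent one with the given lifetime; calling it on every request in several tabs is what produces the "one tab logs the other out" effect described earlier, because each call replaces the id the other tab still holds.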