A few months ago I threw myself into the world of OOP. I've written a few classes since, but this is my first attempt at something I'm actually going to use in one (and hopefully more) of my projects. I'm aware that my OOP design theory isn't the best. I would like feedback on possible improvements to the methods, possible security flaws, and performance issues (are there any obvious resource hogs?).
<?php
/** class Auth **/
# Description = Authentication module for users.
# Dependency = class.MySQL
# Last modified = 23 January
require_once('lib/class.MySQL.php');
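class Auth {
    /** Maximum number of authenticate() calls per PHP session before further attempts are refused. */
    const MAX_LOGIN_TRIES = 10;
    /** Seconds of inactivity after which a user_session row is purged by reAuthenticate(). */
    const INACTIVITY_TIMEOUT = 300;

    /** @var string|false Username as given by the caller, already passed through DB::escape(). */
    private $userName;
    /** @var string|false Plain-text password until authenticate() replaces it with its hex digest. */
    private $pwd;
    /** @var string Client address (DB-escaped) that the session row is bound to. */
    private $user_ip;
    /** @var DB Database wrapper from lib/class.MySQL.php. */
    private $db;
    /** @var mixed User id taken from the session, or found by authenticate(); null when unknown. */
    private $user_id;
    /** @var int Unix timestamp taken when the object was created; used for the inactivity check. */
    private $time_stamp;
    /** @var string Current PHP session id (DB-escaped). */
    private $session_id;

    /**
     * Constructor.
     *
     * @param string|false $userName Username from the login form (false when not logging in).
     * @param string|false $pwd      Plain-text password from the login form (false when not logging in).
     */
    public function __construct($userName = false, $pwd = false) {
        $this->db = new DB(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        // The username is interpolated into SQL later, so it is escaped once here.
        // NOTE(review): this also means the escaped form is what later ends up in the
        // lastUser cookie and the Location header in doLogin(); confirm the username
        // charset allowed at registration makes that harmless.
        $this->userName = $this->db->escape($userName);
        // The password never reaches SQL as typed: authenticate() replaces it with a hex digest.
        $this->pwd = $pwd;
        // REMOTE_ADDR is absent on the CLI; fall back to '' instead of raising a notice.
        $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $this->user_ip = $this->db->escape($remoteAddr);
        $this->time_stamp = time();
        $this->session_id = $this->db->escape(session_id());
        // Anonymous visitors have no user_id in the session; the unguarded read raised a notice.
        // The value is escaped as well because reAuthenticate() and logout() interpolate it into SQL.
        $this->user_id = isset($_SESSION['user_id']) ? $this->db->escape($_SESSION['user_id']) : null;
    }

    /**
     * Handles a login attempt.
     *
     * Writes one or more messages into $_SESSION['error'] on failure; on success
     * delegates to doLogin(), which redirects and never returns.
     *
     * The attempt counter lives in the PHP session, so it only throttles a client
     * that keeps the same session cookie between attempts; a server-side counter
     * keyed on the account would be needed for a real lockout.
     */
    public function authenticate() {
        // First call in a session leaves the counter at 0; every later call adds one.
        // A successful login resets it below.
        if (!isset($_SESSION['loginTries'])) {
            $_SESSION['loginTries'] = 0;
        } else {
            $_SESSION['loginTries']++;
        }

        // Bug fix: the original only chained this check to the username check, so a
        // request that carried a password still reached the database query after the
        // limit was exceeded. Stop here instead.
        if ($_SESSION['loginTries'] > self::MAX_LOGIN_TRIES) {
            $_SESSION['error']['tries'] = "För många försök. Spärrat.";
            return;
        }

        $missingInput = false;
        if (self::isBlank($this->userName)) {
            $_SESSION['error']['userName'] = "Fyll i användarnamn.";
            $missingInput = true;
        }
        if (self::isBlank($this->pwd)) {
            $_SESSION['error']['pwd'] = "Fyll i lösenord.";
            $missingInput = true;
        }
        // Bug fix: a missing username used to fall through to the query whenever a password was given.
        if ($missingInput) {
            return;
        }

        $this->pwd = self::hashPassword($this->pwd);
        // Both values are safe to interpolate: the username was escaped in the constructor and
        // the digest is plain hex. Prepared statements would still be preferable if the DB
        // wrapper grows support for them.
        $result = $this->db->query("SELECT user_id, activation FROM user_auth WHERE user='$this->userName' AND pass='$this->pwd'");
        if ($result->length() == 0) {
            $_SESSION['error']['incorrect'] = "Felaktig inloggning";
            return;
        }

        // Credentials matched: reset the counter before the activation check.
        unset($_SESSION['loginTries']);
        $this->user_id = $result->user_id;
        // A non-empty activation column means the account has not been activated yet.
        if (!empty($result->activation)) {
            $_SESSION['error']['notActivated'] = 'Konto ej aktiverat';
            return;
        }

        $this->doLogin();
    }

    /**
     * True when $value is absent or the empty string.
     *
     * Deliberately not empty(): that would also reject the legitimate password "0".
     *
     * @param mixed $value
     * @return bool
     */
    private static function isBlank($value) {
        return (string) $value === '';
    }

    /**
     * Hex SHA-256 digest of $password.
     *
     * Produces the same value as bin2hex(mhash(MHASH_SHA256, $password)) that the
     * existing user_auth.pass rows were written with, via the hash extension (mhash()
     * is a legacy wrapper that newer PHP versions deprecate).
     *
     * NOTE(review): an unsalted, fast digest is a weak password store. Moving to
     * password_hash()/password_verify() needs a rehash-on-login migration of the
     * stored column and is left for a follow-up.
     *
     * @param string $password
     * @return string
     */
    private static function hashPassword($password) {
        return hash('sha256', $password);
    }

    /**
     * Completes a successful login: records the session in the database,
     * populates $_SESSION and redirects to the user's profile page. Never returns.
     */
    private function doLogin() {
        // Cookie for the login form to pre-fill the username field.
        setcookie("lastUser", $this->userName, time() + (364 * 24 * 60 * 60), "/");
        // Session fixation defense: issue a fresh session id now that the user is
        // authenticated, and bind the user_session row to that id rather than the
        // pre-login one that reAuthenticate() will later compare against.
        session_regenerate_id(true);
        $this->session_id = $this->db->escape(session_id());
        // One session per user: drop any previous row before inserting the new one.
        $this->db->query("DELETE from user_session WHERE user_id='$this->user_id'");
        $this->db->query("INSERT INTO user_session (session_id, user_id, user_ip, time_stamp) VALUES
('$this->session_id','$this->user_id','$this->user_ip','$this->time_stamp')");
        $_SESSION['user_id'] = $this->user_id;
        $_SESSION['userName'] = $this->userName;
        // Redirect to the user's profile page (website.com/user).
        header("Location: /$this->userName");
        exit;
    }

    /**
     * Re-checks an existing login on every page that requires authentication.
     *
     * Purges inactive session rows, then verifies that a row exists for the current
     * session id, client address and user id. Binding to the address means a user
     * whose address changes mid-session is logged out.
     *
     * @return bool TRUE when the user is logged in, FALSE otherwise.
     */
    public function reAuthenticate() {
        if (!isset($_SESSION['user_id'])) {
            return FALSE;
        }
        // Remove everyone who has been inactive longer than the timeout.
        $timeout = $this->time_stamp - self::INACTIVITY_TIMEOUT;
        $this->db->query("DELETE from user_session WHERE time_stamp < '$timeout'");
        $result = $this->db->query("SELECT user_id FROM user_session WHERE session_id='$this->session_id' AND user_ip='$this->user_ip' AND user_id='$this->user_id'");
        if ($result->length() == 0) {
            // logout() redirects and exits, so the return below is only reached if that changes.
            $this->logout();
            return FALSE;
        }
        // The user is active: push the inactivity deadline forward.
        $this->db->query("UPDATE user_session SET time_stamp = '$this->time_stamp' WHERE user_id='$this->user_id'");
        return TRUE;
    }

    /**
     * Logs the user out: removes the database session row, discards the PHP
     * session and redirects to the front page. Never returns.
     */
    public function logout() {
        $this->db->query("DELETE from user_session WHERE user_id='$this->user_id'");
        session_unset();
        // session_unset() only empties the data; also discard the server-side session itself.
        session_destroy();
        header('Location: /');
        exit;
    }
}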
?>
thanks
/Daniel