Do I need to add users? (session->login problem)



Newbie question here.

I'm rebuilding my existing website with PW, it's a game where people can guess the winners of races.

I used to have a "players" table. Those are registered players, I used to identify them through their login/password, and when it matches, I give them access to the website. No rocket science.

So now with PW, I'm building my sign-up form and I'm trying to create a new session when a new user signs up.

I'm retrieving user/pass from the sign-up form which has been posted before, but:

if($session->login($user, $pass)) {
    // login successful
} else {
    echo "failed";
}

... fails every time.

Do I have to use something like:

$u = new User();
$u->name = "bill";
$u->pass = "billpwd";
$u->save(); // store the user so that login() can find it

... before doing a session->login('bill', 'billpwd')? (I've just checked, it works, so I guess this is the good way to do it?)

I already have my players table, so perhaps I can have the minimum in PW's table and keep my players' info in my historical table?

... Or I can add all information I need into PW but I'd like to understand where it is stored.

Last question, if there is a PW matching between "user" and "session", I need to give the session->login function the password not hashed. I'm using the password_hash PHP function, any problem with that?





I'm answering part of my own question:

I've just discovered by dumping all the DB that a user is stored like a page, in the "pages" table, which is not too convenient if I want to dump my users table I guess.

On 1/16/2017 at 10:42 AM, Doc said:

... before doing a session->login('bill', 'billpwd')? (I've just checked, it works, so I guess this is the good way to do it?)

The $session->login($user, $pass) call is going to return a user object if the user exists and the password is correct. Otherwise, the session call will fail. That's why creating the user before the login check works when registering the user. It's okay to build users on the fly as long as you sanitize and do your role/permission assignments, etc. If you have a separate login form from the registration form, use one to create and log in the user while the other simply logs in. I don't think you'll need to use any extra hashing; PW will compare the hashed value of the supplied password to that stored in the database.

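The sign-up flow described in the answer above, as an added example that is not part of the original thread: sanitize the input, create the user with a low-privilege role, let ProcessWire hash the password on save, then call $session->login() with the same plain-text password. The form field names, the "player" role and the players table columns (pw_user_id, nickname) are assumptions made for illustration.

```php
<?php namespace ProcessWire;
// Added example for a ProcessWire template file; not code from the thread.
// Assumed: form fields "username", "email", "pass"; a role named "player"
// created beforehand with minimal permissions; a legacy table "players"
// with the hypothetical columns pw_user_id and nickname.

$errors = [];

if($_SERVER['REQUEST_METHOD'] === 'POST') {
    // User names are page names in ProcessWire, so sanitize them as such.
    $name  = $sanitizer->pageName($input->post->username);
    $email = $sanitizer->email($input->post->email);
    // Take the password as submitted; never run password_hash() on it first,
    // because ProcessWire hashes it itself when the user is saved.
    $rawPass = $input->post->pass;
    $pass = is_string($rawPass) ? $rawPass : '';

    if(!$name || !$email) $errors[] = 'Invalid user name or e-mail address.';
    if(strlen($pass) < 8) $errors[] = 'Password must be at least 8 characters.';
    // A missing user comes back as a NullPage whose id is 0.
    if($name && $users->get("name=$name")->id) $errors[] = 'That name is already taken.';

    if(!$errors) {
        $u = new User();
        $u->name  = $name;
        $u->email = $email;
        $u->pass  = $pass;      // stored hashed, never in plain text
        $u->addRole('player');  // assumed low-privilege role, never superuser
        $u->save();

        // Keep game data in the legacy table, linked by the ProcessWire user id.
        $stmt = $database->prepare(
            'INSERT INTO players (pw_user_id, nickname) VALUES (:id, :nick)'
        );
        $stmt->execute([':id' => $u->id, ':nick' => $name]);

        // The user now exists, so login() can verify the password and succeed.
        if($session->login($name, $pass)) {
            $session->redirect($pages->get('/')->url);
        }
        $errors[] = 'Account created, but automatic login failed.';
    }
}

foreach($errors as $e) {
    echo '<p class="error">' . $sanitizer->entities($e) . '</p>';
}
```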

Thanks @Mindfull.

Actually I sanitize everything before creating the user, on the fly as you said. It wasn't obvious to me that I had to create the user before the session login returns OK.

I won't add any extra hashing but I keep only the minimum info (username/password/email) on the PW DB and have another table to store everything I need for my players. Also it's easier to have all the player's information in one table for me, export is easier too.

