Jens Segers on

Codeigniter authentication library 2/3

Generating a personal authentication token

We will generate a unique personal authentication token that will tell us whether the user is logged in or not. To do so we will use the hash_hmac function to get our token:

private function generate_token($id) {
    // First derive a per-user key from the global secret, then use that key
    // to produce the token that will be stored in the cookie.
    $key = hash_hmac('sha512', $id, $this->secret_key);
    $token = hash_hmac('sha512', $id, $key);

    return $token;
}

The first stage of generating our token is creating a key that is unique for each user, using the same hash_hmac function. This key is generated from the user id and a global secret key constant. The key is then used to generate the final authentication token by combining it with personal information about the user, such as the id or the hashed user password.

The code above only uses the user id to generate the token. You can extend it to use both the id and the password hash: if a user then changes his password, the existing cookie no longer validates and is effectively expired.

Validating the cookie

private function verify_cookie() {
    $content = $this->CI->input->cookie($this->cookie_name);

    if ($content) {
        // The cookie holds "id|token"; reject anything that does not split cleanly.
        $parts = explode('|', $content, 2);
        if (count($parts) !== 2) {
            return FALSE;
        }
        list($id, $token) = $parts;
        $hmac = $this->generate_token($id);

        // Constant-time comparison (PHP 5.6+); == would also accept loosely
        // equal strings and leaks timing information.
        return hash_equals($hmac, $token);
    }
    return FALSE;
}

This function reads the cookie content (if present), splits it into the user id and the token, and compares the token with a freshly generated one for that id. If the two match, the user is logged in.
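The password-bound variant suggested above, together with the strict cookie check, as an added stand-alone example (not the library's code and independent of CodeIgniter). The secret key and the user store are constructed sample values; changing the stored password hash makes the previously issued cookie fail verification.

```php
<?php
// Added example: the cookie token binds the user id AND the stored password
// hash, so rotating the hash invalidates every cookie issued before it.
// $secret_key and $users are constructed sample values, not real data.

$secret_key = 'replace-with-a-long-random-server-secret';

// Constructed user store: id => password hash currently on record.
$users = array(
    42 => password_hash('old-password', PASSWORD_DEFAULT),
);

function generate_token($id, $password_hash, $secret_key) {
    // Per-user key derived from the global secret, then a token that covers
    // the id and the current password hash.
    $key = hash_hmac('sha512', (string) $id, $secret_key);
    return hash_hmac('sha512', $id . '|' . $password_hash, $key);
}

function create_cookie_value($id, $password_hash, $secret_key) {
    return $id . '|' . generate_token($id, $password_hash, $secret_key);
}

function verify_cookie_value($content, array $users, $secret_key) {
    // Reject malformed cookies before relying on the split result.
    $parts = explode('|', (string) $content, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return FALSE;
    }
    list($id, $token) = $parts;
    if (!isset($users[(int) $id])) {
        return FALSE;
    }
    $expected = generate_token($id, $users[(int) $id], $secret_key);
    // Constant-time comparison instead of ==, which also falls into PHP's
    // loose comparison of numeric-looking strings.
    return hash_equals($expected, $token);
}

$cookie = create_cookie_value(42, $users[42], $secret_key);
echo 'fresh cookie: ', verify_cookie_value($cookie, $users, $secret_key) ? 'valid' : 'invalid', "\n";
echo 'forged token: ', verify_cookie_value('42|deadbeef', $users, $secret_key) ? 'valid' : 'invalid', "\n";
echo 'garbage:      ', verify_cookie_value('garbage', $users, $secret_key) ? 'valid' : 'invalid', "\n";

// Password change: the stored hash rotates, so the old cookie is rejected.
$users[42] = password_hash('new-password', PASSWORD_DEFAULT);
echo 'after change: ', verify_cookie_value($cookie, $users, $secret_key) ? 'valid' : 'invalid', "\n";
```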

Further implementation

To complete the library we need a couple more functions. These are the functions that will manipulate the cookie's content.

private function create_cookie($id, $remember = FALSE) {
    $this->CI->load->helper('cookie');
    // Cookie value is "id|token"; name, domain and path come from the config.
    $cookie = array('name' => $this->cookie_name,
                    'value' => $id . '|' . $this->generate_token($id),
                    'domain' => $this->cookie_domain,
                    'path' => $this->cookie_path);

    // A "remember me" login gets the long expiry, a normal login the short one.
    if ($remember)
        $cookie['expire'] = $this->cookie_long;
    else
        $cookie['expire'] = $this->cookie_short;

    set_cookie($cookie);
}

private function delete_cookie() {
    $this->CI->load->helper('cookie');
    // An empty value with a non-numeric expiry makes set_cookie expire it.
    $cookie = array('name' => $this->cookie_name,
                    'value' => '',
                    'expire' => '',
                    'domain' => $this->cookie_domain,
                    'path' => $this->cookie_path);
    set_cookie($cookie);
}

You can call these functions when the user logs in or logs out. They use a few parameters (cookie name, domain, path and expiry times) that are defined within the authentication library or in a config file. The create_cookie function takes an extra remember parameter: when it is TRUE the cookie expires after cookie_long, otherwise after cookie_short.

Using Codeigniter's cookie helper is definitely not necessary but I used it to have a nice overview of all the parameters.

Part 3

Read the next part by clicking here
