How and when do I check that the user is logged in and valid?

I am trying to do a login procedure but after googling I am even more confused. My intention is to store valid users in a lookup database. This is no major problem at the login.

But once the user is logged in and validated, how do I know that the user is logged in?

  1. Should I store this info in a local cookie or in the server session? Or both?

  2. Should I check this cookie/session every time I call a new page?

Thanks in advance for any clue!

    @VITSUSA May 29.2020 — First option will be good for you.

    @NogDog May 29.2020 — > @sibert#1618912
    > 1. Should I store this info local cookie or in the server session? Or both?

    Typically it's both: a cookie that includes a session ID, and then session data on the server side linked to that ID.

    > @sibert#1618912
    > 2. Should I check this cookie/session every time I call a new page?

    Yes...if login is required for that page.

    @sibert (author) May 29.2020 — > @NogDog#1618932 Typically it's both: a cookie that includes a session ID, and then session data on the server side linked to that ID.

    I have tested with "local cookie" with some success. What is the purpose and use of "server session"?

    > @NogDog#1618932 Yes...if login is required for that page.

    So if it is a "confidential" web app. I have to "validate" each page?

    Thank you!
    @NogDog May 29.2020 — > @sibert#1618933 What is the purpose and use of "server session"?

    So that someone cannot simply reverse-engineer what's in the HTML/JavaScript and create a fake cookie -- the cookie must match the relevant data stored on the server pertaining to that session.

    > @sibert#1618933 I have to "validate" each page?

    You do if you want that page restricted to logged in users only. That validation may be that the identifier in the session cookie matches one in the session data on the server, and could include a check that the login is not more than X amount of time ago, and might verify other things in the HTTP headers, etc., depending on how important security is to your site. This is something you should find some good, trusted articles/tutorials on, not something that should be solved in a web forum.
    @moltoviaxx May 30.2020 — I am doing some moodle customization for my company's LMS and need to add a drop-down menu that is only visible to admins and managers. The admin verification is easy with

        is_siteadmin()

    But is there an existing similar function to verify managers?

    Essentially what I'd like to write is a simple if statement.

        if (is_siteadmin() || is_manager()) {}
    @sibert (author) May 30.2020 — > @moltoviaxx#1618954 But is there an existing similar function to verify managers?

    I am planning about the same. In my thoughts, there are two layers. The first layer is to verify if it is a valid user. The second layer (when logged in) is to figure out what you are authorized to do.

    Like "authorization templates" for different levels of access. Correct me if I am wrong.
    @NogDog May 30.2020 — If there are different user types, then that user's type would be stored as part of the session data on the server, and you could then use an if condition to test for it and either display the page or do whatever you choose to do for an unauthorized user. In PHP it might look like:

        <?php
        session_start(); // loads the server-side session data matching the session ID cookie
        if (empty($_SESSION['user_type']) or $_SESSION['user_type'] != 'admin') {
            // handle not authorized here
            exit; // make sure we don't do anything else
        }

        // rest of script...

    Obviously other languages/frameworks might look quite different, but the general logic should stay the same.
    @sibert (author) May 31.2020 — > @NogDog#1618964 If there are different user types, then that user's type would be stored as part of the session data on the server,

    I see three levels of "users". Temporary user cookie in the browser. Temporary user sessions on the server. And finally correspondent permanent users within the app database.

    Today I have a client-server solution with about 100 database tables. Grouped into about 20 access levels. This is today managed by admin using "authorization templates" for each user.

    In my thoughts I will continue to have users with correspondent access levels in the app database. So the access to any of these 20 groups are handled when you are logged in.

    But this may change when using a web front end...
    @moltoviaxx May 31.2020 — @sibert#1618958

    No, you're not wrong. Thank you so much.

    @sibert (author) Jun 22.2020 — > @NogDog#1618941 the cookie must match the relevant data stored on the server pertaining to that session

    I have managed to do this (I think). When the user logs in the password is checked against stored server information. Once logged in the status of the login session data is checked for each page.

    Will this be sufficient?

    http://94.237.92.101:3030/
    @Zabor Jun 24.2020 — Thanks for your recommendations!

    I had similar questions