User Login Session and Cookie Configuration
Help with the Table Configuration
Config Name: The name that flexi auth internally references the config setting by.
Default: The default value set within the config file.
Data Type: The data type that is expected by the config setting.
- bool : Requires a boolean value of 'TRUE' or 'FALSE'.
- string : Requires a textual value.
- int : Requires a numeric value. It does not matter whether the value is an integer, float, decimal etc.
- array : Requires an array.
- datetime : Requires a datetime value. Typically either a MySQL DATETIME (2000-12-31 12:00:00) or UNIX timestamp (1234567890)
Config File Location
The config file is located in CodeIgniter's 'config' folder and is named 'flexi_auth.php'.
Schema Diagram : User Login Session Table
A database table schema diagram, showing how the user login session table is related to the primary user account table.
Note: Table and column names are defined using their config names referenced within the config file. The names within brackets are the default demo names.
User Login Session Table
The user login session table is used to validate user login credentials.
For security purposes, if a user's credentials do not match those stored within the table, the user is automatically logged out.
The login session feature is based on a technique put forward in two articles by Charles Miller and Barry Jaspan.
Charles Miller's 'Best Practices' article.
Barry Jaspan's Improved Best Practices.
Table and Column Setup
Config Name | Default | Data Type | Description |
table | user_login_sessions | - | The table's name. |
join | user_login_sessions.usess_uacc_fk | - | The table's foreign key used to join with foreign keys of other tables. |
identifier | usess_uacc_fk | int | Defines the user id that the login session is associated with. |
series | usess_series | string | Defines an authentication token that was issued to a user who logged in using the 'Remember me' feature. This is the 'series' token referred to by Barry Jaspan. |
token | usess_token | string | Defines an authentication token that is validated and then re-issued to a user every time their login session is verified. |
date | usess_login_date | datetime | Defines the date that the token(s) were issued. |
Notes
The user login session table should not be confused with the CodeIgniter session table named 'ci_sessions'.
The ci_sessions table is natively used by CodeIgniter to store and relate large amounts of data with a browser session.
The user login session table used by flexi auth, by contrast, specifically manages the authentication of tokens set by the library within a browser session.
If the tokens within the table and browser session do not match properly, the user's login session is terminated.
Both of the tables are required by flexi auth to function properly.
Example
$config['database']['user_sess']['table'] = 'user_login_sessions';
$config['database']['user_sess']['join'] = 'user_login_sessions.usess_uacc_fk';
$config['database']['user_sess']['columns']['user_id'] = 'usess_uacc_fk';
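The 'series' and 'token' handling described in this section (token re-issued on every validation, session terminated on a mismatch), sketched as an added example that is not flexi auth's own code. The in-memory $store array stands in for the user_login_sessions table, and issue_login(), validate_login() and the choice to store only a SHA-256 hash of the token are assumptions of this example.

```php
<?php
// Added illustration of the series/token scheme; not flexi auth's own code.
// $store stands in for the user_login_sessions table (default demo column names).
function issue_login(array &$store, int $userId): array {
    $series = bin2hex(random_bytes(20));
    $token  = bin2hex(random_bytes(20));
    $store[] = ['usess_uacc_fk' => $userId, 'usess_series' => $series,
        'usess_token' => hash('sha256', $token),   // hash only: this example's choice
        'usess_login_date' => time()];
    return ['user_id' => $userId, 'remember_series' => $series, 'remember_token' => $token];
}

function validate_login(array &$store, array $cookie, int $lifetime): ?array {
    foreach ($store as $i => $row) {
        if ($row['usess_uacc_fk'] !== $cookie['user_id']
            || !hash_equals($row['usess_series'], $cookie['remember_series'])) {
            continue;                              // not this user's series
        }
        if (time() - $row['usess_login_date'] > $lifetime) {
            unset($store[$i]);                     // tokens older than the lifetime
            return null;
        }
        if (!hash_equals($row['usess_token'], hash('sha256', $cookie['remember_token']))) {
            // Known series but stale token: an earlier copy of the cookie was presented.
            // Following Jaspan's article, drop every login session for this user.
            $store = array_values(array_filter($store,
                fn($r) => $r['usess_uacc_fk'] !== $cookie['user_id']));
            return null;
        }
        // Valid: keep the series, re-issue the token and its issue date.
        $token = bin2hex(random_bytes(20));
        $store[$i]['usess_token'] = hash('sha256', $token);
        $store[$i]['usess_login_date'] = time();
        return ['remember_token' => $token] + $cookie;
    }
    return null;                                   // unknown series
}

// Constructed walk-through: the same cookie is presented twice.
$store  = [];
$first  = issue_login($store, 42);
$second = validate_login($store, $first, 60*60*24*14);  // current cookie
$replay = validate_login($store, $first, 60*60*24*14);  // stale copy of the first cookie
var_dump($second !== null, $replay === null, count($store) === 0);
```

Because the token is rotated on every successful validation, a copied cookie is only usable until the legitimate browser (or the copy) is next validated; the second presentation of the old token is what reveals the copy.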
User Login Session/Cookie Settings
Define how the library handles the behaviour of login sessions and cookies.
Table and Column Setup
Config Name | Data Type | Default | Description |
validate_login_onload | bool | true | Set whether login details are validated on every page load. true = Login credentials are validated against the database every time a page is loaded; invalid users are logged out automatically. false = Login credentials are validated only once at time of login and will not expire until CI sessions expire (defined via the CI config file). |
login_session_expire | int | 60*60*3 | Set the lifetime of a user login session in seconds. Example: 60*30 = 30 minutes, 60*60*24 = 1 day, 86400 = 1 day, 0 = Unlimited. Setting the value as '0' would mean the session would not expire until CI's own session value (config['sess_expiration'] in CI config file) expired. Note: Used when $config['security']['validate_login_onload'] = true |
extend_login_session | bool | true | Set whether a user's login time is extended when their session token is validated (on every page load). Note: Used when $config['security']['validate_login_onload'] = true |
logout_user_onclose | bool | true | Set whether a user is logged out as soon as the browser is closed. Creates a cookie with a 0 lifetime that is deleted when the browser is closed. This invalidates the user's session the next time they visit the website as there is no longer a matching cookie. Note: Used when $config['security']['validate_login_onload'] = true |
unset_password_status_onclose | bool | true | Set whether a user has their 'logged in via password' status removed as soon as the browser is closed. If the user enabled the 'Remember me' feature on login, and their session is still valid, they will have a 'logged in via "Remember me"' status on their next visit. If the user did not enable the 'Remember me' feature on login, they will be logged out on their next visit. If this setting is not enabled, a user who has logged in via password will have the same login status if they close the browser and revisit the site before the login session expires ('login_session_expire'). Creates a cookie with a 0 lifetime that is deleted when the browser is closed. This invalidates the user's session the next time they visit the website as there is no longer a matching cookie. Note: Used when $config['security']['logout_user_onclose'] = false |
user_cookie_expire | int | 60*60*24*14 | Set the lifetime of a user's login cookies in seconds; this includes the 'Remember me' cookies. Example: 60*60*24 = 24 hours, 60*60*24*14 = 14 days, 86400 = 1 day. |
extend_cookies_on_login | bool | true | Set whether a user's 'Remember me' login cookies have their lifetime extended when their session token is validated. |
Login Cookie and Session Settings
$config['security']['validate_login_onload'] = TRUE;
$config['security']['login_session_expire'] = 60*60*3;
$config['security']['extend_login_session'] = TRUE;
$config['security']['logout_user_onclose'] = TRUE;
$config['security']['unset_password_status_onclose'] = TRUE;
$config['security']['user_cookie_expire'] = 60*60*24*14;
$config['security']['extend_cookies_on_login'] = TRUE;
Session Names
flexi auth uses CI sessions to store and serve authentication data between page loads.
All flexi auth session data is stored together within one session array, which helps maintain a tidy session structure.
If required, the name of each session within the flexi auth library can be defined.
$config['sessions']['name'] = 'flexi_auth';
$config['sessions']['user_identifier'] = 'user_identifier';
$config['sessions']['user_id'] = 'user_id';
$config['sessions']['is_admin'] = 'admin';
$config['sessions']['group'] = 'group';
$config['sessions']['privileges'] = 'privileges';
$config['sessions']['logged_in_via_password'] = 'logged_in_via_password';
$config['sessions']['login_session_token'] = 'login_session_token';
$config['sessions']['math_captcha'] = 'math_captcha';
Cookie Names
flexi auth uses cookies to store and serve authentication data for the next time a user visits the website.
If required, the name of each cookie within the flexi auth library can be defined.
$config['cookies']['user_id'] = 'user_id';
$config['cookies']['remember_series'] = 'remember_series';
$config['cookies']['remember_token'] = 'remember_token';
$config['cookies']['login_session_token'] = 'login_session_token';
$config['cookies']['login_via_password_token'] = 'login_via_password_token';