User Guide | User Login Session and Cookie Configuration

The key concept of the flexi auth library is to give the developer a toolbox of functions that they can use to build a user authentication system matching the custom specifications required by their site.

One of the ways that the library enhances the customisation of the authentication system is by allowing many of the internal library settings to be defined by the developer via the library's config file.

User Login Session and Cookie Configuration


Help with the Table Configuration


Config Name: The name that flexi auth internally references the config setting by.

Default: The default value set within the config file.

Data Type: The data type that is expected by the config setting.

  • bool : Requires a boolean value of 'TRUE' or 'FALSE'.
  • string : Requires a textual value.
  • int : Requires a numeric value. It does not matter whether the value is an integer, float, decimal, etc.
  • array : Requires an array.
  • datetime : Requires a datetime value. Typically either a MySQL DATETIME (2000-12-31 12:00:00) or a UNIX timestamp (1234567890).


Config File Location

The config file is located in CodeIgniter's 'config' folder and is named 'flexi_auth.php'.

Schema Diagram : User Login Session Table

A database table schema diagram, showing how the user login session table is related to the primary user account table.

Note: Table and column names are defined using their config names referenced within the config file. The names within brackets are the default demo names.

User Login Session Table

The user login session table is used to validate user login credentials.
For security purposes, if a user's credentials do not match those stored within the table, the user is automatically logged out.

The login session feature is based on a technique put forward in two articles, by Charles Miller and Barry Jaspan:
Charles Miller's 'Best Practices' article.
Barry Jaspan's 'Improved Best Practices'.


Table and Column Setup

Config Name | Default                           | Data Type | Description
table       | user_login_sessions               | -         | The table's name.
join        | user_login_sessions.usess_uacc_fk | -         | The table's foreign key, used to join with the foreign keys of other tables.
identifier  | usess_uacc_fk                     | int       | Defines the user id that the login session is associated with.
series      | usess_series                      | string    | Defines an authentication token that was issued to a user who logged in using the 'Remember me' feature. This is the 'series' token referred to by Barry Jaspan.
token       | usess_token                       | string    | Defines an authentication token that is validated and then re-issued to the user every time their login session is verified.
date        | usess_login_date                  | datetime  | Defines the date that the token(s) were issued.
Notes

The user login session table should not be confused with the CodeIgniter session table name 'ci_sessions'.

The ci_sessions table is natively used by CodeIgniter to store and relate large amounts of data with a browser session, whilst the user login session table used by flexi auth specifically manages the authentication of tokens set by the library within a browser session. If the tokens within the table and the browser session do not match, the user's login session is terminated.

Both of the tables are required by flexi auth to function properly.

Example
// Defining the table, join and column names.

$config['database']['user_sess']['table'] = 'user_login_sessions';
$config['database']['user_sess']['join'] = 'user_login_sessions.usess_uacc_fk';
$config['database']['user_sess']['columns']['user_id'] = 'usess_uacc_fk';

User Login Session/Cookie Settings

Define how the library handles the behaviour of login sessions and cookies.


Table and Column Setup
Each setting is listed as its config name, data type and default value, followed by a description.

validate_login_onload (bool, default: true)

Set whether login details are validated on every page load.

true = Login credentials are validated against the database every time a page is loaded; invalid users are logged out automatically.

false = Login credentials are validated only once, at the time of login, and will not expire until the CI session expires (defined via the CI config file).

login_session_expire (int, default: 60*60*3)

Set the lifetime of a user login session in seconds.

Example: 60*30 = 30 minutes, 60*60*24 = 1 day, 86400 = 1 day, 0 = Unlimited.
Setting the value to '0' means the login session does not expire until CI's own session value (config['sess_expiration'] in the CI config file) expires.

Note: Used when $config['security']['validate_login_onload'] = true

extend_login_session (bool, default: true)

Set whether a user's login time is extended when their session token is validated (on every page load).

Note: Used when $config['security']['validate_login_onload'] = true

logout_user_onclose (bool, default: true)

Set whether a user is logged out as soon as the browser is closed.

Creates a cookie with a 0 lifetime that is deleted when the browser is closed.
This invalidates the user's session the next time they visit the website, as there is no longer a matching cookie.

Note: Used when $config['security']['validate_login_onload'] = true

unset_password_status_onclose (bool, default: true)

Set whether a user has their 'logged in via password' status removed as soon as the browser is closed.

If the user enabled the 'Remember me' feature on login, and their session is still valid, they will have a 'logged in via "Remember me"' status on their next visit.
If the user did not enable the 'Remember me' feature on login, they will be logged out on their next visit.

If this setting is not enabled, a user who has logged in via password will keep the same login status if they close the browser and revisit the site before the login session expires ('login_session_expire').

Creates a cookie with a 0 lifetime that is deleted when the browser is closed.
This invalidates the user's 'logged in via password' status the next time they visit the website, as there is no longer a matching cookie.

Note: Used when $config['security']['logout_user_onclose'] = false

user_cookie_expire (int, default: 60*60*24*14)

Set the lifetime of a user's login cookies in seconds; this includes the 'Remember me' cookies.

Example: 60*60*24 = 24 hours, 60*60*24*14 = 14 days, 86400 = 1 day.

extend_cookies_on_login (bool, default: true)

Set whether a user's 'Remember me' login cookies have their lifetime extended when their session token is validated.

Login Cookie and Session Settings
// Defining whether login details are validated on every page load.
$config['security']['validate_login_onload'] = TRUE;

// Defining the lifetime of a user login session in seconds.
$config['security']['login_session_expire'] = 60*60*3;

// Defining whether a user's login time is extended when their session token is validated (on every page load).
$config['security']['extend_login_session'] = TRUE;

// Defining whether a user is logged out as soon as the browser is closed.
$config['security']['logout_user_onclose'] = TRUE;

// Defining whether a user's 'logged in via password' status is removed as soon as the browser is closed.
$config['security']['unset_password_status_onclose'] = TRUE;

// Defining the lifetime of a user's login cookies in seconds; this includes the 'Remember me' cookies.
$config['security']['user_cookie_expire'] = 60*60*24*14;

// Defining whether a user's 'Remember me' login cookies have their lifetime extended when their
// session token is validated.
$config['security']['extend_cookies_on_login'] = TRUE;
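As an added example (not code from the flexi auth library), the following stand-alone PHP models the per-page-load check that the user login session table and the settings above describe: it enforces login_session_expire, compares the stored usess_token with the token presented by the browser, re-issues the token on success, and moves usess_login_date forward when extend_login_session is enabled. The validate_login_session function, the in-memory $row standing in for a database record, and the use of hash_equals for the comparison are this example's own assumptions.

```php
<?php
// Added example, not part of flexi auth. Column and config names follow the
// user guide; $row is a constructed stand-in for a user_login_sessions record.

function validate_login_session(array $row, int $user_id, string $presented_token,
                                int $now, array $cfg): array
{
    // 1. The stored row must belong to the user id held in the CI session.
    if ((int) $row['usess_uacc_fk'] !== $user_id) {
        return ['ok' => false, 'reason' => 'no_session', 'row' => $row];
    }

    // 2. Enforce login_session_expire. A value of 0 means "unlimited" here,
    //    leaving expiry to CI's own sess_expiration, as the guide states.
    $lifetime = (int) $cfg['login_session_expire'];
    if ($lifetime > 0 && strtotime($row['usess_login_date']) + $lifetime < $now) {
        return ['ok' => false, 'reason' => 'expired', 'row' => $row];
    }

    // 3. Compare the presented token with the stored one in constant time.
    //    A mismatch logs the user out; Jaspan's article additionally treats a
    //    stale token on a valid series as a sign the cookie may have been copied.
    if (!hash_equals($row['usess_token'], $presented_token)) {
        return ['ok' => false, 'reason' => 'token_mismatch', 'row' => $row];
    }

    // 4. Valid: re-issue a fresh token, as the 'token' column description states.
    $row['usess_token'] = bin2hex(random_bytes(16));

    // 5. extend_login_session: refresh the issue date on every successful check.
    if (!empty($cfg['extend_login_session'])) {
        $row['usess_login_date'] = date('Y-m-d H:i:s', $now);
    }
    return ['ok' => true, 'reason' => 'valid', 'row' => $row];
}

// Demo with a constructed row and the guide's default settings.
$row = [
    'usess_uacc_fk'    => 42,
    'usess_series'     => 'series-demo',
    'usess_token'      => 'tok-demo',
    'usess_login_date' => '2000-12-31 12:00:00',
];
$cfg = ['login_session_expire' => 60*60*3, 'extend_login_session' => TRUE];
$now = strtotime('2000-12-31 13:00:00');            // one hour after issue

$ok       = validate_login_session($row, 42, 'tok-demo', $now, $cfg);            // valid, new token
$mismatch = validate_login_session($row, 42, 'wrong-token', $now, $cfg);         // logged out
$expired  = validate_login_session($row, 42, 'tok-demo', $now + 60*60*4, $cfg);  // past the 3 h window
var_dump($ok['reason'], $mismatch['reason'], $expired['reason']);
```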

Session Names

flexi auth uses CI sessions to store and serve authentication data between page loads.

All flexi auth session data is stored together within one session array, which helps maintain a tidy session structure.
If required, the name of each session within the flexi auth library can be defined.


// Auth Session Name.
// Set the root auth session name saved as an array in the CI session, 
// all other flexi auth session data is then stored within this array.
$config['sessions']['name'] = 'flexi_auth';

// Primary User Identifier Session.
// Contains the $config['database']['settings']['primary_identity_col'] config column value.
// This value is then used to internally identify the user when performing CRUD functions.
$config['sessions']['user_identifier'] = 'user_identifier';

// User Account Data Sessions.
// Used for performing various CRUD functions.
$config['sessions']['user_id'] = 'user_id';
$config['sessions']['is_admin'] = 'admin';
$config['sessions']['group'] = 'group';
$config['sessions']['privileges'] = 'privileges';

// Login Via Password.
// Indicate whether the user logged in via entering a password or was logged in automatically  
// via the 'Remember me' function.
$config['sessions']['logged_in_via_password'] = 'logged_in_via_password';

// Login Session Token.
// The login session token is used to help validate a user's login credentials against a stored database token.
// Note: Only used when "$config['security']['validate_login_onload'] = true" has been defined.
$config['sessions']['login_session_token'] = 'login_session_token';

// Math Captcha Flash Session.
// Used to store the answer of a math captcha question, this data is stored only in a CI flash session 
// and so will only be available on the next page and is then deleted.
$config['sessions']['math_captcha'] = 'math_captcha';

Cookie Names

flexi auth uses cookies to store and serve authentication data for the next time a user visits the website.
If required, the name of each cookie within the flexi auth library can be defined.


// 'Remember me' Cookies.
// Used to store 'Remember me' data to automatically log a user in next time they visit the website.
$config['cookies']['user_id'] = 'user_id';
$config['cookies']['remember_series'] = 'remember_series';
$config['cookies']['remember_token'] = 'remember_token';

// Login Session Cookie.
// The login session cookie token is used to invalidate a user's login session when they close their
// browser, by deleting itself.
// Note: Only used when "$config['security']['validate_login_onload'] = TRUE" and
// "$config['security']['logout_user_onclose'] = TRUE" have been defined.
$config['cookies']['login_session_token'] = 'login_session_token';

// Login Via Password Cookie.
// The login via password cookie token is used to invalidate a user's 'logged in via password' status
// when they close their browser, by deleting itself.
// Note: Only used when "$config['security']['logout_user_onclose'] = FALSE" has been defined.
$config['cookies']['login_via_password_token'] = 'login_via_password_token';