PHP - Where to implement Session Logic in MVC? -


access application (in order)

  1. whitelist ip address
    • redirect 404 on invalid ip
  2. check if last activity > 2 hours ago
    • redirect login page , expire session
  3. check if user logged in, looking @ user data in $_session
    • redirect login page if not valid

index.php

(notice similar this question):

/**  * set timezone  */ date_default_timezone_set('zulu');  /**  * include globals , config files  */ require_once('env.php');  /*  * closure providing lazy initialization of db connection  */ $db = new database();  /*   * creates basic structures,   * used interaction model layer.  */ $servicefactory = new servicefactory(new repositoryfactory($db), new entityfactory); $servicefactory->setdefaultnamespace('\\myapp\\service');  $request = new request(); $session = new session(); $session->start(); $router = new router($request, $session);  /*  * whitelist ip addresses  */ if (!$session->isvalidip()) {     $router->import($whitelist_config);  /*  * check if session expired or invalid  */ } elseif (!$session->isvalid()) {     $router->import($session_config);  /*  * check if user logged in  */ } elseif (!$session->loggedin()) {     $router->import($login_config); } else {     $router->import($routes_config); }  /*  * find matched route, or throw 400 header.  *  * if matched route, add resource name   * , action request object.  */ $router->route();  /*   * initialization of view   */ $class = '\\myapp\\view\\' . $request->getresourcename(); $view = new $class($servicefactory);  /*  * initialization of controller  */ $class = '\\myapp\\controller\\' . $request->getresourcename(); $controller = new $class($servicefactory, $view);  /*  * execute necessary command on controller  */ $command = $request->getcommand(); $controller->{$command}($request);  /*  * produces response  */ echo $view->render(); 

the $router->import() function takes json file route configuration , creates routes (haven't decided if i'm going keep that). router modified version of klein.

my question

is proper implementation of how check session data?

i prefer check user data in session can found in database, need use service that, , services should accessed controller(?). wouldn't know controller send user since route configuration change if user logged in.

for example, if trying go www.myapp.com/orders/123, send them orders controller if logged in, or session controller (to render login page) if weren't.

i have read acl implementation this question. but, unless i'm mistaken, controlling access users logged in, not users aren't logged in. if not case, please explain how implement acl check this?

i appreciate since search answer has given me mixed solutions, , of them don't or don't seem clean solutions. session manager, i'm doing, pretending not to. =/

updated index.php (my solution)

/**  * set timezone  */ date_default_timezone_set('zulu');  /**  * include globals , config files  */ require_once('env.php');  /*  * closure providing lazy initialization of db connection  */ $db = new database();  /*   * creates basic structures,   * used interaction model layer.  */ $servicefactory = new servicefactory(new mapperfactory($db), new domainfactory); $servicefactory->setdefaultnamespace('\\myapp\\service');  include config_path.'routes.php';  $request = new request(); $router = new router($routes,$request);  /*  * find matched route.  *  * if matched route, add resource name   * , command request object.  */ $router->route();  $session = $servicefactory->create('session');  /*  * whitelist ip address, check if user   * logged in , session hasn't expired.  */ $session->authenticate();  /*  * access control list  */ include config_path.'acl_settings.php';  $aclfactory = new aclfactory($roles,$resources,$rules); $acl = $aclfactory->build();  $user = $session->currentuser(); $role = $user->role(); $resource = $request->getresourcename(); $command = $request->getcommand();  // user trying access unauthorized page if (!$acl->isallowed($role, $resource, $command) {     $request->setresourcename('session');     $request->setcommand('index');     if ($role === 'blocked') {         $request->setresourcename('error');     } }  /*   * initialization of view   */ $class = '\\myapp\\view\\' . $request->getresourcename(); $view = new $class($servicefactory, $acl);  /*  * initialization of controller  */ $class = '\\myapp\\controller\\' . $request->getresourcename(); $controller = new $class($servicefactory, $view, $acl);  /*  * execute necessary command on controller  */ $command = $request->getcommand(); $controller->{$command}($request);  /*  * produces response  */ $view->{$command} $view->render(); 

i start session , authorize user in session model. session's currentuser have role of 'guest' if not logged in, or 'blocked' if it's ip address not in whitelist. wanted implement controller wrapper suggested teresko's previous acl post, needed redirect user's instead. send them homepage (session#index) if try access page aren't allowed to, or error#index if blocked. session#index let view decide whether or not display homepage logged in user, or login page if aren't logged in (by checking user's role). maybe not best solution, doesn't seem terrible.

single responsibility

your session object doing many things. sessions more or less persistence across requests. session shouldn't doing authentication logic. store identifier logged in user in session, actual validation, logging in/out should done in authentication service.

route management

importing different routes based on users authentication status not scale , pain debug later when have lot more routes. better define routes in 1 place , use authentication service redirect if not authorized. i'm not familiar router looking @ documentation should able

$router->respond(function ($request, $response, $service, $app) {      $app->register('auth', function() {         return new authservice();     } }); 

then on routes need logged in can like

$router->respond('get', '/resource', function ($request, $response, $service, $app) {     if( ! $app->auth->authenticate() )         return $response->redirect('/login', 401);     // ... }); 

Comments

Popular posts from this blog

java - Custom OutputStreamAppender not run: LOGBACK: No context given for <MYAPPENDER> -

java - UML - How would you draw a try catch in a sequence diagram? -

c++ - No viable overloaded operator for references a map -