PHP - Where to implement Session Logic in MVC?


Access the application (in this order):

  1. whitelist ip address
    • redirect to 404 on invalid ip
  2. check if last activity was > 2 hours ago
    • redirect to login page, expire session
  3. check if the user is logged in, looking at the user data in $_SESSION
    • redirect to login page if not valid

index.php

(notice that it is similar to this question):

/**
 * set timezone
 */
date_default_timezone_set('zulu');

/**
 * include globals and config files
 */
require_once('env.php');

/*
 * closure providing lazy initialization of db connection
 */
$db = new database();

/*
 * creates basic structures,
 * used for interaction with the model layer.
 */
$servicefactory = new servicefactory(new repositoryfactory($db), new entityfactory);
$servicefactory->setdefaultnamespace('\\myapp\\service');

$request = new request();
$session = new session();
$session->start();
$router = new router($request, $session);

/*
 * whitelist ip addresses
 */
if (!$session->isvalidip()) {
    $router->import($whitelist_config);

/*
 * check if session expired or invalid
 */
} elseif (!$session->isvalid()) {
    $router->import($session_config);

/*
 * check if user logged in
 */
} elseif (!$session->loggedin()) {
    $router->import($login_config);
} else {
    $router->import($routes_config);
}

/*
 * find matched route, or throw 400 header.
 *
 * if a route matched, add resource name
 * and action to the request object.
 */
$router->route();

/*
 * initialization of view
 */
$class = '\\myapp\\view\\' . $request->getresourcename();
$view = new $class($servicefactory);

/*
 * initialization of controller
 */
$class = '\\myapp\\controller\\' . $request->getresourcename();
$controller = new $class($servicefactory, $view);

/*
 * execute necessary command on controller
 */
$command = $request->getcommand();
$controller->{$command}($request);

/*
 * produces response
 */
echo $view->render();

The $router->import() function takes a json file of route configuration and creates the routes (I haven't decided if I'm going to keep that). The router is a modified version of Klein.

My question

Is this a proper implementation of how to check session data?

I would prefer to check that the user data in the session can be found in the database, but I would need to use a service for that, and services should be accessed by the controller(?). I wouldn't know which controller to send the user to, since the route configuration changes depending on whether the user is logged in.

For example, if they are trying to go to www.myapp.com/orders/123, I send them to the orders controller if they are logged in, or to the session controller (to render the login page) if they weren't.

I have read the ACL implementation in this question. But, unless I'm mistaken, it is controlling access for users who are logged in, not for users who aren't logged in. If that is not the case, please explain how to implement an ACL check for this?

I would appreciate it, since searching for an answer has given me mixed solutions, and most of them don't work or don't seem like clean solutions. A session manager is what I'm doing, while pretending not to. =/

Updated index.php (my solution)

/**
 * set timezone
 */
date_default_timezone_set('zulu');

/**
 * include globals and config files
 */
require_once('env.php');

/*
 * closure providing lazy initialization of db connection
 */
$db = new database();

/*
 * creates basic structures,
 * used for interaction with the model layer.
 */
$servicefactory = new servicefactory(new mapperfactory($db), new domainfactory);
$servicefactory->setdefaultnamespace('\\myapp\\service');

include config_path.'routes.php';

$request = new request();
$router = new router($routes, $request);

/*
 * find matched route.
 *
 * if a route matched, add resource name
 * and command to the request object.
 */
$router->route();

$session = $servicefactory->create('session');

/*
 * whitelist ip address, check if user is
 * logged in and session hasn't expired.
 */
$session->authenticate();

/*
 * access control list
 */
include config_path.'acl_settings.php';

$aclfactory = new aclfactory($roles, $resources, $rules);
$acl = $aclfactory->build();

$user = $session->currentuser();
$role = $user->role();
$resource = $request->getresourcename();
$command = $request->getcommand();

// user trying to access an unauthorized page
// (closing parenthesis of the condition was missing in the posted version)
if (!$acl->isallowed($role, $resource, $command)) {
    $request->setresourcename('session');
    $request->setcommand('index');
    if ($role === 'blocked') {
        $request->setresourcename('error');
    }
}

/*
 * initialization of view
 */
$class = '\\myapp\\view\\' . $request->getresourcename();
$view = new $class($servicefactory, $acl);

/*
 * initialization of controller
 */
$class = '\\myapp\\controller\\' . $request->getresourcename();
$controller = new $class($servicefactory, $view, $acl);

/*
 * execute necessary command on controller
 */
$command = $request->getcommand();
$controller->{$command}($request);

/*
 * produces response
 * (the posted version was missing the call parentheses and the echo)
 */
$view->{$command}();
echo $view->render();

I start the session and authorize the user in the session model. The session's currentuser will have the role 'guest' if not logged in, or 'blocked' if its ip address is not in the whitelist. I wanted to implement the controller wrapper suggested in teresko's previous ACL post, but I needed to redirect users instead. I send them to the homepage (session#index) if they try to access a page they aren't allowed to, or to error#index if they are blocked. session#index lets the view decide whether to display the homepage for a logged in user, or the login page if they aren't logged in (by checking the user's role). Maybe not the best solution, but it doesn't seem terrible.

Single responsibility

Your session object is doing too many things. Sessions are more or less persistence across requests. The session shouldn't be doing authentication logic. Store the identifier of the logged in user in the session, but the actual validation and logging in/out should be done in an authentication service.

Route management

Importing different routes based on the user's authentication status will not scale and will be a pain to debug later when you have a lot more routes. It is better to define the routes in one place and use the authentication service to redirect if the user is not authorized. I'm not familiar with the router, but looking at the documentation you should be able to do

$router->respond(function ($request, $response, $service, $app) {
    // lazily register the authentication service on the app object
    $app->register('auth', function () {
        return new authservice();
    });
});

Then on routes that need the user to be logged in you can do something like

$router->respond('GET', '/resource', function ($request, $response, $service, $app) {
    if ( ! $app->auth->authenticate() )
        return $response->redirect('/login', 401);
    // ...
});
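Here is an added, self-contained example (not code from the question or the answer) of the split the answer recommends, applied to the three checks from the question and the role-based dispatch from the updated index.php: the session holds only a user id and a last-activity timestamp, an authentication service owns the ip whitelist, the two-hour idle limit and the database lookup of the stored user, and a single route table plus an ACL decides where an unauthorized request is sent. The class names (SessionStore, UserRepository, InMemoryUserRepository, AuthenticationService), the routeFor() helper, the sample user and the ACL table are all assumptions made for this illustration; the in-memory store stands in for $_SESSION so the script runs from the CLI without a web server or database.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. All class names,
// the sample user, the ip whitelist and the ACL table are constructed.

/** Minimal stand-in for $_SESSION so the example runs from the CLI. */
final class SessionStore
{
    private array $data = [];
    public function get(string $key, mixed $default = null): mixed { return $this->data[$key] ?? $default; }
    public function set(string $key, mixed $value): void { $this->data[$key] = $value; }
    public function destroy(): void { $this->data = []; }
}

interface UserRepository
{
    public function findById(int $id): ?array;
}

/** Constructed sample data standing in for the users table. */
final class InMemoryUserRepository implements UserRepository
{
    private array $users = [7 => ['id' => 7, 'name' => 'alice', 'role' => 'member']];
    public function findById(int $id): ?array { return $this->users[$id] ?? null; }
}

/** Owns every authentication decision; the session only carries an id and a timestamp. */
final class AuthenticationService
{
    private const IDLE_LIMIT = 2 * 60 * 60; // two hours of inactivity, as in the question

    public function __construct(
        private SessionStore $session,
        private UserRepository $users,
        private array $ipWhitelist,
    ) {}

    /** Returns the role to feed the ACL: 'blocked', 'guest' or the stored user's role. */
    public function authenticate(string $clientIp, int $now): string
    {
        if (!in_array($clientIp, $this->ipWhitelist, true)) {
            $this->session->destroy();
            return 'blocked';
        }
        $last = $this->session->get('last_activity');
        if ($last !== null && $now - $last > self::IDLE_LIMIT) {
            $this->session->destroy();   // expire the whole session, not just a flag
            return 'guest';
        }
        $this->session->set('last_activity', $now);

        $userId = $this->session->get('user_id');
        if ($userId === null) {
            return 'guest';
        }
        // Reload the user on every request: a deleted or demoted account takes
        // effect immediately instead of being trusted from stale session data.
        $user = $this->users->findById((int) $userId);
        if ($user === null) {
            $this->session->destroy();
            return 'guest';
        }
        return $user['role'];
    }

    public function login(int $userId, int $now): void
    {
        // With real PHP sessions, call session_regenerate_id(true) here so the
        // pre-login session id is not carried into the authenticated session.
        $this->session->destroy();
        $this->session->set('user_id', $userId);
        $this->session->set('last_activity', $now);
    }
}

/** One route table plus an ACL lookup; unauthorized requests are rewritten, not re-routed. */
function routeFor(string $role, string $resource, string $command, array $acl): array
{
    if (in_array($command, $acl[$role][$resource] ?? [], true)) {
        return [$resource, $command];
    }
    return $role === 'blocked' ? ['error', 'index'] : ['session', 'index'];
}

// Constructed ACL: role => resource => allowed commands.
$acl = [
    'guest'  => ['session' => ['index', 'login']],
    'member' => ['session' => ['index', 'logout'], 'orders' => ['index', 'show']],
];
$auth = new AuthenticationService(new SessionStore(), new InMemoryUserRepository(), ['10.0.0.5']);

$t = 1_700_000_000; // constructed clock value
foreach ([
    ['10.0.0.5',  $t,         'before login'],
    ['10.0.0.5',  $t + 60,    'after login'],
    ['10.0.0.5',  $t + 7_300, 'after two hours idle'],
    ['192.0.2.9', $t + 7_400, 'from a non-whitelisted ip'],
] as $i => [$ip, $now, $label]) {
    if ($i === 1) { $auth->login(7, $now); }
    $role = $auth->authenticate($ip, $now);
    [$res, $cmd] = routeFor($role, 'orders', 'show', $acl);
    printf("%-26s role=%-7s -> %s#%s\n", $label, $role, $res, $cmd);
}
```

Run with `php example.php`: the request for orders#show is rewritten to session#index before login and again after the idle limit has passed, dispatched as orders#show while the member session is live, and rewritten to error#index for the non-whitelisted address. Because the route table is fixed and only the role changes, there is one place to read when debugging a wrong redirect, which is the scaling argument made in the answer.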
