Authentication
Authentication in Pox follows the usual pattern for session-based logins. When a user attempts to log in, the Auth class checks the username/password combination against the database and, on success, starts a server-side session.
The only feature of note here is the implementation of long-lived sessions. When logging in, the user has the option of staying logged in for a long period, usually offered as a checkbox labeled "Keep me logged in" or "Remember me".
When the user logs in with this option, a persistent cookie is set containing a session token. The token is a hash of a random ID and the user's IP address, and the token is stored in the database. Mixing the IP address into the token is meant to stop someone who intercepts the cookie from replaying it from another machine. Two caveats apply. First, because only the hash is stored and the presented token is compared byte-for-byte with it, the IP address is not actually re-checked unless it is stored and compared separately when the token is presented; the random ID is the token's only real secret and must come from a cryptographically secure source. Second, an attacker behind the same NAT or proxy presents the same address anyway, so the real protection against cookie theft in transit is serving the site over HTTPS and setting the cookie with the Secure and HttpOnly flags.
When the user's session cookie expires (default: when the browser is closed) or the server-side session is garbage-collected (default: 24 minutes, the PHP session.gc_maxlifetime default of 1440 seconds) and the user returns, no session cookie is found. The persistent cookie's session token is then read and verified against the database. If a matching row is found, the user is logged in automatically and a fresh session is started.
When the user logs out, both the persistent cookie and the corresponding row in the sessions table are deleted, so the old token cannot be replayed afterwards.
The Auth class assumes the following database tables. Note that the sessions table uses user_id as its primary key, so each user has at most one remember-me token at a time: logging in with "Remember me" from a second browser replaces the first token, and the first browser's cookie stops working.
auth.sql
CREATE TABLE IF NOT EXISTS `users` (
  `user_id` int(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `email` varchar(100) NOT NULL,
  `salt` char(8) DEFAULT NULL,
  `password` varchar(50) DEFAULT NULL,
  `created_dt_tm` datetime NOT NULL,
  `last_updated_dt_tm` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `email` (`email`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `sessions` (
  `user_id` int(11) UNSIGNED NOT NULL,
  `session_token` varchar(45) NOT NULL,
  `last_updated_dt_tm` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`user_id`),
  KEY `session_token` (`session_token`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
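The remember-me flow described above, put together as a runnable sketch. This is an added example written for this page, not Pox's own Auth class: it uses an in-memory SQLite database through PDO in place of the MySQL tables in auth.sql, and the cookie name, its lifetime, the `user_id:token` cookie layout and the extra `client_ip` column are assumptions made here. It keeps the text's token construction (hash of a random ID and the client address) but also stores the address, so that the binding the text intends is actually enforced at verification time; the check can be switched off to show that without it the same cookie is accepted from any address.

```php
<?php
// Added example, not Pox's own Auth class. Cookie name, lifetime, the "user_id:token"
// cookie layout and the client_ip column are assumptions made for this example.

const REMEMBER_COOKIE  = 'pox_remember';      // assumed cookie name
const REMEMBER_SECONDS = 30 * 24 * 60 * 60;   // assumed lifetime: 30 days

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');                 // in-memory stand-in for the MySQL tables
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // SQLite version of `sessions` from auth.sql. PRIMARY KEY (user_id) means one
    // remember-me token per user. Differences from auth.sql: session_token is TEXT,
    // because a hex SHA-256 is 64 chars (wider than varchar(45)), and client_ip is
    // added so the address can actually be re-checked when the token is presented.
    $db->exec('CREATE TABLE sessions (
        user_id            INTEGER PRIMARY KEY,
        session_token      TEXT NOT NULL,
        client_ip          TEXT NOT NULL,
        last_updated_dt_tm TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    return $db;
}

// Token = hash(random ID . client IP), as the text describes. All the unguessability
// comes from the 128 random bits; hashing the IP in binds nothing by itself, since
// the server never recomputes the hash from the current request.
function makeToken(string $clientIp): string
{
    return hash('sha256', random_bytes(16) . '|' . $clientIp);
}

// Login with "Remember me": store the token, set the persistent cookie, return its value.
function issueRememberCookie(PDO $db, int $userId, string $clientIp): string
{
    $token = makeToken($clientIp);
    // INSERT OR REPLACE: a later login from another device overwrites the earlier token.
    $db->prepare('INSERT OR REPLACE INTO sessions (user_id, session_token, client_ip)
                  VALUES (?, ?, ?)')->execute([$userId, $token, $clientIp]);
    $value = $userId . ':' . $token;   // user_id lets verification look up by primary key
    if (PHP_SAPI !== 'cli') {          // no headers to send when run from the command line
        setcookie(REMEMBER_COOKIE, $value, [
            'expires'  => time() + REMEMBER_SECONDS,
            'path'     => '/',
            'secure'   => true,        // never sent over plain HTTP
            'httponly' => true,        // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Returning visitor with no live session: returns the user_id to log in, or null.
function verifyRememberCookie(PDO $db, string $cookie, string $clientIp, bool $checkIp = true): ?int
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                   // malformed or tampered cookie
    }
    $stmt = $db->prepare('SELECT session_token, client_ip FROM sessions WHERE user_id = ?');
    $stmt->execute([(int) $m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // no token on record (logged out)
    }
    if (!hash_equals($row['session_token'], $m[2])) {  // constant-time; known value first
        return null;
    }
    if ($checkIp && $row['client_ip'] !== $clientIp) { // the IP check the hash alone does not give
        return null;
    }
    return (int) $m[1];
}

// Logout: delete the row and expire the cookie.
function forgetRememberCookie(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$userId]);
    if (PHP_SAPI !== 'cli') {
        setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    }
}

function expect(?int $got, ?int $want, string $case): void
{
    if ($got !== $want) {
        throw new RuntimeException("$case failed: got " . var_export($got, true));
    }
    echo "$case: ok\n";
}

// Walk-through with constructed addresses (run with: php remember.php).
$db     = openDb();
$cookie = issueRememberCookie($db, 42, '203.0.113.7');
expect(verifyRememberCookie($db, $cookie, '203.0.113.7'), 42, 'same address');
expect(verifyRememberCookie($db, $cookie, '198.51.100.9'), null, 'replay from another address');
expect(verifyRememberCookie($db, $cookie, '198.51.100.9', false), 42, 'replay with IP check off');
expect(verifyRememberCookie($db, '42:' . str_repeat('0', 64), '203.0.113.7'), null, 'forged token');
forgetRememberCookie($db, 42);
expect(verifyRememberCookie($db, $cookie, '203.0.113.7'), null, 'after logout');
```

The one-token-per-user property of the sessions schema carries over: issuing a second token for user 42 would replace the first, and the earlier cookie would stop verifying. The cookie's Secure and HttpOnly flags do more against cookie theft than the IP component does, since an attacker behind the same NAT or proxy presents the client's address.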
Authorization
TBD