Very simple user authentication and session management with MySQL & PHP

23 Feb 2010, 7:59 AM

I keep coming back to ExtJS because it just looks so good! My problem is I'm trying to reproduce the functionality of a simple website which consists of a basic user-login and then dynamic content delivered based on SESSION variables in PHP and I just can't seem to do this in ExtJS.

I have implemented the login as described here (http://www.extjs.com/learn/Tutorial:Basic_Login) and that works fine, I can then set the session vars in my PHP authentication script, but I still don't know how to query the session vars in ExtJS.

Does anyone have a really noddy example they can point me at?



23 Feb 2010, 9:06 AM
ExtJS is client-side, so the only thing you could do is put the SESSION information from your PHP page into a cookie and read it that way.

More information (like code examples) of what you are trying to achieve would help someone describe a solution or enumerate an example.

Mike Robinson
23 Feb 2010, 2:06 PM
Session variables only exist on the server. The only thing that the client has is a session-id token or "cookie," whose contents mean nothing to him.

You could write a couple of AJAX methods which would allow the client to query or to set session variables. (You should use great care, however, to avoid opening yourself up to "injection attacks." You must never trust the client side. You really never know who you're actually talking to. Do not make it possible for the client to "arbitrarily" set or to query session variables using your API.)

24 Feb 2010, 12:45 AM
Hi guys,

Thanks for your replies. I think this is my fundamental misunderstanding in the whole of this. What I'm trying to do isn't particularly difficult or unorthodox. I just want the ability for people to login to my site; the authentication is conducted by PHP from a MySQL table query.

Once logged in, I want to be able to dynamically alter any content displayed according to the user that's logged in, and this is where I am struggling to get my head around the client vs server asynchronous side of things.

If we assume a user is successfully logged in and a server side session variable set, do I then bind the datasource of a grid, for example to the output of a PHP script which first checks the session variable before returning the relevant data? I think this is where I'm getting confused.

What if I want to have actually different extjs components available depending on whether the user is logged in or not, how can this be done without a complete reload of the page after logging in?


24 Feb 2010, 2:22 AM
What I'm trying to do isn't particularly difficult or unorthodox. I just want the ability for people to login to my site; the authentication is conducted by PHP from a MySQL table query.

No, it's not difficult at all. If the login is successful, return the user specific info, options, etc with the reply from the server. Since different components are loaded depending upon the info sent from the server, don't load anything until you get the information from the server (use a callback function).

24 Feb 2010, 12:32 PM
I have a similar need and I am searching for a "best practice" approach to session management. I am using ExtJS 3.1 and ColdFusion. Are there any pointers as to how to approach the synchronization of client/server session management?
Thanks in advance.

24 Feb 2010, 12:55 PM
I don't want to discourage conversation on the subject, but I'd go back to Mike Robinson's post and read it again. The thing you are asking seems a little off. I don't think the idea of synchronizing the session between the server and the client would be considered best practice.

If you were doing a straight HTML/ColdFusion app, would you output all of the session variables into an html comment on every page? I don't think you would. You send information to the page when it's needed. Same thing here: if your app needs a piece of information from the session then use an AJAX request to get it or send it along with other info you are already retrieving. It doesn't require a page reload: it's AJAX.

To clarify something that Mike said and we should all know: with any framework I know of, your session information is not actually stored in the session cookie. The session information is stored on the server and the browser gets a cookie so that the server can match the browser making the request with the session info on the server. There's no way Ext can look into that cookie and get session information you've stored because it's not there. It's on the server, so that's where you have to get it.

In terms of best practice, assume your client is hopelessly exploited. Assume every request to your server app is a hack attempt and write your backend accordingly. Let's say you want to deactivate certain controls based on a user level. You can send that flag to the client, but you can't count on it. It's cosmetic: your Ext code is still there and I could easily just change the user level in Firebug. If you aren't checking something like this at the server then it's like not checking it at all.

Mike Robinson
24 Feb 2010, 1:34 PM
Here is my usual "AJAX analogy."

You talk to your Rich Uncle by means of sending postcards. When you want Uncle to do something, or to tell you something or what-have-you, you write the message on a postcard and drop it in the mail. The postcard has two phone-numbers on it: "if it works, call ... and if it doesn't work, instead call ..." Eventually, perhaps days or weeks later, one of the two phones will ring... To continue this rather perverse point... "only your Uncle" knows what a session-variable's value currently is. (The only part that you play in the process is that you are obliged to include a weird, random-looking string of characters ... neatly contained in a yummy box of cookies! ... with every postcard that you send.) If you can talk your Uncle into it, you can arrange for him to respond favorably to a request, "Please send me the current value of variable X," and perhaps to a similar request to alter it, but in any case you have no direct access to anything: you only have those postcards.

Now, for the "food for thought" question. Uncle is well-secured and trustworthy, but you are in the wild-and-wooly Internet and responding to requests from who-knows-what. Postcards, furthermore, can be faked. So, think carefully ... exactly what do you want your Uncle to agree to do, when given the proper postcard? What are the potential risks?

Usually, the safest bet is, "Uncle knows best." Or maybe, "playing poker." No one can look over his shoulder. Ask him only questions ... that is, have him answer only questions ... that he can verify. Program the "Uncle" to be skeptical, dis-trusting. Have him hold his cards close to his chest; his expression, inscrutable.

You're somewhat safer (so to speak) in an Intra-net, but always bear in mind that the client-side can be Assimilated into the Borg Collective. Zapped with a phaser and replaced with a "bot" that responds perfectly to anything that "Uncle" may ask ... but now, hostile. After all, every scrap of your client-side source code is either known or easily knowable. "Uncle" will be attacked in this way.