Well, I'm building a WebApp where I have a login page before accessing the app, and inside the app I have some areas with restrictions. The WebApp is running all right, but I ended up getting stuck in the process of logging in and authenticating. The WebApp is based only on AngularJS and PHP, with a database on MySQL.
What I have:
So far I'm using a simple login with authentication through PHP. I can log in and view the WebApp only if I am logged in. Okay. But I cannot go any further than that. A brief example of the code I'm using:

index.php

```php
<?php session_start();
include ('dist/php/config.php');

// "?out" in the query string logs the user out.
if(isset($_GET['out'])){
    session_destroy();
    back("#");
}

// Login form submitted: look the user up with the helper from config.php.
if((!empty($_POST['user'])) && (!empty($_POST['password']))){
    $p = ['user'=>$_POST['user'], 'password'=>$_POST['password']];
    // The submitted password is compared in plaintext against the stored value.
    $r = sql("select * from users where user= :user and password = :password",$p);
    if($r != 0){
        foreach($r as $ln){
            $_SESSION['loggedin']=$ln['name_user'];
        }
    } else {
        $msg = "<div class='login_fb'><p>User or password incorrect</p></div>";
    }
}

// Logged in: render the app; otherwise render the login page.
if(!empty($_SESSION['loggedin'])){
    include "system.php";
} else { ?>
<head>
<meta charset="UTF-8" />
[... rest of the head ...]
</head>
<body>
[... rest of the body with the login form ...]
</body>
<?php } ?>
```
The route system I use in the app is ui-router.

The problem I have faced so far is doing the user authentication and keeping this data for future use. Data such as the user name, id, and the permission category that was entered. And keeping this data even after a refresh of the page.
My goal
What I intend is the following:

- Log in to the WebApp;
- Keep the user's data (as previously mentioned) for future use on the other pages and in the various actions that the user can do;
- Make it possible to refresh the page or close the tab and return later without losing the login (nor the user data);
- Control user access. Ex: release page X only if the user is of the category "Super Admin";
- Make it impossible to access without going through the form. Example: you cannot access the page by typing directly into the URL; return "You do not have permission" or "You must be logged in.";
I even found some examples and tutorials on the internet, but they are either too complex, or lack clear documentation to follow, or in some cases have some pretty harmful flaws. The best content I found was this one, but the explanation already starts at a more advanced point. I needed more guidance in the initial steps.

For example, how to validate the login based on the data of the form and then keep this in cache / cookies (would that be it?) and then proceed with some areas described in the guide linked above.

I also found a reference recommending the use of $cookies ($cookieStore was deprecated, according to the docs) this way:

```javascript
// Reads the credentials back from cookies on startup and logs in again.
app.run(['$cookieStore', 'loginService', function($cookieStore, loginService){
    var username = $cookieStore.get('username');
    var password = $cookieStore.get('password');
    loginService.login(username, password);
}]);
```

But is it correct / advisable to use it this way? Because we are manipulating the password variable within Angular, couldn't this be a risk to the security of the user's login? As far as I know, it's not ideal.
What I need to know:
- Is this login template (using that PHP code) I am using the recommended one? Is there any better or more suitable one for my purpose?
- How can I prevent the user from accessing any page of the WebApp without having gone through the login process? (I believe this will be automatically answered if I can handle the login with the cached data for use in future sessions.)
- How can I store this client data (as well as the login) so that when they return to the page, they stay logged in?
- This data needs to be kept in all page change / exit scenarios, as long as there is no exit through Logout.

Finally, that's it. I believe that with the information for the initial handling I will have a direction to proceed with the WebApp.
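The following is an added example, not code from the question or from any library it mentions. It shows the server side of a session-based login that answers the two concerns above: passwords are verified against a stored hash and never kept in a cookie, and the client restores its state after a refresh by asking the server (`?action=session`) rather than by re-sending credentials from `$cookieStore`. It assumes PHP 7.3 or later, a PDO connection, and a `users` table with columns `id`, `user`, `password_hash` (produced by `password_hash()` at signup), `name_user` and `role`; the post's `sql()` and `back()` helpers are not used.

```php
<?php
// auth.php: added example (not the original post's code). Assumes a `users`
// table (id, user, password_hash, name_user, role) and PHP >= 7.3.
declare(strict_types=1);

// Session cookie is HttpOnly (not readable from JavaScript), sent only over
// HTTPS and not on cross-site requests. Must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();
header('Content-Type: application/json');

// Constructed connection settings for this example; replace with real ones.
$pdo = new PDO('mysql:host=localhost;dbname=webapp;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Sends a JSON response with the given HTTP status and stops the script.
function json_out(int $status, array $body): void {
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Public part of the logged-in user (id, name, role), or null if nobody is logged in.
function current_user(): ?array {
    return $_SESSION['user'] ?? null;
}

// Server-side access control: 401 when not logged in, 403 when the role is wrong.
function require_role(array $allowed): array {
    $u = current_user();
    if ($u === null) {
        json_out(401, ['error' => 'You must be logged in.']);
    }
    if (!in_array($u['role'], $allowed, true)) {
        json_out(403, ['error' => 'You do not have permission.']);
    }
    return $u;
}

switch ($_GET['action'] ?? '') {
    case 'login':
        $user = $_POST['user'] ?? '';
        $pass = $_POST['password'] ?? '';
        // Prepared statement: the username is bound, never interpolated into SQL.
        $stmt = $pdo->prepare('SELECT id, name_user, role, password_hash FROM users WHERE user = :user');
        $stmt->execute(['user' => $user]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // password_verify() compares against the stored hash; the plaintext
        // password is only in memory for this request and is never stored.
        if ($row === false || !password_verify($pass, $row['password_hash'])) {
            json_out(401, ['error' => 'User or password incorrect']);
        }
        // Fresh session id on login prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['user'] = [
            'id'   => (int) $row['id'],
            'name' => $row['name_user'],
            'role' => $row['role'],
        ];
        json_out(200, ['user' => $_SESSION['user']]);

    case 'session':
        // Called by the client on startup or after a refresh to restore its
        // user data from the server session instead of from its own cookies.
        $u = current_user();
        if ($u === null) {
            json_out(401, ['error' => 'You must be logged in.']);
        }
        json_out(200, ['user' => $u]);

    case 'logout':
        $_SESSION = [];
        session_destroy();
        json_out(200, ['ok' => true]);

    case 'admin-data':
        // A role-restricted resource: only "Super Admin" may read it, and the
        // check happens here, regardless of what the client-side router shows.
        $u = require_role(['Super Admin']);
        json_out(200, ['data' => 'visible to super admins only', 'for' => $u['name']]);

    default:
        json_out(404, ['error' => 'unknown action']);
}
```

On the AngularJS side this means no credentials are ever written to a cookie: the browser carries the HttpOnly session cookie automatically, so an `app.run` block can call `auth.php?action=session` with `$http` to repopulate the user's name, id and role after a refresh, and a ui-router `resolve` can redirect to the login state when that call returns 401. The client-side state restriction only improves the user experience; the `require_role()` check on each protected endpoint is what actually enforces "Super Admin"-only access, because the URL can always be requested directly.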