AquaSolid - 4 months ago
JSON Question

Angular.js and PHP: Keeping login information when page refresh

A user can use the login.html form, which uses a submit button that calls an Angular post method and sends the username/email and password to login.php, where a MySQL table is stored. The rest of the user's information is gathered from the table and stored in $_SESSION; the session is JSON-encoded and sent back to angular.js.

Angular AuthController

app.controller("AuthController", function($scope, $http, $rootScope, $window) {

    $scope.ctlr = 'Auth';

    // Called by the submit button on login.html
    $scope.ngPOSTLogin = function() {
        var data = {
            UserName: $scope.UserName,
            Password: $scope.Password
        };
        // login.php answers with the JSON-encoded session (see the Edit below)
        $http.post('server/auth/login.php', JSON.stringify(data))
            .then(function(result) {
                $rootScope.user = result.data;
                //$window.sessionStorage['$rootScope.user'] = JSON.stringify($rootScope.user);
            });
    };
});


Now, if a user refreshes the page, the $rootScope gets refreshed as well, meaning the login data is lost. Using $window.sessionStorage saves the entire JSON object (with the password), which shows that it should probably be encrypted.
The question is simple: how can I retain the user's login information even if they reload the page? I don't want to use someone's GitHub projects (such as ngStorage).
My entire project -
https://github.com/AquaSolid/RAMA_Angular_PHP

Edit

This is an example of what login.php returns

{"ID":"3","UserName":"TommyGun","FirstName":"Tommy","LastName":"Larson","Email":"tommy.larson@gmail.com","Logged":true}


The password is never returned; I made a mistake while writing the question, sorry.

Answer

Why store the password in the browser? The app doesn't need it. The user doesn't need it. The server doesn't need it. It's just a security hole with no upside.

When the user logs in, don't send back all of the info in the DB record. Only send back what the app needs to function. The rest can remain in Session.

As for your question about refreshing: session or local storage is the way to go. On the server side, store a last_seen timestamp in $_SESSION. Refresh it every time the user makes a new request. If the user hasn't been seen for a while, it will not be refreshed. So all you have to do is check whether $_SESSION['last_seen'] is within the last 20 minutes or whatever. If it's too far into the past, call session_destroy() and require a new login.
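The following is an added example, not code from the question or from the RAMA_Angular_PHP project, and it uses plain JavaScript rather than Angular so it runs under Node. It ties the two points above together: it keeps only the fields the app needs from the login.php response (the `ALLOWED_FIELDS` list mirrors the JSON shown in the question's Edit; the storage key `rama.user` and the `Password` field in the sample are assumptions), stores that profile in a sessionStorage-like object together with a `savedAt` timestamp, and on restore discards the snapshot if it is malformed, not logged in, or older than the answer's 20-minute idle limit. Because anything in browser storage can be edited by the user, this client-side timestamp only decides what the UI shows after a refresh; the server's `$_SESSION['last_seen']` check remains the authority on whether the session is valid.

```javascript
// Added example (not from the question or the RAMA_Angular_PHP project).
// Keeps a login across a page refresh without writing the password to
// browser storage, and drops a stale snapshot the way the answer's
// server-side last_seen check does.

// Fields the app actually needs; matches the login.php response in the question.
const ALLOWED_FIELDS = ['ID', 'UserName', 'FirstName', 'LastName', 'Email', 'Logged'];
const IDLE_LIMIT_MS = 20 * 60 * 1000; // the answer's "within the last 20 minutes"
const STORAGE_KEY = 'rama.user';      // assumed key name

// Copy only whitelisted fields; anything else (a Password, a hash, ...) is dropped.
function pickProfile(loginResponse) {
  const profile = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(loginResponse, key)) {
      profile[key] = loginResponse[key];
    }
  }
  return profile;
}

// Persist a snapshot with the time it was saved (client-side counterpart of last_seen).
function saveSession(storage, loginResponse, now) {
  const snapshot = { user: pickProfile(loginResponse), savedAt: now };
  storage.setItem(STORAGE_KEY, JSON.stringify(snapshot));
  return snapshot.user;
}

// Restore after a refresh. Returns the profile, or null when the snapshot is
// missing, malformed, marked not logged in, or idle for longer than the limit.
function restoreSession(storage, now) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let snapshot;
  try {
    snapshot = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(STORAGE_KEY); // tampered or corrupted: start over
    return null;
  }
  const valid = snapshot && typeof snapshot.savedAt === 'number' &&
    snapshot.user && snapshot.user.Logged === true;
  if (!valid || now - snapshot.savedAt > IDLE_LIMIT_MS) {
    storage.removeItem(STORAGE_KEY);
    return null;
  }
  // Touch the snapshot so activity extends the window, like refreshing
  // last_seen on every request.
  storage.setItem(STORAGE_KEY, JSON.stringify({ user: snapshot.user, savedAt: now }));
  return snapshot.user;
}

// Minimal in-memory stand-in for window.sessionStorage so the example runs under Node.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample: the login.php response quoted in the question, plus a
// Password field added here only to show that it is stripped before storage.
const SAMPLE_LOGIN = {
  ID: '3', UserName: 'TommyGun', FirstName: 'Tommy', LastName: 'Larson',
  Email: 'tommy.larson@gmail.com', Logged: true, Password: 'hunter2',
};

// Walk through login, a refresh 5 minutes later, and a refresh after the idle limit.
function demo() {
  const storage = memoryStorage();
  const t0 = 1700000000000; // constructed login time in ms
  const saved = saveSession(storage, SAMPLE_LOGIN, t0);
  const rawHasPassword = storage.getItem(STORAGE_KEY).includes('hunter2');
  const afterRefresh = restoreSession(storage, t0 + 5 * 60 * 1000);
  const afterIdle = restoreSession(storage, t0 + 5 * 60 * 1000 + IDLE_LIMIT_MS + 1);
  return { saved, rawHasPassword, afterRefresh, afterIdle };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the controller from the question, the `.then` callback would call `saveSession($window.sessionStorage, result.data, Date.now())` instead of storing `result.data` wholesale, and an `app.run` block would call `restoreSession($window.sessionStorage, Date.now())` to repopulate `$rootScope.user` on load. The server still authenticates every request from its own session cookie and `last_seen`, so a forged or extended snapshot in the browser only changes what the page displays, not what the user is allowed to do.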
