Overview

The AuthController handles user authentication, login/logout operations, and session management for the School Management Platform. File Location: app/controllers/AuthController.php

Methods

login()

Displays the login page or redirects authenticated users to their dashboard.
Behavior:
  • Checks if user is already logged in via session
  • If authenticated, redirects to role-based dashboard
  • If not authenticated, renders the login view
Code Example:
public function login()
{
    // If already logged in, redirect immediately
    if (isset($_SESSION['user'])) {
        $role = $_SESSION['user']['role'];
        header("Location: /school_management/public/index.php/dashboard/$role");
        exit;
    }

    require_once __DIR__ . '/../views/auth/login.php';
}

authenticate()

Processes login credentials and creates the user session.
Parameters:
  • email (string, required): User's email address (from POST request)
  • password (string, required): User's password (from POST request)
Behavior:
  1. Validates email and password against database
  2. Verifies password using password_verify()
  3. Regenerates session ID to prevent session fixation attacks
  4. Stores user data in session (id, name, email, role)
  5. Records last activity timestamp
  6. Redirects to role-based dashboard
Security Features:
  • Password hashing verification
  • Session regeneration after login
  • Session fixation prevention
Code Example:
public function authenticate()
{
    require_once __DIR__ . '/../models/User.php';

    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    $userModel = new User();
    $user = $userModel->findByEmail($email);

    if (!$user || !password_verify($password, $user['password'])) {
        echo "Invalid email or password";
        return;
    }

    // Regenerate session ID after successful login (prevents session fixation)
    session_regenerate_id(true);

    // STORE SESSION
    $_SESSION['user'] = [
        'id' => $user['id'],
        'name' => $user['name'],
        'email' => $user['email'],
        'role' => strtolower($user['role']),
    ];

    // Save last activity time
    $_SESSION['LAST_ACTIVITY'] = time();

    // REDIRECT
    header("Location: /school_management/public/index.php/dashboard/{$_SESSION['user']['role']}");
    exit;
}
Response:
  • Success: Redirects to /dashboard/{role}
  • Failure: Displays “Invalid email or password” message

logout()

Terminates the user session and redirects to the login page.
Behavior:
  1. Clears all session variables
  2. Destroys the session
  3. Redirects to login page
Code Example:
public function logout()
{
    // Remove all session variables, then destroy the server-side session data
    session_unset();
    session_destroy();

    // Note: session_destroy() does not remove the session cookie from the
    // browser; the PHP manual's logout example also expires it with setcookie().

    header("Location: /school_management/public/index.php/login");
    exit;
}

Session Structure

After successful authentication, the session contains:
$_SESSION['user'] = [
    'id' => 123,                    // User ID
    'name' => 'John Doe',           // Full name
    'email' => 'john@example.com',  // Email address
    'role' => 'student'             // Role (admin/teacher/student)
];
$_SESSION['LAST_ACTIVITY'] = 1234567890; // Unix timestamp
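The controller records LAST_ACTIVITY at login but nothing on this page checks it. The guard below is an added example, not part of AuthController, showing how another controller could consume the documented session layout to enforce login, an idle timeout and a role requirement; the function name requireLogin, the 30-minute timeout and the controller usage line are assumptions.

```php
<?php
// Added example (not part of AuthController): a guard that other controllers
// can call before rendering a protected page. It relies only on the session
// layout documented above: $_SESSION['user'] and $_SESSION['LAST_ACTIVITY'].
// The idle timeout value and the function name are assumptions.

const SESSION_IDLE_TIMEOUT = 1800; // assumed: 30 minutes of inactivity

/**
 * Ensure the request comes from a logged-in (and optionally role-matched) user.
 * Redirects to the login page otherwise; returns the session user on success.
 */
function requireLogin(?string $requiredRole = null): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $loginUrl = '/school_management/public/index.php/login';

    // Not authenticated at all (or session missing the fields authenticate() writes).
    if (!isset($_SESSION['user'], $_SESSION['LAST_ACTIVITY'])) {
        header("Location: $loginUrl");
        exit;
    }

    // Idle timeout: LAST_ACTIVITY is written at login but has to be checked
    // (and refreshed) on every protected request to be useful.
    if (time() - (int) $_SESSION['LAST_ACTIVITY'] > SESSION_IDLE_TIMEOUT) {
        session_unset();
        session_destroy();
        header("Location: $loginUrl");
        exit;
    }
    $_SESSION['LAST_ACTIVITY'] = time();

    // Role check: authenticate() stores the role lower-cased, so compare the same way.
    if ($requiredRole !== null && $_SESSION['user']['role'] !== strtolower($requiredRole)) {
        http_response_code(403);
        exit('Forbidden');
    }

    return $_SESSION['user'];
}

// Usage in a controller action (assumed): only teachers may reach this page.
// $user = requireLogin('teacher');
```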