Generating Tokens
Token generation is handled by the Trongate_tokens module. This page shows you how to access it and create tokens for authenticated users.
No Module Loading Required
In Trongate v2, you don't need to explicitly load modules before using them.
Just call the module directly:
The framework's magic __get() method handles module loading automatically.
Trongate v1 users: The old $this->module('trongate_tokens') pattern is gone. Just use $this->trongate_tokens directly.
Method Name Changes from v1
All methods in the Trongate_tokens module have been renamed in v2. The underscore prefix is gone.
| v1 Method Name | v2 Method Name |
|---|---|
_generate_token() |
generate_token() |
_attempt_get_valid_token() |
attempt_get_valid_token() |
_get_user_id() |
get_user_id() |
get_user_obj() |
get_user_obj() |
_get_user_level() |
get_user_level() |
_destroy() |
destroy() |
_delete_old_tokens() |
delete_old_tokens() |
All methods are still public but are protected from direct URL access via block_url().
This means you can call them from your code, but visiting /trongate_tokens/generate_token in a browser returns 403 Forbidden.
Generating Tokens
Use the method to create authentication tokens.
Method Signature
Required Parameters
The $data array must contain:
- user_id (int) - The
idfrom thetrongate_userstable
Optional Parameters
- expiry_date (int) - Unix timestamp for when the token expires. Default: current time + 86400 seconds (24 hours)
- set_cookie (bool) - If
true, store token in a cookie. Iffalseor omitted, store in session - code (string) - Internal code for special use cases (rarely used)
Return Value
Returns a string containing the generated 32-character token.
Basic Example: Session Token
Generate a token that lasts 24 hours and stores in the session:
This is the most common pattern. The token:
- Expires in 24 hours (default)
- Stores in
$_SESSION['trongatetoken'] - Stores in the
trongate_tokensdatabase table
Custom Expiry: 30-Day Token
For "remember me" functionality, create a longer-lived token:
Still stores in session by default.
Cookie Storage: Persistent Login
Store the token in a cookie so it persists across browser sessions:
The token now stores in $_COOKIE['trongatetoken'] and persists even after the browser closes.
Complete Login Example
Here's a realistic login controller that validates credentials and generates a token:
This example assumes you have a members table with columns: id, username, password, first_name, last_name, and trongate_user_id.
What Happens Behind the Scenes
When you call , the framework:
- Generates a random 32-character string using
- Sets the expiry date (either your custom value or default 86400 seconds)
- Inserts a row into the
trongate_tokenstable with:token- The random stringuser_id- From your$dataarrayexpiry_date- Unix timestamp
- Stores the token on the user's device:
- If
set_cookieistrue→ stores in$_COOKIE['trongatetoken'] - Otherwise → stores in
$_SESSION['trongatetoken']
- If
- Returns the token string
Default Token Lifespan
If you don't specify an expiry_date, tokens default to 86400 seconds (24 hours).
This default is defined in the Trongate_tokens_model class:
You can modify this value if you want different default behavior.
Security Notes
- Never expose tokens in URLs - Always use sessions or cookies
- Use HTTPS - Tokens are random strings but not encrypted
- Set appropriate expiry dates - Shorter for sensitive operations, longer for convenience
- Hash passwords - Always use
password_hash()before storing passwords in your database
Common Patterns
Standard Login (Session, 24 Hours)
Remember Me (Cookie, 30 Days)
Short-Lived Token (1 Hour)
What's Next
Now that you know how to generate tokens, the next page covers:
- Validating tokens with
- Fetching user data from tokens
- Checking user levels