Validating and Fetching User Data
Once a token is generated, you need to validate it on protected pages and fetch information about the authenticated user. This page covers token validation and data retrieval.
Validating Tokens
Use the attempt_get_valid_token() method to check if a user has a valid token.
Method Signature
Parameters
- $user_levels (optional) - Filter by user level:
  - null - Accept any user level (default)
  - int - Accept only one specific user level
  - array - Accept multiple user levels
Return Value
Returns the token string if valid, or false if no valid token is found.
How It Works
The method searches for tokens in this order:
- Cookies - $_COOKIE['trongatetoken']
- Session - $_SESSION['trongatetoken']
The first valid token found is returned. A token is considered valid if:
- It exists in the trongate_tokens database table
- Its expiry_date is greater than the current time
- The user's level matches the specified $user_levels (if provided)
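The lookup order and validity rules above, written out as a stand-alone PHP illustration that is added here and is not Trongate's implementation. The function names, the in-memory $token_rows array standing in for the trongate_tokens table, its row keys and the level ids are all assumptions.

```php
<?php
// Added illustration of the rules listed above, not Trongate's source.
// $token_rows is a constructed stand-in for the trongate_tokens lookup;
// its row keys and the level ids used below are assumptions.
function level_allowed(int $level, $user_levels): bool {
    if ($user_levels === null) {
        return true;                                 // null: any level
    }
    if (is_int($user_levels)) {
        return $level === $user_levels;              // int: one level only
    }
    if (is_array($user_levels)) {
        return in_array($level, $user_levels, true); // array: strict match
    }
    return false;                                    // unknown filter type: fail closed
}

function find_valid_token(array $cookies, array $session, array $token_rows,
                          $user_levels = null, ?int $now = null) {
    $now = $now ?? time();
    // Cookie first, then session; the first candidate that passes is returned.
    $candidates = [$cookies['trongatetoken'] ?? null,
                   $session['trongatetoken'] ?? null];
    foreach ($candidates as $candidate) {
        if (!is_string($candidate) || $candidate === '') {
            continue;
        }
        foreach ($token_rows as $row) {
            if (hash_equals($row['token'], $candidate)   // row exists
                && $row['expiry_date'] > $now            // not expired
                && level_allowed($row['user_level_id'], $user_levels)) {
                return $candidate;
            }
        }
    }
    return false;
}

// Constructed sample data: level 1 = admin, level 2 = member (assumed ids).
$now  = 1700000000;
$rows = [
    ['token' => 'tok-admin',  'expiry_date' => $now + 3600, 'user_level_id' => 1],
    ['token' => 'tok-member', 'expiry_date' => $now + 3600, 'user_level_id' => 2],
    ['token' => 'tok-stale',  'expiry_date' => $now - 1,    'user_level_id' => 1],
];
$member = ['trongatetoken' => 'tok-member'];
var_dump(find_valid_token($member, [], $rows, null, $now)); // member token, any level
var_dump(find_valid_token($member, [], $rows, 1, $now));    // member token, admin-only filter
var_dump(find_valid_token(['trongatetoken' => 'tok-stale'],  // expired cookie token,
    ['trongatetoken' => 'tok-admin'], $rows, 1, $now));      // live session token
```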
Example 1: Any User Level
Accept any authenticated user, regardless of their level:
This example assumes you have a members_area template created.
Example 2: Specific User Level
Only allow users with a specific user level (e.g., admin only):
This example assumes you have an admin template created.
Example 3: Multiple User Levels
Allow multiple user levels (e.g., admin or moderator):
Fetching User Data
Once you've validated a token, you often need information about the user. The Trongate_tokens module provides three methods for this.
Method 1: get_user_id()
Retrieve the Trongate User ID (the id from the trongate_users table):
Example:
If no token parameter is provided, the method automatically searches cookies and session for a token.
Method 2: get_user_obj()
Retrieve a complete user object with all token and user level information:
The returned object contains:
- trongate_user_code - The code from trongate_users
- user_level_id - The numeric user level ID
- user_level - The user level title (e.g., "admin", "member")
- token - The validated token string
- trongate_user_id - The user's ID from trongate_users
- expiry_date - Unix timestamp of token expiration
Example:
Method 3: get_user_level()
Retrieve just the user level title:
Example:
Practical Example: Displaying User Info
Here's a complete example showing how to fetch and display user information:
This example assumes you have a members table with columns: id, username, first_name, last_name, and trongate_user_id.
Using Constructor for Protection
If you want to protect an entire controller, add validation in the constructor:
Now every method in the controller requires a valid member token.
When to Use Each Method
| Method | Use Case |
|---|---|
| attempt_get_valid_token() | Quick validation - just checking if user is authenticated |
| get_user_id() | Need to link to application tables (e.g., fetch from members table) |
| get_user_obj() | Need multiple pieces of user info (level, code, expiry, etc.) |
| get_user_level() | Need to check or display user's role/level only |
Common Patterns
Pattern 1: Simple Protection
Pattern 2: Admin-Only Page
Pattern 3: Fetch and Display User Info
Security Notes
- Always validate on protected pages - Never assume a user is authenticated
- Use specific user levels when needed - Don't allow admin pages to accept any user level
- Redirect on failure - Always redirect to login when validation fails
- Check token expiry - The framework handles this automatically, but be aware tokens can expire mid-session
What's Next
The final page in this chapter covers:
- Destroying tokens on logout
- Cleaning up expired tokens
- Complete logout workflow