Managing User Accounts with the Zend Framework

by Jason Gilmore

The Zend_Auth component, part of the Zend Framework, provides a mechanism for authenticating users in your web apps. Jason Gilmore will show you how use this robust component to give users the ability to create their own accounts.

Managing User Accounts with the Zend Framework - Introduction

Today's consumer sure has become the discerning sort, hasn't he? No longer content with a standard product made for the masses, today's buyer seeks out wares capable of being modified to fit specific tastes and desires. iPod engraving, customized Scions, and even monogrammed postage stamps are just a few examples of the lengths companies (and consumers) are going to, to make the marketplace their very own.

With the Web a crucial part of our everyday lives, not to mention a major part of the societal marketplace, it doesn't come as a surprise that consumers have come to expect as much from the virtual world as they do of the physical. Custom sports scores, localized news, and tailor-made product catalogs are all typical features on today's web sites. Of course, barring the employment of The Amazing Kreskin, Web site developers require a way to match a user to his online preferences. The standard way to do so is by providing the user with a means for creating and logging into an account. This account serves as the glue which ties the user to his actions performed while navigating the Web site, such as purchasing an e-book, identifying his hometown as Columbus, Ohio, or specifying that he'd like to see only sports-related news hailing from Pittsburgh.

Creating a user account feature is a bit more involved than simply creating a database table for hosting account information, and plugging it into the requisite registration and login forms. You'll also need to think about safeguarding against bogus accounts by requiring the user to confirm his e-mail address before the account is activated, maintaining the user's session while he's navigating the Web site, providing a simple mechanism for logging out of an account, and allowing users to easily recover forgotten passwords. Recognizing the commonplace need for such features, the Zend Framework is bundled with a great component named Zend_Auth which significantly reduces the time required to create and manage user accounts. In this tutorial I'll show you how to create the building blocks for managing user accounts, showing you how to register users, and allow them to both login and logout of your Web site.

Creating the User Registration Feature

In order to create a user registration feature, we'll need a place to store the account information. The most logical place to do so is within a database table specially designated for this purpose. A sample MySQL table schema for such a purpose might look like this:

CREATE TABLE account {
 first_name VARCHAR(100) NOT NULL,
 last_name VARCHAR(100) NOT NULL,
 email VARCHAR(100) NOT NULL,
 pswd CHAR(32) NOT NULL,
 recovery_key CHAR(32) DEFAULT ""

Nothing in this table should be too surprising, except for perhaps the pswd and recovery_key columns. The pswd column is defined as a CHAR(32) because the user's password will always be stored in hashed format using PHP's md5() function, making it highly unlikely the plaintext password will be recovered should an attacker somehow gain access to the database. The md5() function will convert any string to a 32-character hash, giving reason to the type definition. The recovery_key column will be used later in this tutorial to hold a random 32-character string which will be used to confirm the user's identity in case he initiates the password recovery sequence. I'll talk more about this particular column in a bit.

Of course, you'll probably need to extend the account table to include other pertinent information, such as the user's address, phone number, or birthdate. For the purposes of this tutorial I'm focusing on just the bare minimum requirements, so don't be afraid to add to this table as you see fit.

The Account Model

Next you'll need to create the account model pursuant to the typical convention defined by the Zend Framework. I'm going to keep the initial model capabilities to a minimum, although we'll add to it as necessary.

class Default_Model_Customer extends Zend_Db_Table_Abstract
  protected $_name = 'customer';

The Account Registration Form

Next up is the registration form. I'm going to keep this to the minimum required fields, creating the form you see in Figure 1. As there's nothing special about this form, following the screenshot I'll skip the code and move on to the controller action used to process this form information.

Zend Framework Registration Form
Figure 1. A simple user registration form

Processing the User Registration

With the account table, model, and registration form in place, it's time to write the code which will validate the user's registration information and create the account. For the purposes of this exercise presume the the form action points to an action named register created within a controller named account:

  01 public function registerAction()
  02 {   
  03   // Create array for errors
  04   $this->view->errors = array();
  06   if ($this->getRequest()->isPost()) {
  08     $customer = new Default_Model_Customer();
  10     $result = $customer->save($this->_request->getPost());
  12     if (! is_array($result)) {
  14       $this->view->created = 1;                     
  16     } else {
  18       $this->view->errors = $result;
  20       $this->view->firstName     = $this->_request->getPost('first-name');
  21       $this->view->lastName      = $this->_request->getPost('last-name');
  22       $this->view->email         = $this->_request->getPost('email');
  23       $this->view->pswd          = $this->_request->getPost('pswd'); 
  24       $this->view->userName      = $this->_request->getPost('username'); 
  26     }     
  28   }
  30 }

Let's review some of the stickier parts of this action:

  • Line 04 initializes an array which will contain any errors triggered throughout the data validation process.
  • If the registration form has been submitted, line 06 will detect the POSTed data, setting the validation and account creation process into motion.
  • Line 10 attempts to create the user account by calling a method named save(), which resides in the Account model. This method contains all of the validation and insertion logic, allowing us to maintain a thin controller containing remarkably little code. I'll show you what the save() method looks like in a moment. For the moment just keep in mind that if an array is returned from the method call, one or more errors occurred, so we'll assign them to a view variable (line 18) and populate some variables for redisplay in the form. Otherwise we'll create a view variable named $this->view->created which will serve as an indicator to inform the user of a successfully created account.

The account model's save() method looks like this:

  01 public function save(array $data)
  02 {
  04  // Initialize the errors array
  05  $errors = array();
  07  // First Name
  08  if (! Zend_Validate::is($data['first-name'], 'NotEmpty')) {
  09      $errors[] = "Please provide your first name.";
  10  }
  12  // Last Name
  13  if (! Zend_Validate::is($data['last-name'], 'NotEmpty')) {
  14      $errors[] = "Please provide your last name.";
  15  }     
  17  // Does Email already exist?
  18  if (Zend_Validate::is($data['email'], 'EmailAddress')) {
  20    $result = $this->findByEmail($data['email']);
  22    if ($result != false) {
  23      $errors[] = "An account using this e-mail address already exists.";
  24    }
  26  } else {
  27    $errors[] = "Please provide a valid e-mail address.";
  28  }
  30  // Password must be at least 6 characters
  31  $valid_pswd = new Zend_Validate_StringLength(6,20);
  32  if (! $valid_pswd->isValid($data['pswd'])) {
  33      $errors[] = "Your password must be 6-20 characters.";
  34  }
  36  // If no errors, insert the 
  37  if (count($errors) == 0) {
  39    $data = array (
  40      'first_name'         => $data['first-name'],
  41      'last_name'          => $data['last-name'],
  42      'email'              => $data['email'],
  43      'pswd'               => md5($data['pswd']),         
  44      'recovery_key'       => ''      
  45    );
  47    return $this->insert($data);
  49  } else {
  50    return $errors;
  51  }
  53 }

All of this should look pretty straightforward, so I won't dive into a line-by-line breakdown, other than to say that the findByEmail() is a simple method found in the model which verifies that an account using the provided e-mail address doesn't already exist.

Keep in mind that this is only one of several possible ways to create the registration logic. As a rule though I suggest following the "fat model, thin controller" approach as demonstrated here. Zend Framework project lead Matthew Weier O'Phinney published a great blog post about this very matter here.

Creating the User Login Feature

With the prerequisite steps out of the way, we're ready to bring the Zend_Auth component into the picture. Zend_Auth serves several purposes, including providing a simple-to-use mechanism for verifying a user's provided login credentials (typically an e-mail address and password), and then initiating a session which will allow you to determine whether the user is currently logged into the Web site. Presuming a typical login form prompting the user to provide his e-mail address and password, the following login action will use the Zend_Auth component to process the login:

  01 public function loginAction()
  02 {
  04  if ($this->getRequest()->isPost()) {
  06    $email = $this->_request->getPost('email');
  07    $password = $this->_request->getPost('password');
  09    if (empty($email) || empty($password)) {
  10      $this->view->errors[] = "Please provide your e-mail address and password.";
  11    } else {      
  13      $db = Zend_Db_Table::getDefaultAdapter();
  14      $authAdapter = new Zend_Auth_Adapter_DbTable($db);
  16      $authAdapter->setTableName('account');
  17      $authAdapter->setIdentityColumn('email');
  18      $authAdapter->setCredentialColumn('pswd');
  19      $authAdapter->setCredentialTreatment('MD5(?)');
  21      $authAdapter->setIdentity($email);
  22      $authAdapter->setCredential($password);
  24      $auth = Zend_Auth::getInstance();
  25      $result = $auth->authenticate($authAdapter);
  27      // Did the participant successfully login?
  28      if ($result->isValid()) {      
  30        $this->_redirect('/'); 
  32      } else {
  33        $this->view->errors[] = "Login failed. Have you confirmed your account?";
  34      }
  36   }
  38  }  
  39 } 

Let's review this code:

  • Line 16 identifies the table named used to store the account information. In our case, that table name is account.
  • Line 17 defines the table column which contains the user's "login". We're using an e-mail address, so I've identified that column as email.
  • Line 18 defines the table column which contains the user's password.
  • Line 19 determines how the password will be identified within the table. Because we've used the md5() function to hash the password, the credential treatment is set as you see it here.
  • Lines 21 and 22 assign the provided e-mail address and password to the adapter's identity and credential properties.
  • Line 24 determines whether the user is already logged in, and if not attempts to authenticate him using the authenticate() method.
  • Finally, the isValid() method is used to determine whether the provided credentials were valid. If so, we'll redirect the user to the home page. Otherwise, errors will be output to the login page.

Determining if a User is Logged In

Determining if a user is logged in is easily done using Zend_Auth's getIdentity() method:

$user = Zend_Auth::getInstance()->getIdentity();

You can place this call in a controller's init() method or elsewhere to determine if the user is logged in. If $user is set, you'll be able to retrieve for instance his e-mail address or primary key by referencing the $user object's e-mail or id properties, respectively.

Creating the Logout Mechanism

Finally, to log the user out of the site, just create an action named for instance logout, and point a hyperlink to it:

public function logoutAction()


Managing user accounts is made incredibly easy using the powerful Zend_Auth component. Hopefully this tutorial provided you with the foundation for giving users access to the custom content they desire!


About the Author

Jason Gilmore is founder of EasyPHPWebsites.com, and author of the popular book, "Easy PHP Websites with the Zend Framework". Formerly Apress' open source editor, Jason fostered the development of more than 60 books, along the way helping to transform their open source line into one of the industry’s most respected publishing programs. Over the years he's authored several other books, including the best-selling Beginning PHP and MySQL: From Novice to Professional (currently in its third edition), Beginning PHP and PostgreSQL: From Novice to Professional, and Beginning PHP and Oracle: From Novice to Professional.

Jason is a cofounder and speaker chair of CodeMash, a nonprofit organization tasked with hosting an annual namesake developer’s conference, and was a member of the 2008 MySQL Conference speaker selection board.

Jason has published more than 100 tutorials and articles within prominent publications such as Developer.com, Linux Magazine, and TechTarget.

This article was originally published on Monday Nov 16th 2009
Mobile Site | Full Site