Posted on by Stelian_1

Is there anyway to improve my userControl class and make it more secure?

I'm not a php expert but I wonder if there is a way to secure the tunnel with https and if can somehow use some sort of certificate to the session from the class when it outputs the userdata into session and read it as an input by the class?

<?php
interface userAction {
    public function login();
    public function logout();
    public function isActive();
}
class userControl implements userAction {
    protected $_email;
    protected $_password;
    protected $_db;
    protected $_user;
    private $isLogged = false;
    public function __construct(mysqli $db, $email, $password) 
    {
       $this->_db = $db;
       $this->_email = $email;
       $this->_password = $password;
    }
    public function login()
    {
        $user = $this->_verifyUser();
        if ($user) {
            $this->_user = $user;
            session_regenerate_id(true);
            $_SESSION['uid'] = $user['uid'];
            return $user['uid'];
        }
        return false;
    }
    protected function _verifyUser()
    {
        $userQ = "SELECT * FROM users WHERE email=?";
        $stmt = $this->_db->prepare($userQ);
        $stmt->bind_param("s", $this->_email);
        $stmt->execute();
        $result = $stmt->get_result();
        $nrRows = $result->num_rows;
        if ($nrRows > 0) {
            $user = $result->fetch_assoc();
            $this->_db->next_result();
            $usrPwd = blobToString($user['password']);
            $pwdCheck = password_verify($this->_password, $usrPwd);
            if ($pwdCheck) {
                unset($user['password']);
                $this->_db->close();
                $this->isLogged = true;
                return $user;
            }
        }
        return false;
    }
    public function logout() {
        $currentUser = $_SESSION['uid'];
        if ($this->isLogged && $currentUser) {          
            $usrStatus = 0;
            $usrLevel = -1;
            $isUserQ = "SELECT * FROM users_status WHERE uid = ?";
            $isUser = $this->_db->prepare($isUserQ);
            $isUser->bind_param("s", $currentUser);
            $isUser->execute();
            $userData = $isUser->get_result();
            if ($userData->num_rows > 0) {
                $this->_db->next_result();
                $setUserQ = "UPDATE users_status SET login_status = ?, user_level = ? WHERE uid = ?";
                $setUser = $this->_db->prepare($setUserQ);
                $setUser->bind_param("iis",$usrStatus, $usrLevel, $currentUser);
                $setUser->execute();
                $setUser->close();
                $this->_db->close();
                $this->isLogged = false;
                return true;
            }
        }
        return false;
    }
    public function isActive() {
        if($_SESSION['uid'] == $this->_user['uid']) {
            $this->isLogged = true;
            return $this->_user;
        }
        return false;
    }
}