I'm using Fuel Orm Auth with two groups of users: Admin and normal Member. Members can log in to something like http://fuelphp.com/forums and Admins can log in to http://fuelphp.com/admin. These two kinds of users use the same Users table of OrmAuth. Is there any way to create separate sessions for Admin and Member in the same browser at the same time? For example, when logged in to http://fuelphp.com/admin with an admin account, it would also be possible to log in to http://fuelphp.com/forums with a Member account at the same time. Sorry for my stupid question. Any help would be greatly appreciated.
The short answer is no. The Auth classes use the default session instance.
The long answer:
You could extend Auth_Login_Ormauth in your app, and then overload the methods that use the session class statically and come up with a solution that uses a session instance instead. Then you need to find a way to pass the name of the session instance to use via Auth::forge() and have it instantiate a session object with it, so the Ormauth driver can use that instead of the static calls.
You also need to make sure that both sessions don't collide, so perhaps they may have to use a different storage system.
So, quite complex, mainly because browser sessions are not designed this way.
Instead, why don't you use permissions, for which Ormauth is designed?
Dear Harro, Thanks so much for both long and short answer. I can imagine the complexity if going with the long answer ;) so I will think about using the permissions (firstly I need to read the docs again... :) )
Create base controllers for public (no authorisation), member (user = member) or admin (user = admin).
In the controller's before() method, check if a user is logged in (for the member and admin base controllers), and if they are a member of the correct group. If not, throw an HttpNoAccessException. Make sure these base controllers extend the correct controller (standard or template).
Then all your controllers extend one of these three, and your (coarse) authorisation is implemented.
If you want more fine-grained permissions or use roles, you can do that too, but that may be the next step.
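The base-controller layout described in the reply above, sketched for a FuelPHP app as an added example (not code posted in the thread or taken from the framework). The class names, the intermediate `Controller_Base_Restricted` class and the group ids are assumptions; look up the real ids in your Ormauth groups table.

```php
<?php
// Added example. In a Fuel app each class lives in its own file,
// e.g. fuel/app/classes/controller/base/admin.php.

// Public pages: no authorisation check.
class Controller_Base_Public extends \Controller
{
}

// Shared check for the two restricted base controllers (hypothetical helper class).
abstract class Controller_Base_Restricted extends \Controller
{
    // Id of the Ormauth group a user must belong to; set by each subclass.
    protected $required_group = null;

    public function before()
    {
        parent::before();

        // Deny by default: a subclass that forgets to set a group stays locked,
        // and an anonymous visitor or a user from another group is rejected.
        if ($this->required_group === null
            or ! \Auth::check()
            or ! \Auth::member($this->required_group))
        {
            throw new \HttpNoAccessException();
        }
    }
}

class Controller_Base_Member extends Controller_Base_Restricted
{
    protected $required_group = 3; // assumed id of the member group
}

class Controller_Base_Admin extends Controller_Base_Restricted
{
    protected $required_group = 6; // assumed id of the admin group
}

// Application controllers extend one of the three base controllers.
class Controller_Admin_Dashboard extends Controller_Base_Admin
{
    public function action_index()
    {
        // Only reached when before() did not throw.
        return \Response::forge('Admin dashboard');
    }
}
```

A controller that overrides before() itself must call parent::before() first, otherwise the group check is skipped for every action in that controller.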
Exactly what I am doing :) Just because my customer wants to use both an admin account and a testing member account at the same time, to confirm what is going on when logging in with the member account, and they don't want to log out the Admin nor use another device/browser to do that. And as a junior developer, I wonder how to do that in the simplest way, so I came here to find any suggestion :)
The problem is that that goes against the design of a browser. It is technically impossible to tie a session to a browser window; everything that is client-side storage (cookies, local storage containers) is global in a browser.
If the client wants to test, simply use two browsers. A lot cheaper than building and maintaining a complex application.
Dear Harro, Thanks for making my determination to persuade the customer about the problem. Always appreciate your kindness for gently explaining not only Fuel but also basic things.