douhui9192 2013-09-22 18:31
Views: 39

Strange PDO behaviour

After some hours I have to post this question, even if the answer may be obvious to someone else.

The problem is that I want to test for the tokens, but even when I hardcode them, I still get INVALID. And I know it has to be right, because I tested it in PHPADMIN directly. What's odd is that it always passes the first time (without being hardcoded), but after that it is useless. The tokens are retrieved from a cookie.

    public function findTriplet($credential, $token, $persistentToken) {

        // Hardcoded for testing only; these overwrite the values read from the cookie
        $token = "459078a3b05ce938ed58f9678ac78f1agcgfsewe4";
        $persistentToken = "24d317b742da89ddf5b8ed50993d0f3cgcgfsewe4";
        $credential = "34";

        // token_match is 1 when SHA1(token) equals the stored token column, -1 otherwise;
        // no row at all is returned when credential / persistent token do not match
        $q = "SELECT IF(SHA1(?) = {$this->tokenColumn}, 1, -1) AS token_match " .
             "FROM {$this->tableName} WHERE {$this->credentialColumn} = ? " .
             "AND {$this->persistentTokenColumn} = SHA1(?) LIMIT 1 ";
        $query = $this->db->prepare($q);
        $query->execute(array($token, $credential, $persistentToken));
        $result = $query->fetchColumn();   // false when no row matched

        if (!$result) {
            return self::TRIPLET_NOT_FOUND;
        } else if ($result == 1) {
            return self::TRIPLET_FOUND;
        } else {
            return self::TRIPLET_INVALID;
        }
    }

EDIT

The LIMIT clause always catches the first row it finds, therefore I always get a mismatch. Now I have to fix this.

The solution was simple. Delete the entry that was just validated before inserting a new row with the newly generated token. The new row should contain the SAME persistentToken you just validated against. REMEMBER, this will still be INSECURE, so set a FLAG on the server side that this was a cookie login, and require a REAL LOGIN for handling important data.
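To illustrate the procedure in the EDIT above, here is an added example written for this page (it is not code from the original post or from the questioner's project). It reproduces the LIMIT 1 mismatch with two rows for one series, shows a lookup that scans the whole series instead of trusting the first row, and implements the delete-then-insert rotation with the same persistent token inside a transaction. It runs offline in PHP against an in-memory SQLite database, using PDO_SQLITE's sqliteCreateFunction() to supply SHA1() so the MySQL-style query can be run as-is; the table and column names, the session flag name and the sample token strings are assumptions.

```php
<?php
// Added example, not code from the original post. Reproduces the LIMIT 1 mismatch
// described in the EDIT and implements the fix it outlines: scan every row of the
// series, then delete the validated row before inserting the replacement token.
// Runs offline against an in-memory SQLite database; the table and column names
// (remember_me, credential, token, persistent_token), the session flag name and
// the sample token strings are assumptions.

const TRIPLET_FOUND     = 1;
const TRIPLET_NOT_FOUND = 0;
const TRIPLET_INVALID   = -1;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// SQLite has no SHA1(); expose PHP's sha1() under that name so the MySQL-style
// query from the question can be run here (MySQL's IF() is written as CASE).
$db->sqliteCreateFunction('SHA1', 'sha1', 1);
$db->exec('CREATE TABLE remember_me (
    id               INTEGER PRIMARY KEY AUTOINCREMENT,
    credential       TEXT NOT NULL,
    token            TEXT NOT NULL,   -- SHA1 of the per-use token
    persistent_token TEXT NOT NULL    -- SHA1 of the series token shared by all rotations
)');

function insertTriplet(PDO $db, string $credential, string $token, string $persistentToken): void
{
    $st = $db->prepare('INSERT INTO remember_me (credential, token, persistent_token)
                        VALUES (?, SHA1(?), SHA1(?))');
    $st->execute([$credential, $token, $persistentToken]);
}

// Shape of the query in the question. With no ORDER BY, LIMIT 1 compares the cookie
// token against whichever row for this credential/series the engine returns first,
// so a second row for the same series makes the current token look wrong.
function findTripletLimit1(PDO $db, string $credential, string $token, string $persistentToken): int
{
    $st = $db->prepare('SELECT CASE WHEN SHA1(?) = token THEN 1 ELSE -1 END AS token_match
                        FROM remember_me
                        WHERE credential = ? AND persistent_token = SHA1(?) LIMIT 1');
    $st->execute([$token, $credential, $persistentToken]);
    $r = $st->fetchColumn();
    if ($r === false) {
        return TRIPLET_NOT_FOUND;
    }
    return ((int) $r === 1) ? TRIPLET_FOUND : TRIPLET_INVALID;
}

// Hardened lookup: hash in PHP (the raw token never reaches the SQL text), fetch
// every row of the series, and compare with hash_equals() so a stray duplicate
// row cannot hide the matching one.
function findTriplet(PDO $db, string $credential, string $token, string $persistentToken): int
{
    $st = $db->prepare('SELECT token FROM remember_me WHERE credential = ? AND persistent_token = ?');
    $st->execute([$credential, sha1($persistentToken)]);
    $rows = $st->fetchAll(PDO::FETCH_COLUMN);
    if ($rows === []) {
        return TRIPLET_NOT_FOUND;
    }
    $expected = sha1($token);
    foreach ($rows as $stored) {
        if (hash_equals($stored, $expected)) {
            return TRIPLET_FOUND;
        }
    }
    // Series is known but the token is not: the cookie may have been stolen and replayed.
    return TRIPLET_INVALID;
}

// The EDIT's fix: delete the row that was just validated and insert the replacement
// with the SAME persistent token, inside one transaction, so each series keeps a
// single row. Returns the new token to put in the cookie, or null if nothing matched.
function rotateToken(PDO $db, string $credential, string $token, string $persistentToken): ?string
{
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM remember_me
                         WHERE credential = ? AND persistent_token = ? AND token = ?');
    $del->execute([$credential, sha1($persistentToken), sha1($token)]);
    if ($del->rowCount() !== 1) {
        $db->rollBack();
        return null;
    }
    $newToken = bin2hex(random_bytes(20));
    insertTriplet($db, $credential, $newToken, $persistentToken);
    $db->commit();
    return $newToken;
}

// Constructed data: two rows for the same user and series, which is what accumulates
// when every cookie login inserts a new token without deleting the old one.
insertTriplet($db, '34', 'token-from-first-login', 'series-token');
insertTriplet($db, '34', 'token-from-second-login', 'series-token');

echo 'LIMIT 1 lookup of the current cookie token: ',
     findTripletLimit1($db, '34', 'token-from-second-login', 'series-token'), PHP_EOL;
echo 'Full-series lookup of the current cookie token: ',
     findTriplet($db, '34', 'token-from-second-login', 'series-token'), PHP_EOL;

$fresh = rotateToken($db, '34', 'token-from-second-login', 'series-token');
echo 'After rotation, old token: ',
     findTriplet($db, '34', 'token-from-second-login', 'series-token'),
     ', fresh token: ', findTriplet($db, '34', $fresh, 'series-token'), PHP_EOL;

// In a real request, after session_start(): record that this session came from a
// cookie login (flag name is an assumption) so sensitive actions can demand a real login.
// $_SESSION['authenticated_via_cookie'] = true;
```

The rotation deletes by credential, persistent token and token together, so a concurrent request replaying the same cookie finds no row to delete and gets null instead of a second fresh token. Hashing in PHP and comparing with hash_equals() also keeps the raw cookie values out of the query text and avoids a byte-by-byte string comparison in the database.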


1 answer

  • duanbi8089 2013-09-22 18:55

    I think your if checks are in the wrong order:

        if (!$result) {
            return self::TRIPLET_NOT_FOUND;
        } elseif ($result == 1) {
            return self::TRIPLET_FOUND;
        } else {
            return self::TRIPLET_INVALID;
        }

    In the SQL, 1 means found, -1 means not found, and anything else would be invalid. But in the PHP, a -1 would fall into the else clause, and return self::TRIPLET_INVALID, whereas an invalid result would fall into if(!$result) and return self::TRIPLET_NOT_FOUND.

