SEAuth - Session Extension for Authorization - Please take a quick look!
#1

[eluser]Costa Rica SEO[/eluser]
Hey everybody. This is my first bit of code to share, so please go easy on me ;) I was looking for something REALLY simple to do user validation / authorization. I didn't see it. So I made an extension to the Session class.

It works like this:
Code:
$this->session->login($username,$password);
$this->session->logout();
$this->session->auth($privilege_type_needed);

Login checks the user name and password, then loads the privileges into the cookie.

Logout removes all privileges.

Auth checks to see if the user has that privilege.

It has a config file called auth.php that needs the following:
Quote:
$user_table - The name of the database table to use for user lookup.

$user_name - This is the record where the user name is stored.

$password - This is the record where the user password is stored.

$session_auth - This is the variable saved in the cookie that validates the user is logged in.

$privilege - This is an array of boolean records to indicate if the user has permission to access various types of content.

Here is a SUPER simple login page:
Code:
function login(){
    $data = array();
    $data['user'] = $this->input->post('user');
    $data['password'] = $this->input->post('password');

    if ($data['user']) {
        $secure = $this->session->login($data['user'],$data['password']);
        if ($secure) {redirect('/authclients/admin');}
        else {show_error('Bad User Name or Password');}
    } else {$this->load->view('view_login');}
}

Here is a SUPER simple logout page:
Code:
function logout(){
    $this->session->logout();
    echo "logged out";
}

Here is a SUPER simple admin page (with session authorization):
Code:
function admin(){
    $user_is_admin = $this->session->auth('user_admin');
    if ($user_is_admin) {
        $this->load->view('view_admin');
    }
    else {
        show_error('Permission Denied');
    }
}

I threw together the program quickly over the past two hours or so and tested it. It works great so far. I'm planning on making a page for it and adding it to the Wiki, but I want some input first. The program is less than 100 lines with documentation. Anyone care to give it a look over and make suggestions before I post it? I've attached the code as a ZIP.

I like it because it doesn't add too much extra code. Just make sure the session library is loaded and you're done. I didn't feel it was significant enough to need another library (though it could be made into one in minutes).

- Paul
#2

[eluser]Costa Rica SEO[/eluser]
Oh, and I nearly forgot the limitations. It just works with the default database for now. I'll consider changing that in the future, but for now it's a limitation that I think most people can live with. Like I said this is designed to be REALLY simple session / user authorization control.
#3

[eluser]Costa Rica SEO[/eluser]
I forgot to mention that the config.php needs an encryption key in the documentation. That's been updated now.
#4

[eluser]outrage[/eluser]
Very nice and simple.

I didn't notice any checking of inputs though unless global filtering is autoloaded??

For example:

$this->input->post('user') may be better as $this->input->post('user', TRUE)

Good effort though :)
#5

[eluser]Costa Rica SEO[/eluser]
[quote author="outrage" date="1222190170"]Very nice and simple.

I didn't notice any checking of inputs though unless global filtering is autoloaded??

For example:

$this->input->post('user') may be better as $this->input->post('user', TRUE)

Good effort though :)[/quote]

Very true. The application that I copied the code from is on our internal server, so I didn't bother with validation (as it's not on the web). Like I said the program code is SUPER simple examples. I literally wrote all of this in two hours, so I expect there to be a few glitches.

The My_Session.php shouldn't need validation. That would be part of passing the variables to the login function. So I think the core code (just not the SUPER simple example) is solid.

I love programs like FreakAuth if you're running a big site with lots of users, but for my own internal apps (or maybe a simple CMS or blog area on a client site) this is all of the authentication that I need.
#6

[eluser]Costa Rica SEO[/eluser]
Here is the latest /application/libraries/My_Session.php for those who don't want the ZIP:
Code:
<?php
/*
| -------------------------------------------------------------------
| SEAuth - Session Extension for Authorization
| -------------------------------------------------------------------
| This is intended as a simple way to integrate session authorization
| in to any CodeIgniter application.
| $this->session->login($username,$password);
| $this->session->logout();
| $this->session->auth($privilege_type_needed);
| -------------------------------------------------------------------
| Created by Paul R. Dillinger of CR Solutions Group S.A.
| http://www.crsolutionsgroup.com/
| -------------------------------------------------------------------
*/
class MY_Session extends CI_Session {

    function MY_Session()
    {
        parent::CI_Session();
    }
///////////////////////////////////////////////////////////////////////////////
// Validates username and password info then begins the session              //
///////////////////////////////////////////////////////////////////////////////
    function login($user,$pass)
    {
        // Refuse to run unless the session cookie is encrypted and the session database is configured
        if ($this->CI->config->item('sess_encrypt_cookie') == TRUE AND $this->CI->config->item('sess_use_database') == TRUE AND $this->CI->config->item('sess_table_name') != '')
        {
            include(APPPATH.'config/auth'.EXT);
            // Call User Database $user_table
            $this->CI->load->database();
            $this->CI->db->where($user_name, $user);
            $this->CI->db->where($password, $pass);
            $query = $this->CI->db->get($user_table);
            if ($query->num_rows() == 1) {
                foreach ($query->result_array() as $row)
                {
                    $userdata = array();
                    $userdata[$session_auth] = TRUE;
                    // Copy each configured privilege column into the session data
                    foreach ($privilege as $permission)
                    {
                        $userdata[$permission] = $row[$permission];
                    }
                    $this->set_userdata($userdata);
                    return true;
                }
            }
            else
            {
                return false;
            }
        }
        else
        {
            show_error('ENCRYPTION AND DATABASE MUST BE ENABLED - PLEASE READ /APPLICATION/CONFIG/AUTH.PHP');
            return false;
        }
    }
///////////////////////////////////////////////////////////////////////////////
// Removes the session authorization and user name from the client           //
///////////////////////////////////////////////////////////////////////////////
    function logout()
    {
        include(APPPATH.'config/auth'.EXT);
        $this->unset_userdata($session_auth);
        foreach ($privilege as $remove_permission)
        {
            $this->unset_userdata($remove_permission);
        }
    }
///////////////////////////////////////////////////////////////////////////////
// Checks to see if the user is logged in and if they have access to the area//
///////////////////////////////////////////////////////////////////////////////
    function auth($access)
    {
        if ($this->CI->config->item('sess_encrypt_cookie') == TRUE AND $this->CI->config->item('sess_use_database') == TRUE AND $this->CI->config->item('sess_table_name') != '')
        {
            include(APPPATH.'config/auth'.EXT);
            $authorized = $this->userdata($session_auth);
            if ($authorized) {
                if ($this->userdata($access) == TRUE) {
                    return TRUE;
                }
                else {
                    return FALSE;
                }
            }
            // Not logged in: deny explicitly instead of falling through with no return value
            return FALSE;
        }
        else
        {
            show_error('ENCRYPTION AND DATABASE MUST BE ENABLED - PLEASE READ /APPLICATION/CONFIG/AUTH.PHP');
            return FALSE;
        }
    }
///////////////////////////////////////////////////////////////////////////////
}
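
The `login()` above matches the submitted password against the `password` column inside the query itself, so that column holds the password as typed. As an added example (not part of the original post or of SEAuth), here is the same lookup done by user name only, with the stored value checked through PHP's `password_hash()` / `password_verify()` (PHP 5.5+). `seauth_login()` and the in-memory `$users` array standing in for the `auth` table are hypothetical names, and the rows are constructed sample data.

```php
<?php
// Added example, not SEAuth code. $users stands in for the `auth` table;
// the rows and passwords are constructed sample data.
$privilege = array('user_admin', 'user_member');   // same names as auth.php
$users = array(
    'paul'  => array('password' => password_hash('correct horse', PASSWORD_DEFAULT),
                     'user_admin' => '1', 'user_member' => '1'),
    'guest' => array('password' => password_hash('guest-pass', PASSWORD_DEFAULT),
                     'user_admin' => '0', 'user_member' => '1'),
);

// Returns the session userdata array on success, FALSE on any failure.
function seauth_login(array $users, array $privilege, $user, $pass)
{
    // Verified when the user name is unknown, so both paths cost one hash check.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    // In CodeIgniter 1.x $this->input->post() gives FALSE for a missing field
    // and an array for user[]=..., so reject anything that is not a string.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Look the row up by user name only; the password never enters the query.
    $row = isset($users[$user]) ? $users[$user] : null;
    $ok  = password_verify($pass, $row ? $row['password'] : $dummy);
    if (!$row || !$ok) {
        return false;
    }
    $userdata = array('logged_in' => true);     // $session_auth in auth.php
    foreach ($privilege as $permission) {
        // Store real booleans so only an explicit 1 in the row grants access.
        $userdata[$permission] = ((int) $row[$permission] === 1);
    }
    return $userdata;
}

var_dump(seauth_login($users, $privilege, 'guest', 'guest-pass'));
var_dump(seauth_login($users, $privilege, 'guest', 'wrong'));
var_dump(seauth_login($users, $privilege, 'nobody', 'guest-pass'));
var_dump(seauth_login($users, $privilege, array('x'), 'guest-pass'));
```

A bcrypt hash from `password_hash()` is 60 characters, so it fits the `varchar(100)` password column of the sample `auth` table; the PHP manual recommends 255 to leave room for future algorithms.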
#7

[eluser]Costa Rica SEO[/eluser]
Also here is the latest /application/config/auth.php for those who don't want the zip:
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| SEAuth - Session Extension for Authorization
| -------------------------------------------------------------------
| This is intended as a simple way to integrate session authorization
| in to any CodeIgniter application.
| $this->session->login($username,$password);
| $this->session->logout();
| $this->session->auth($privilege_type_needed);
| -------------------------------------------------------------------
| Created by Paul R. Dillinger of CR Solutions Group S.A.
| http://www.crsolutionsgroup.com/
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|    $user_table The name of the database table to use for user lookup.
|
| $session_auth This is the variable saved in the cookie that
| validates the user is logged in.
|
|    $user_name This is the record where the user name is stored.
|
|    $password This is the record where the user password is stored.
|
|    $privilege This is an array of boolean records to indicate if the
| user has permission to access this content.
*/

$user_table = "auth";
$session_auth = "logged_in";
$user_name = "username";
$password = "password";
$privilege = array('user_admin', 'user_member');
/*
| -------------------------------------------------------------------
| !!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
| -------------------------------------------------------------------
| Changes MUST be made to the application/config/config.php file
| -------------------------------------------------------------------
| THE APPLICATION REQUIRES THE SESSION DATABASE AND ENCRYPTION
| SEE THE USER GUIDE FOR MORE INFORMATION
| http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
| -------------------------------------------------------------------
|
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
| $config['encryption_key'] = "";
|
| This needs a 32 digit mix of random letters and numbers for example:
| 1q2W3e4R5t6Y7u8I9o0PZaXsCdVfBgNh
| Do not use the one above, just make a new one.
|
|--------------------------------------------------------------------------
| Session Variables
|--------------------------------------------------------------------------
|    $config['sess_encrypt_cookie']    = TRUE;
|    $config['sess_use_database']    = TRUE;
|    $config['sess_table_name']        = 'ci_sessions';
|
| -------------------------------------------------------------------
| MySQL Example for ci_sessions table below:
| -------------------------------------------------------------------
|

CREATE TABLE IF NOT EXISTS  `ci_sessions` (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
PRIMARY KEY (session_id)
);

--
-- Sample Table structure for table `auth` database
--

CREATE TABLE IF NOT EXISTS `auth` (
  `id` int(10) NOT NULL auto_increment,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  `user_admin` bool NOT NULL default '0',
  `user_member` bool NOT NULL default '0',
  PRIMARY KEY  (`id`)
);

|
*/

/* End of file auth.php */
/* Location: ./system/application/config/auth.php */
#8

[eluser]Costa Rica SEO[/eluser]
Finally the install instructions:

1. Install auth.php into the /application/config directory

2. Install MY_Session.php into the /application/libraries directory

3. Update the config.php according to the directions in the auth.php

4. Set up the session database



