+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Standardised user login (/showthread.php?tid=4452)
Pages:
1
2
Standardised user login - El Forum - 11-26-2007
[eluser]morph london[/eluser]
Hi I am very new to CodeIgniter and I am very impressed with what I have seen so far. Now my first CodeIgniter project involves a simple cms. I have been searching for a standardized way of
a) Creating a login page (email, password) from a database.
b) A piece of code I can add to each page that is "protected" that will redirect to the login page.
I was quite surprised in the documentation that there seems to be no way built into CodeIgniter to do this out of the box. Is there a standard was of achieving this? or is there a method anyone could recommend as being secure?
Also in my attempts to create such a page I have come across an issue with the Validation library. When I validate the password field and md5 it in the process, if the user has not entered a valid email it bounces back to the login page but the password field contains the md5 hash. I would like it to contain the original string.
Thanks for your help.
Standardised user login - El Forum - 11-26-2007
[eluser]stevepaperjam[/eluser]
I've had success with DanFreak's FreakAuth, which is built for CI.
Standardised user login - El Forum - 11-26-2007
[eluser]morph london[/eluser]
Thanks for the link I will check it out. The site has to be secure so do you know if this is secure code. What I am ideally looking for is adding CI to my 'Toolkit' as it were and I don't want to find out down the line I am using code that I will have to go and amend.
Standardised user login - El Forum - 11-26-2007
[eluser]stevepaperjam[/eluser]
Quote:do you know if this is secure code
So far I've only used it as part of a blog-type thing for the admin section, but I'm planning on using it as part of a shopping cart site.
I've not done any security testing myself, but you might be able to glean some further info from this thread.
Standardised user login - El Forum - 11-26-2007
[eluser]stevepaperjam[/eluser]
...and there's also Erkana , not tried it myself: looks good tho...
Standardised user login - El Forum - 11-26-2007
[eluser]Phil Sturgeon[/eluser]
CI can do this out of the box.
Model
Code:
function checkLogin($username, $password){
$this->db->where('username', $username);
$this->db->where('password', $password);
$query = $this->db->get('users');
$user = $query->row();
$this->session->set_userdata('userid', $user->userid);
return ($query->num_rows() > 0);
}Controller Check
Code:
if(!$this->session->userdata('userid')) redirect('user/login');User Auth is an INCREDIBLY simple thing, its just bloated by extra things such as forgot password, activation, user management, banning, etc. A full user auth system in CI can be done with 2 methods, 1 model and the simple piece of code above.
I would avoid FAL like the plague for a small project, but it can come in handy if you strip it RIGHT down to the bones.
Standardised user login - El Forum - 11-26-2007
[eluser]morph london[/eluser]
Ok cool thats exactly what I wanted. Now back to the other issue I am having. So looking at the validation Library it demonstrates the validation for a password field using md5. So I assume it is better to store a password as md5 for security, then compare it from there.
Now in the below code taken from the docss:
function index()
{
$this->load->helper(array('form', 'url'));
$this->load->library('validation');
$rules['username'] = "required";
$rules['password'] = "required";
$rules['passconf'] = "required";
$rules['email'] = "required";
$this->validation->set_rules($rules);
$fields['username'] = 'Username';
$fields['password'] = 'Password';
$fields['passconf'] = 'Password Confirmation';
$fields['email'] = 'Email Address';
$this->validation->set_fields($fields);
if ($this->validation->run() == FALSE)
{
$this->load->view('myform');
}
else
{
$this->load->view('formsuccess');
}
}
If the user leaves out their email address this then fills the password field with a md5 instead of their original string.
Standardised user login - El Forum - 11-26-2007
[eluser]Phil Sturgeon[/eluser]
You are close.
Code:
function index()
{
$this->load->helper(array(’form’, ‘url’));
$this->load->library(’validation’);
$rules['username'] = 'required';
$rules['password'] = 'required';
$rules['passconf'] = 'required|matches[password]';
$rules['email'] = 'required|valid_email';
$this->validation->set_rules($rules);
$fields['username'] = 'Username';
$fields['password'] = 'Password';
$fields['passconf'] = 'Password Confirmation';
$fields['email'] = 'Email Address';
$this->validation->set_fields($fields);
// Populate a data variable
foreach(array_keys($fields) as $field):
$data[$field] = $this->input->post($field);
endforeach;
if ($this->validation->run() == FALSE)
{
$this->load->view('myform', $data);
}
else
{
// Encrypt their password before submitting (do this in the model if you preffer
$data['password'] = md5($data['password']);
$this->user_model->addUser($data);
$this->load->view('formsuccess', $data);
}
}Notice the improved validation rules to make sure passwords match and the email is forced to be a valid email.
Also notice the loop that will grab data from post and put it into a $data variable so you can pass it to your model. We then replace the users submitted password with a md5 hash.
Registration complete!
Standardised user login - El Forum - 11-26-2007
[eluser]Rick Jolly[/eluser]
pyromaniac - You've just created another auth library! Maybe call it pyroauth and create a support thread.
Standardised user login - El Forum - 11-26-2007
[eluser]Michael Wales[/eluser]
Don't forget to add a salt.