[eluser]Unknown[/eluser]
Hello! I needed a simple but also effective single-user authentication gate for a website I'm working on. After browsing around I came to the following solution.
1) Name all CMS controllers with a "cms" prefix (cms_people, cms_places etc.)
2) Root-level .htaccess mod_rewrite to remove index.php from the URL
3) Same .htaccess: Basic Auth to protect the CMS controllers (files, even if they're pulled in by index.php):
Code:
RewriteEngine on
# Send everything except index.php, /resources and robots.txt through CodeIgniter's front controller
RewriteCond $1 !^(index\.php|resources|robots\.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
# HTTP Basic Auth for any request whose filename begins with "cms" (the CMS controller URL segment)
<Files cms*>
AuthUserFile /path/to/.htpasswd
AuthName "Login to CMS"
AuthType Basic
Require user username
</Files>
4) For extra security, I created a custom controller CMS_Controller in /core, from which I subclassed the cms* controllers; it blocks everything if no $_SERVER['PHP_AUTH_USER'] is set:
Code:
<?php defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/CMS_Controller.php: base class for every cms* controller
class CMS_Controller extends CI_Controller {

    public function __construct()
    {
        parent::__construct();

        // Refuse to serve anything unless HTTP Basic credentials accompanied the request
        if ( ! isset($_SERVER['PHP_AUTH_USER']))
        {
            set_status_header(403);
            exit();
        }
    }
}
The code for pulling in any /core controller can be found on the web (append to config.php):
Code:
// Autoloader for classes in application/core and application/libraries
// (EXT is the '.php' extension constant defined by CodeIgniter 2.x)
function cms_core_autoload($class)
{
    if (strpos($class, 'CI_') !== 0)
    {
        if (file_exists($file = APPPATH . 'core/' . $class . EXT))
        {
            include $file;
        }
        elseif (file_exists($file = APPPATH . 'libraries/' . $class . EXT))
        {
            include $file;
        }
    }
}
// __autoload() is deprecated since PHP 7.2 and removed in PHP 8; register the function instead
spl_autoload_register('cms_core_autoload');
It looks like it's working properly, both locally and remotely. I wanted to ask more experienced users whether they see any security flaw in such a procedure - if so, why and where. If the system is good, I hope that other members can take advantage of it.
Thank you!
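Added example (not the poster's code): a variant of the CMS_Controller gate that checks the user name the web server established rather than the one the client sent. Apache fills $_SERVER['REMOTE_USER'] only after mod_auth has verified the credentials against the .htpasswd file, whereas $_SERVER['PHP_AUTH_USER'] is populated by PHP from the raw Authorization header whether or not Apache checked it, so a request that reaches the controller without passing a <Files>/Require block can carry PHP_AUTH_USER but never REMOTE_USER. The example assumes CodeIgniter 2.x or 3.x (set_status_header() and log_message() exist), Apache with mod_php or a FastCGI setup that exports REMOTE_USER, and a hypothetical config item 'cms_users' holding the allowed htpasswd user names.

```php
<?php defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/CMS_Controller.php (hardened variant, added example).
// Trusts only the user name the web server authenticated, and checks it
// against an allow-list so the gate fails closed when the server did not
// authenticate the request at all.
class CMS_Controller extends CI_Controller {

    public function __construct()
    {
        parent::__construct();

        $user    = $this->authenticated_user();
        // 'cms_users' is a hypothetical config key, e.g. $config['cms_users'] = array('username');
        $allowed = (array) $this->config->item('cms_users');

        if ($user === NULL OR ! in_array($user, $allowed, TRUE))
        {
            log_message('error', 'CMS access denied from ' . $this->input->ip_address());
            set_status_header(403);
            exit('Forbidden');
        }
    }

    /**
     * Returns the user name established by the web server's own authentication
     * (Apache's Require user ... block), or NULL when the server did not
     * authenticate this request. PHP_AUTH_USER is deliberately not consulted:
     * it only echoes the Authorization header the client chose to send.
     */
    protected function authenticated_user()
    {
        // After an internal redirect (the mod_rewrite to index.php is one)
        // Apache may expose the variable under the REDIRECT_ prefix as well.
        foreach (array('REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key)
        {
            if ( ! empty($_SERVER[$key]))
            {
                return $_SERVER[$key];
            }
        }
        return NULL;
    }
}
```

With this in place the .htaccess block still does the actual password check; the PHP side only confirms that the check happened and that the resulting user is one the CMS expects, which is the property the original PHP_AUTH_USER test was meant to provide.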