Welcome Guest, Not a member yet? Register   Sign In
Needed: Summary of Security and Sessions versus standard PHP
#1

[eluser]Unknown[/eluser]
Hello all,

In apps I am working with the username and password are compared against the db and if a match is found a $_SESSION variable is set (say for example $_SESSION['logged_on']). Then in each module/page that variable is checked and if false the user is redirected to the home page. How would this be done in CI? CI does not use the native PHP sessions.

I imagine it is a rather simple thing to run the query to look for a hit, but how then do you insure that the user can see no pages other than the home page unless logged on? I am trying to get my head around all of this so I can port the app to CI.

Thanks,

Scott
#2

[eluser]Lick[/eluser]
LoginPage:
Code:
class MyLoginPage extends Controller {

   function MyLoginPage () {
      parent::Controller();

      $this->load->library('session'); // use this or Auto-Load

      if ( /* valid user login */ ) {
          $this->session->set_userdata('logged_in', TRUE);
      }
   }
  
   ...
}

SecretPages:
Code:
class MySecretPage extends Controller {

   function MySecretPage() {
      parent::Controller();

      $this->load->library('session'); // use this or Auto-Load

      if ($this->session->userdata('logged_in') !== TRUE) {
          redirect(site_url());
      }
   }
  
   ...
}

I'm pretty new to CodeIgniter so this might totally not work, at all.
#3

[eluser]Rick Jolly[/eluser]
[quote author="lsat" date="1183708518"]Hello all,
...CI does not use the native PHP sessions.
[/quote]

You can use native sessions if you like. I do.
#4

[eluser]Unknown[/eluser]
[quote author="Rick Jolly" date="1183712756"]You can use native sessions if you like. I do.[/quote]

Could you give a brief example of how you use native PHP sessions in CI?
#5

[eluser]Rick Jolly[/eluser]
Php native sessions based on Lick's example.

LoginPage:
Code:
class MyLoginPage extends Controller
{
   function MyLoginPage()
   {
      parent::Controller();
      session_start();
   }

   function index()
   {
      if ( /* login form submitted */ )
      {
          if ( /* valid user login */ )
          {
              $_SESSION['logged_in'] = true;

              // redirect to secure page..
          }
          else
          {
             // set login error message
          }
       }
      
       // load the login view
   }
}

SecretPages:
Code:
class MySecretPage extends Controller
{
   function MySecretPage()
   {
      parent::Controller();
      session_start();

      if (empty($_SESSION['logged_in']))
      {
          // redirect to login page
      }
   }
  
   ...
}

You could make "MySecretPage" a parent to all secure controllers. That way for every secure controller, you'd just extend "MySecretPage" and no additional authentication checks would be necessary:
Code:
include(APPPATH . '/controllers/my_secret_page.php');

/* This controller is secure because the authentication
   check is done in MySecretPage's constructor */
class ChildSecretPage extends MySecretPage
{
   function ChildSecretPage ()
   {
      parent::MySecretPage();
   }
  
   ...
}
#6

[eluser]Dr.Dan[/eluser]
[quote author="Rick Jolly" date="1183716417"]Php native sessions based on Lick's example.

You could make "MySecretPage" a parent to all secure controllers. That way for every secure controller, you'd just extend "MySecretPage" and no additional authentication checks would be necessary:
Code:
include(APPPATH . '/controllers/my_secret_page.php');

/* This controller is secure because the authentication
   check is done in MySecretPage's constructor */
class ChildSecretPage extends MySecretPage
{
   function ChildSecretPage ()
   {
      parent::MySecretPage();
   }
  
   ...
}
[/quote]

That's Nice One!! :coolsmile:




Theme © iAndrew 2016 - Forum software by © MyBB