Ion Auth - Lightweight Auth System based on Redux Auth 2

[eluser]Aidy[/eluser]
@design_shuffle check this out

http://benedmunds.com/ion_auth/#is_group

[eluser]Lucas Alves[/eluser]
Thinking about my previous changes, and how about if an user is logged and we change his group or deactivate him. The lib is just checking the group and the user id stored in the session, so, while the session doesn't finishes, he will stay with the active and within the group that he was when he logged in.

what do you think about it?

One solution would be set the ci session expiration time with a short value, like 30 min, or 1 hour. Then, if he marked the "remember" option, when the login_remembered_user function run, it will remake the group and the active status with my previous post modification...

Another solution would be check if he's active and the group every time we run "is_group" or "logged_in". But I think it's not too good, cause it would have too many selects, and if we have some hundreds of users or a bad server it would slow down the app...

What do you think?

Sadly, I don't have access to github. I'd really like to help more...

thanks.

[eluser]Lucas Alves[/eluser]
My final solution to this was:

in the ion_auth model I created this methods:

Code:

public function check_session_validity()
{
    $this->db->where($this->tables['users'].'.id', $this->session->userdata('user_id'));
    $this->db->where($this->tables['users'].'.'.$this->identity_column, $this->session->userdata($this->identity_column));
    $this->db->where($this->tables['users'].'.group_id', $this->session->userdata('group_id'));
    $this->db->where($this->tables['users'].'.active', 1);

    return $this->db->count_all_results($this->tables['users']) > 0;
}


public function refresh_session_data(){
    $db_user_data = $this->get_user()->row();
    
    if(empty($db_user_data)){
        return FALSE;
    }
    
    if($db_user_data->active == 0){
        return FALSE;
    }
        
    $this->session->set_userdata($this->identity_column, $db_user_data->{$this->identity_column});
    $this->session->set_userdata('group_id', $db_user_data->group_id);
    $this->session->set_userdata('group', $db_user_data->group);
    
    return TRUE;
}

and in the constructor of the library, after check remembered, I put this code

Code:

//auto-login the user if they are remembered
if (!$this->logged_in() && get_cookie('identity') && get_cookie('remember_code'))
{
    $this->ci->ion_auth_model->login_remembered_user();
}
//check if the data in the session is equal to database data
elseif($this->logged_in() && !$this->ci->ion_auth_model->check_session_validity())
{
        //try to refresh the session data
    if(! $this->ci->ion_auth_model->refresh_session_data()){
                //oh, I can't update the session. Probably the user was deactivated
        $this->logout();
    }
}

What do you think?

As I said, I don't have access to github, but I'll try to get this friday at home...

[eluser]loosetops[/eluser]
Did you couple that code with a timeout value so as not to overload the db with calls?

[eluser]Paul Huu[/eluser]
Hey Ben, it turned out to be a very simple. $this->form_validation->run() always returned false because of how you loaded the 'login' view.

Code:

if (!$this->ion_auth->logged_in()) {
            //redirect them to the login page
            redirect('auth/login', 'refresh');
        }

Using $this->load->view('auth/login', 'refresh'); solved the problem for me.

Your example controller & views just didn't work right out the box for me. The other forms are broken, too, but solved in a similar fashion.

And thank you for writing this beautiful authentication library. =]

[eluser]Lucas Alves[/eluser]
[quote author="loosetops" date="1281601708"]Did you couple that code with a timeout value so as not to overload the db with calls?[/quote]

The problem with change the session timeout is that if an user doesn't check "remember me", he will disconnect when the session reachs the timeout. An another problem is that if I need to deactivate an user that is logged, he will stay logged in until the session expire. And the same problem if I change the user group.

Like I'm just doing a count, I don't think it will be a problem. Another solution?

[eluser]loosetops[/eluser]
You would use another "timeout" value(one specific to this requirement) and tuck it into the SESSION variable. So that if it is 1 hour, every one hour you check the db to see if the user is still enabled.

[eluser]Lucas Alves[/eluser]
Hmm, now I understood you. It's a good idea too, but the problem with "in real time" blocking will still bothering me

It's a requirement of my app, so... I think that some counts won't make me lose my sleep... Thank you very much.

[eluser]jsherk[/eluser]
@Lucas... I don't know enough about sessions (which is why I use Ion Auth), but is it possible to delete/destroy a users session whenever their group is changed and/or they are de-activated?

If this can be done, then upon changing their group, they would be automatically logged out and have to login again.

[eluser]jsherk[/eluser]
Looking for comments on ACL for CRUD ... My next application will require Access Control for Create Read Update Delete for each user on each page.

I really like Ion Auth, and wanted to brainstorm with everybody's comments/ideas on how to modify it to work in such a scenario. The ultimate goal would be to come up with a solution that is still "lightweight" enough to have the code actually included as part of Ion Auth. If it gets a little too "heavy" then alternatively it could become it's own library that uses Ion Auth as it's base.

I am no expert when it comes to Authorization and Access Control so all pointers would be helpful!

Thanks
Jeff