Implementing secure controllers/pages in Codeigniter
[eluser]Christopher Imrie[/eluser]
Quote: This is an extract from a blog article I wrote, but I have brought the code and essential description here in case someone finds it useful.

A common need amongst web applications is the need for password protected areas of your web application. Coming up with a good security structure within CodeIgniter can be tricky for those new to the framework, since there is no clear method for doing so. The model I have developed has the following features:

* Supports both secure and unsecured controllers (for public areas of your site)
* No modification of core files
* CodeIgniter library can be upgraded with new releases without breaking the security model
* Un-authenticated URL requests are intercepted, shown a login screen, then redirected to the original URL
* Controllers are kept "security code" free

Transparency

The method I show you here is very transparent in its implementation. The security is loaded silently in the background and your controllers only need three characters added to them in order to inherit the protection of the security system. Therefore you can work in any CodeIgniter controller without any extraneous security code getting in the way.

Keeping things as secure as possible

In order for the method I show you to have the best security, make sure you have the following setup:

* Session library is autoloaded
* Session data is saved to the database
* Session data is encrypted in your session preferences

How it works

The system works by extending the CodeIgniter Controller class and having any secure controllers extend from this new class. Therefore make sure that in your preferences you have set your Class Extension Prefix to the following (this is the default, so it probably won't have changed):

Code: $config['subclass_prefix'] = 'MY_';

This will allow us to have the custom controller loaded automatically by CodeIgniter on each page load.
Custom Controller

Here is the first file; it is a custom controller that extends the default controller class. I have commented it as extensively as I can and pointed out where you need to add your own customized code. You need to save this file as MY_Controller.php and place it in your ./system/application/libraries/ folder.

Code: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

Creating a secure controller

Now that this controller class has been set up, the act of creating a secure controller is a breeze:

Code: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

Note the "extends MY_Controller" keywords. This ensures that the security is enforced.
[eluser]Christopher Imrie[/eluser]
Login Controller

For clarity I have also included the login controller that functions as the login screen. This file is to be named login.php and placed in your ./system/application/controllers/ folder.

Code: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

This is a very bare-bones login controller, but it will do the trick very nicely and, crucially, sets up some session userdata that is checked by the custom controller I showed you above. Simply create a view named login_view.php (or modify the code above to suit your naming structure) and have it show a form with username and password fields. You will also need to fill in the _verify_username_password() method with your own verification code and then return TRUE/FALSE to indicate a successful username and password match.

Hope someone finds this handy, since it allows you to work on your web app with the security being as transparent as possible in your controllers.
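The listings in the posts above survived only as their first line, so here is an added example (not the poster's own code) of the three pieces the thread describes: the MY_Controller base class that checks the session in its constructor, a protected controller that inherits the check by extending it, and the public login controller that sets the session flag and redirects back to the originally requested URI. The three files are shown in one listing with their intended paths in comments. It assumes the CodeIgniter 1.x API the thread's paths imply (a Controller base class, parent::Controller(), $this->session, $this->uri->uri_string(), redirect() from the url helper) and PHP 5.5 or later for password_verify(). The names Dashboard, redirect_to and logged_in, and the inline user record, are constructed for the example; login.php and login_view.php come from the post.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// --- ./system/application/libraries/MY_Controller.php -----------------------
// Loaded automatically because $config['subclass_prefix'] is 'MY_'.
// Assumes the Session library is autoloaded, stored in the database and encrypted.
class MY_Controller extends Controller
{
    function __construct()
    {
        parent::Controller();           // CI 1.x base-class constructor
        $this->load->helper('url');     // provides redirect()

        // Runs before any method of a child controller, so an unauthenticated
        // request never reaches protected code.
        if ($this->session->userdata('logged_in') !== TRUE)
        {
            // Remember the requested path. This is the application's own URI
            // string, not a user-supplied URL, so redirecting back to it is safe.
            $this->session->set_userdata('redirect_to', $this->uri->uri_string());
            redirect('login');
        }
    }
}

// --- ./system/application/controllers/dashboard.php -------------------------
// Hypothetical protected controller. The only change from an ordinary controller
// is "extends MY_Controller"; a controller left extending Controller stays public.
class Dashboard extends MY_Controller
{
    function __construct()
    {
        parent::__construct();
    }

    function index()
    {
        echo 'Only authenticated users see this page.';
    }
}

// --- ./system/application/controllers/login.php -----------------------------
// Deliberately extends the plain Controller so the login screen itself is public.
class Login extends Controller
{
    function __construct()
    {
        parent::Controller();
        $this->load->helper(array('url', 'form'));
    }

    function index()
    {
        $username = $this->input->post('username');   // FALSE when not posted
        $password = $this->input->post('password');

        if ($username !== FALSE && $password !== FALSE)
        {
            if ($this->_verify_username_password($username, $password))
            {
                $this->session->set_userdata('logged_in', TRUE);
                // Return to the page that triggered the login, else the site root.
                $target = $this->session->userdata('redirect_to');
                $this->session->unset_userdata('redirect_to');
                redirect($target ? $target : '');
            }
            // One message for unknown user and wrong password: reveal neither.
            $this->session->set_flashdata('error', 'Invalid username or password.');
            redirect('login');
        }

        $this->load->view('login_view');   // form with username and password fields
    }

    function logout()
    {
        $this->session->sess_destroy();
        redirect('login');
    }

    // Underscore-prefixed methods are not routable from the URL in CodeIgniter.
    // Assumption: a real application looks the user up in its users table; here a
    // single constructed record stands in for it. Only a password hash is stored,
    // and the comparison is done by password_verify() (PHP 5.5+).
    function _verify_username_password($username, $password)
    {
        $users = array(
            // Constructed sample user; the hash would normally come from the database.
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        );
        if ( ! isset($users[$username]))
        {
            return FALSE;
        }
        return password_verify($password, $users[$username]);
    }
}
```

Because the check lives in MY_Controller's constructor, every method of every controller that extends it is covered without further code; the flip side is that a new controller which forgets to extend MY_Controller is silently public, so reviewing the "extends" line of each controller is the one audit step this model needs.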
[eluser]cryogenix[/eluser]
This is nice. I think I might give it a try sometime. One thing though (and I don't mean to pop your bubbles), but why try to reinvent the wheel? Aren't there a lot of auth solutions here already? I currently am using Ion Auth btw, and here's the way I use it: http://ellislab.com/forums/viewthread/149476/#773561

Cheers. My 2 cents worth...
[eluser]Christopher Imrie[/eluser]
@cryogenix thanks. I know what you're saying about reinventing the wheel; I totally agree that you will probably hit the ground running much faster if you go with Ion Auth, especially when you consider it handles password encryption and user handling. I just wanted to show that it's not that tricky to implement a reasonably secure security model in CI. I eventually ended up using this method after many different attempts at a nice, easy-to-use security model, and have since saved it as a standard library to use with all my projects. I've fleshed it out with my own user handling methods and custom password handling, so I know it inside out.