Login

11-26-2007, 05:06 AM

[eluser]morph london[/eluser]
Hi I am very new to CodeIgniter and I am very impressed with what I have seen so far. Now my first CodeIgniter project involves a simple cms. I have been searching for a standardized way of

a) Creating a login page (email, password) from a database.
b) A piece of code I can add to each page that is "protected" that will redirect to the login page.

I was quite surprised in the documentation that there seems to be no way built into CodeIgniter to do this out of the box. Is there a standard was of achieving this? or is there a method anyone could recommend as being secure?

Also in my attempts to create such a page I have come across an issue with the Validation library. When I validate the password field and md5 it in the process, if the user has not entered a valid email it bounces back to the login page but the password field contains the md5 hash. I would like it to contain the original string.

Thanks for your help.

11-26-2007, 05:48 AM

[eluser]stevepaperjam[/eluser]
I've had success with DanFreak's FreakAuth, which is built for CI.

11-26-2007, 06:16 AM

[eluser]morph london[/eluser]
Thanks for the link I will check it out. The site has to be secure so do you know if this is secure code. What I am ideally looking for is adding CI to my 'Toolkit' as it were and I don't want to find out down the line I am using code that I will have to go and amend.

11-26-2007, 09:09 AM

[eluser]stevepaperjam[/eluser]

Quote:do you know if this is secure code

So far I've only used it as part of a blog-type thing for the admin section, but I'm planning on using it as part of a shopping cart site.

I've not done any security testing myself, but you might be able to glean some further info from this thread.

11-26-2007, 09:17 AM

[eluser]stevepaperjam[/eluser]
...and there's also Erkana , not tried it myself: looks good tho...

11-26-2007, 10:00 AM

[eluser]Phil Sturgeon[/eluser]
CI can do this out of the box.

Model

Code:
function checkLogin($username, $password){

$this->db->where('username', $username);

$this->db->where('password', $password);

$query = $this->db->get('users');

$user = $query->row();

$this->session->set_userdata('userid', $user->userid);

return ($query->num_rows() > 0);

}

Controller Check

Code:
if(!$this->session->userdata('userid')) redirect('user/login');

User Auth is an INCREDIBLY simple thing, its just bloated by extra things such as forgot password, activation, user management, banning, etc. A full user auth system in CI can be done with 2 methods, 1 model and the simple piece of code above.

I would avoid FAL like the plague for a small project, but it can come in handy if you strip it RIGHT down to the bones.

11-26-2007, 10:48 AM

[eluser]morph london[/eluser]
Ok cool thats exactly what I wanted. Now back to the other issue I am having. So looking at the validation Library it demonstrates the validation for a password field using md5. So I assume it is better to store a password as md5 for security, then compare it from there.

Now in the below code taken from the docss:

function index()
{
$this->load->helper(array('form', 'url'));

$this->load->library('validation');

$rules['username'] = "required";
$rules['password'] = "required";
$rules['passconf'] = "required";
$rules['email'] = "required";

$this->validation->set_rules($rules);

$fields['username'] = 'Username';
$fields['password'] = 'Password';
$fields['passconf'] = 'Password Confirmation';
$fields['email'] = 'Email Address';

$this->validation->set_fields($fields);

if ($this->validation->run() == FALSE)
{
$this->load->view('myform');
}
else
{
$this->load->view('formsuccess');
}
}

If the user leaves out their email address this then fills the password field with a md5 instead of their original string.

11-26-2007, 11:11 AM

[eluser]Phil Sturgeon[/eluser]
You are close.

Code:
function index()

{

    $this->load->helper(array(’form’, ‘url’));

    $this->load->library(’validation’);

    $rules['username'] = 'required';

    $rules['password'] = 'required';

    $rules['passconf'] = 'required|matches[password]';

    $rules['email'] = 'required|valid_email';

    $this->validation->set_rules($rules);

    $fields['username'] = 'Username';

    $fields['password'] = 'Password';

    $fields['passconf'] = 'Password Confirmation';

    $fields['email'] = 'Email Address';

    $this->validation->set_fields($fields);

    // Populate a data variable

    foreach(array_keys($fields) as $field):

        $data[$field] = $this->input->post($field);

    endforeach;

    if ($this->validation->run() == FALSE)

    {

        $this->load->view('myform', $data);

    }

    else

    {

        // Encrypt their password before submitting (do this in the model if you preffer

        $data['password'] = md5($data['password']);

        $this->user_model->addUser($data);

        $this->load->view('formsuccess', $data);

    }

}

Notice the improved validation rules to make sure passwords match and the email is forced to be a valid email.

Also notice the loop that will grab data from post and put it into a $data variable so you can pass it to your model. We then replace the users submitted password with a md5 hash.

Registration complete!

11-26-2007, 11:32 AM

[eluser]Rick Jolly[/eluser]
pyromaniac - You've just created another auth library! Maybe call it pyroauth and create a support thread.

11-26-2007, 11:35 AM

[eluser]Michael Wales[/eluser]
Don't forget to add a salt.