Login system need a little help
#2

TheFuzzy0ne
Welcome to the CodeIgniter forums!

I think you should take a look at the existing auth libraries out there, and apply what you see to your HMVC module. Your login model is generating a random salt each time, which isn't going to help, since the SHA-1 hash will be different each time. The salt should be generated once only -- when the account is first created. It then needs to be stored in the database.

Also, I would suggest you move most of that controller logic into your model. Your model can handle everything, including locking down the login functionality for someone who has tried to login with the wrong credentials more than x number of times.

Essentially, your controller might look something like this:
Code:
class Login extends MX_Controller {

    function __construct()
    {
        parent::__construct();
        // Both the callback and logout() need these, so load them once here.
        $this->load->library(array('form_validation', 'session'));
        $this->load->model('login_model');
    }

    function index()
    {
        // The callback does all the work; the field label is left empty on purpose.
        $this->form_validation->set_rules('username', '', 'callback_try_login');
        
        // If validation passes, redirect to the admin panel...
        if ($this->form_validation->run())
        {
            redirect('/admin');
        }
        
        // ... Otherwise, load the view.
        $this->load->view('login_view');
    }
    
    function logout()
    {
        // Just unset the user ID, and redirect back to the login page.
        // You may want to set a flash data message here to display to the user.
        $this->session->unset_userdata('user_id');
        redirect('/login');
    }
    
    function try_login()
    {
        $username = $this->input->post('username', TRUE);
        $password = $this->input->post('password', TRUE);
        
        // Do we have both a username and a password?
        if ( ! $username OR ! $password)
        {
            $this->form_validation->set_message('try_login', 'Username and password are required!');
            return FALSE;
        }
        
        // Were we able to log the user in?
        if ( ! $this->login_model->do_login($username, $password))
        {
            $this->form_validation->set_message('try_login', 'Invalid username and/or password!');
            return FALSE;
        }
        
        return TRUE;
    }
}

And your model might look something like this:
Code:
class Login_model extends CI_Model {

    public $allowed_failed_logins = 3;

    // Named do_login() so it matches the call made from the controller's callback.
    function do_login($username = '', $password = '')
    {
        // Try to get the user from the database (a single row as an array).
        $user = $this->db
            ->select('id, username, password_hash, salt, failed_logins')
            ->where('username', $username)
            ->limit(1)
            ->get('users')
            ->row_array();
            
        // If we don't have a user, halt in ze name of ze law!
        if ( ! $user)
        {
            return FALSE;
        }
        
        // Check that the number of allowed failed logins hasn't been reached.
        if ($user['failed_logins'] >= $this->allowed_failed_logins)
        {
            return FALSE;
        }
        
        // Does the password hash match the one in the database?
        // The stored, per-account salt is reused here; it is never regenerated.
        if ($user['password_hash'] !== sha1($password.$user['salt']))
        {
            // Increment the failed login count.
            $this->increment_failed_logins($user['id']);
            return FALSE;
        }
        
        // If we made it this far, all is well, so log the user in.
        
        // Reset the failed login attempts if necessary.
        if ($user['failed_logins'] > 0)
        {
            $this->reset_failed_logins($user['id']);
        }
        
        // Set some stuff.
        $this->session->set_userdata(array(
            'username' => $username,
            'user_id' => $user['id'],
        ));
        
        return TRUE;
    }
    
    function increment_failed_logins($user_id = 0)
    {
        // FALSE as the third argument stops CI from quoting the expression.
        $this->db
            ->set('`failed_logins`', '`failed_logins` + 1', FALSE)
            ->where('id', $user_id)
            ->update('users');
    }
    
    function reset_failed_logins($user_id = 0)
    {
        $this->db
            ->set('failed_logins', '0')
            ->where('id', $user_id)
            ->update('users');
    }
}

The above code is untested, and thrown together in about 5 minutes.

Note how the salt is pulled from the database and used to hash the password. To log a user out, I simply unset the user_id. This can be useful in some situations, such as when you have a "remember me" checkbox on your Web site. Rather than destroying the data, we preserve it. You could take a different approach if you wanted to, and unset everything, or everything but the username. It's your call. You could also make some improvements to my code, since it was only a quick example.

Also, you should find the code is much easier to follow. In your controller, I haven't bothered validating each field separately. You can if you want, but I think it's easier to validate them both at the same time for logins.

Hope this helps.
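An added, stand-alone illustration of the scheme the reply describes (not TheFuzzy0ne's code and not CodeIgniter's): the salt is generated once at registration and stored, the stored salt is reused at every login, and failed attempts are counted and locked out. It assumes PHP 7+ and uses an in-memory array in place of the `users` table.

```php
<?php
// Constructed example: an array stands in for the `users` table.
const ALLOWED_FAILED_LOGINS = 3;

$users = [];  // username => ['password_hash' => ..., 'salt' => ..., 'failed_logins' => int]

// Registration is the ONLY place a salt is generated (random_bytes needs PHP 7+).
function register_user(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));               // unique per account
    $users[$username] = [
        'password_hash' => sha1($password . $salt),  // same construction as the reply
        'salt'          => $salt,                    // stored so login can recompute the hash
        'failed_logins' => 0,
    ];
}

// Login: fetch the stored salt, recompute, compare in constant time, enforce lockout.
function do_login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;                                // unknown user
    }
    $user = &$users[$username];

    if ($user['failed_logins'] >= ALLOWED_FAILED_LOGINS) {
        return false;                                // locked: too many failed attempts
    }

    $candidate = sha1($password . $user['salt']);    // salt is reused, never regenerated
    if (!hash_equals($user['password_hash'], $candidate)) {
        $user['failed_logins']++;                    // count the failure
        return false;
    }

    $user['failed_logins'] = 0;                      // a good login resets the counter
    return true;
}

register_user($users, 'alice', 'correct horse');
do_login($users, 'alice', 'wrong');                  // counted as one failure
do_login($users, 'alice', 'correct horse');          // succeeds and resets the counter
for ($i = 0; $i < ALLOWED_FAILED_LOGINS; $i++) {
    do_login($users, 'alice', 'wrong');              // reaches the lockout threshold
}
do_login($users, 'alice', 'correct horse');          // refused: account is locked
// password_hash()/password_verify() (PHP 5.5+) do the salt-once-and-store work
// with a slow hash; sha1 is used here only to mirror the reply's scheme.
```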

