Question about security (or how to do a private section)
#1

[eluser]Iván Argulo[/eluser]
Well, I have to add username and password validation to a specific group of controllers.

I have the following:

Folder controllers/admin (so, its URL is myapp.com/admin)

Then, in a pre-controller event I do this:

Code:
$segment = $this->uri->segment(1);

// Bounce every request under /admin to the login page. The login page
// itself is excluded, otherwise the redirect would loop forever.
if ($segment == 'admin' && $this->uri->segment(2) != 'login')
    redirect('admin/login');

Is this safe enough?

Thanks in advance
#2

[eluser]TheFuzzy0ne[/eluser]
No. Ideally, you should store the admin level/status in an encrypted cookie, and use that. That way you're virtually guaranteed that a user cannot access the admin section unless you've specifically set their admin level to do so. Obviously, the admin level will be set when they login, and ideally, it should be refreshed from the database for each subsequent request, to account for when you remove admin privileges; otherwise you'll find that even when you demote an administrator, they will still keep their credentials until they log out (if they ever do).
#3

[eluser]bigtony[/eluser]
The way I approach it is as follows:

1. Create a 'login' controller & view. This will validate username & password and set a session variable (e.g. set 'logged_in' to '1').

2. Create a helper with a couple of functions:
(a) is_logged_in() - returns true or false depending on session variable.
(b) ensure_logged_in() - calls is_logged_in() and if false redirects to the login controller.
Code:
// Helpers are plain functions with no $this, so fetch the CI super object.
function is_logged_in() {
    $CI =& get_instance();
    return $CI->session->userdata('logged_in') == '1';
}

// Requires the url helper for redirect(); redirect() exits, so nothing
// after this call runs for an unauthenticated request.
function ensure_logged_in() {
    if (! is_logged_in()) {
        redirect('login');
    }
}

3. In each controller that needs to be restricted, call the ensure_logged_in() function in the _remap() method of the controller.
Code:
// _remap() receives the requested method, so dispatch to it after the
// check instead of always running index().
function _remap($method, $params = array()) {
    ensure_logged_in();
    if (method_exists($this, $method)) {
        return call_user_func_array(array($this, $method), $params);
    }
    show_404();
}

I also recommend using database sessions to increase security a bit more.
#4

[eluser]Iván Argulo[/eluser]
Very good solutions, for a more complex project.

Here we only have 1 user, and the cookie is stored in the database.

But thanks for your suggestions, it gives me lots of things to do ;)

Thanks to both of you
#5

[eluser]TheFuzzy0ne[/eluser]
Do you have a static IP? At the very least you might be able to authenticate admins by IP, but I would still suggest that you make it as secure as you can, since you never know who's going to figure out how it works. Even using an htpasswd file for authentication will be more secure than your proposed solution.
#6

[eluser]Iván Argulo[/eluser]
Well, the only way to gain access to these controllers is to alter the cookie (stored in the database), because every time you access any controller in the admin folder, for example, it checks the cookie value and redirects if you're not logged in.

I'm trying to figure out how to break this, if possible... But I'm not experienced enough in cracking such a validation; I can only do basic SQL Injection or XSS...
#7

[eluser]devbro[/eluser]
What I did for my project was to extend the Controller to a new one called MY_Controller_admin.
The new controller would do the authentication and, if it failed, redirect to the login page. It saved me typing the code in all admin controllers.

As for the ways I know to crack it: one is to steal the session cookies. There are two ways to limit that:
1. Grab the IP on each request and compare it against GeoIP; if it is too far away, expire the session.
2. Put an idle limit on each session (10 min?) so that inactivity causes the session to be cancelled.
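The following is an added example, not code from this thread or from CodeIgniter itself, that combines the three ideas above: devbro's base-controller extension, TheFuzzy0ne's per-request refresh of the admin flag from the database, and the two session-hijacking limits from post #7 (an IP check, done here as an exact match rather than a GeoIP distance, and an idle timeout). It is written against the CodeIgniter 1.7 API in use when this thread was written (`Controller`, `$this->session->userdata()`, `redirect()`); in CodeIgniter 2/3 the base class is `CI_Controller`. The class name `Admin_Controller`, the file path, the 10-minute idle limit and the `users(id, is_admin)` table are all assumptions.

```php
<?php
// application/libraries/MY_Controller.php  (assumed location, CodeIgniter 1.7 layout)
// Added example: a base class that every admin controller extends. Not code
// from the original thread. The login controller must NOT extend it, or the
// redirect below would loop.
class Admin_Controller extends Controller
{
    // Seconds of inactivity before an admin session is dropped (assumption: 10 min).
    var $admin_idle_limit = 600;

    function __construct()
    {
        parent::Controller();
        $this->load->helper('url');      // for redirect()
        $this->load->library('session');
        $this->load->database();
        $this->_require_admin();         // runs before any action of any subclass
    }

    function _require_admin()
    {
        // 1. Must have logged in at all. The login controller is assumed to
        //    store the user's id under 'user_id' after checking the password.
        $user_id = $this->session->userdata('user_id');
        if ($user_id === FALSE) {
            redirect('admin/login');
        }

        // 2. Idle timeout: no request for admin_idle_limit seconds ends the session.
        $last = (int) $this->session->userdata('last_admin_activity');
        if ($last > 0 && (time() - $last) > $this->admin_idle_limit) {
            $this->session->sess_destroy();
            redirect('admin/login');
        }
        $this->session->set_userdata('last_admin_activity', time());

        // 3. Bind the session to the address it was created from. CI's session
        //    library records 'ip_address' when the session is started.
        if ($this->session->userdata('ip_address') !== $this->input->ip_address()) {
            $this->session->sess_destroy();
            redirect('admin/login');
        }

        // 4. Re-read the admin flag on every request so that demoting a user
        //    takes effect immediately rather than at their next login.
        //    Assumed schema: table `users` with columns `id` and `is_admin`.
        $query = $this->db->select('is_admin')->where('id', $user_id)->get('users');
        if ($query->num_rows() !== 1 || (int) $query->row()->is_admin !== 1) {
            $this->session->sess_destroy();
            redirect('admin/login');
        }
    }
}
```

An admin controller then just declares `class Users extends Admin_Controller` and calls `parent::__construct()`; none of its methods can run without the four checks passing. CodeIgniter's own session config covers checks 2 and 3 (`sess_expiration` and `sess_match_ip`); they are spelled out here to show what those settings actually enforce. With `sess_use_database` enabled, the `user_id` and `last_admin_activity` values live in the sessions table rather than in the client's cookie, which is the reason bigtony recommends database sessions.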
#8

[eluser]Zack Kitzmiller[/eluser]
[quote author="TheFuzzy0ne" date="1248112133"]No. Ideally, you should store the admin level/status in an encrypted cookie, and use that. That way you're virtually guaranteed that a user cannot access the admin section unless you've specifically set their admin level to do so. Obviously, the admin level will be set when they login, and ideally, it should be refreshed from the database for each subsequent request, to account for when you remove admin privileges; otherwise you'll find that even when you demote an administrator, they will still keep their credentials until they log out (if they ever do).[/quote]

I completely disagree with this. Leaving this information in a cookie, even with encryption, is not completely safe and could be broken.

I always use encrypted tokens (user_id|user_level|timestamp), and save them in PHP sessions. This is far more secure than storing any information on the client side.
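As an added example (not code from this thread), here is the `user_id|user_level|timestamp` token shape from the post above, built so that it can be checked for tampering and age. The practical risk with a client-held value is not that someone reads it, but that they edit `user_level` or keep replaying an old token; a keyed MAC detects the first, the timestamp bounds the second, and neither removes the need for the server-side privilege check from post #2 if you want demotion to take effect before the token expires. The secret, the 10-minute lifetime and the sample values are assumptions; `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example: a tamper-evident admin token "user_id|user_level|timestamp".
// Not code from the original thread.

// Assumption: a long random secret loaded from server-side config, never sent to the client.
define('TOKEN_KEY', 'replace-with-32-random-bytes-from-config');
// Assumption: a token is accepted for 10 minutes after it was issued.
define('TOKEN_TTL', 600);

// Build a token. $now is injectable so the expiry logic can be exercised offline.
function make_admin_token($user_id, $user_level, $now = NULL)
{
    $now = ($now === NULL) ? time() : $now;
    $payload = $user_id . '|' . $user_level . '|' . $now;
    // HMAC over the whole payload: changing any field invalidates the tag.
    $mac = hash_hmac('sha256', $payload, TOKEN_KEY);
    return base64_encode($payload . '|' . $mac);
}

// Returns array(user_id, user_level) for a valid token, FALSE for anything else.
function check_admin_token($token, $now = NULL)
{
    $now = ($now === NULL) ? time() : $now;
    $raw = base64_decode($token, TRUE);        // strict mode rejects junk bytes
    if ($raw === FALSE) {
        return FALSE;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return FALSE;
    }
    list($user_id, $user_level, $issued, $mac) = $parts;

    // Verify the tag before trusting any field; constant-time compare.
    $expected = hash_hmac('sha256', "$user_id|$user_level|$issued", TOKEN_KEY);
    if (!hash_equals($expected, $mac)) {
        return FALSE;
    }
    // Reject tokens that are too old or claim to come from the future.
    if (!ctype_digit($issued) || (int) $issued > $now || ($now - (int) $issued) > TOKEN_TTL) {
        return FALSE;
    }
    return array((int) $user_id, (int) $user_level);
}

// Constructed demonstration values (user 42, level 1, issued at a fixed time).
$issued_at = 1248112133;
$token = make_admin_token(42, 1, $issued_at);

// Within the lifetime: accepted, returns the two fields.
var_dump(check_admin_token($token, $issued_at + 60));

// One hour later: rejected as expired even though the MAC is still valid.
var_dump(check_admin_token($token, $issued_at + 3600));

// A client edits user_level from 1 to 9 without knowing TOKEN_KEY: the MAC
// no longer matches and the token is rejected.
$forged = base64_encode(str_replace('42|1|', '42|9|', base64_decode($token)));
var_dump(check_admin_token($forged, $issued_at + 60));
```

Whether the token is kept in a PHP session (as the post above does) or in a cookie, the verification is the same; what changes is who can see and edit the bytes. Storing it server-side means an attacker needs the session id rather than the token, which is exactly the cookie-theft scenario devbro raised in post #7.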
#9

[eluser]bigtony[/eluser]
Deleted post (may have written something incorrect).
#10

[eluser]TheFuzzy0ne[/eluser]
[quote author="techneke" date="1248122728"]
I completely disagree with this. Leaving this information in a cookie, even with encryption, is not completely safe and could be broken.[/quote]

Hmmm. I feel a wager coming on here. Are you saying that if I give you some encrypted cookie data, you can decrypt it? I'd be very interested to see that...
