[El Forum]

[eluser]mshaw087[/eluser]
Hi there,

I'm new to the forum so please go easy on me. I am creating the security for a system using the Code Igniter framework and have created a sub controller extending from the controller library (The sub controller is called MY_Controller.php). I have inherited from this controller any controller that can only be viewed by an authenticated user. In the constructor for MY_Controller it checks if the user is currently logged in and if not it redirects them to the login page. This all seems to work in Firefox, however in Internet Explorer whenever I use any address that involves using a route, the constructor for MY_Controller isn't run and therefore this check isn't happening. The consequence is an anonymous user is able to view the page that only authenticated users should be able to see. Has anyone seen this situation? Is there a resolution? I can provide more information if necessary. I hope this all makes sense.

[El Forum]

[eluser]jedd[/eluser]
Hi mshaw087 and welcome to the CI forums.

You have indeed painted an interesting picture here.

Can you please clarify - if you use any address that involves a route, and you are using FF, does it work as anticipated?

It seems a curious (read a tad unlikely) combination of server and browser side interactions here .. as the route, controller, and various other things are all happening up on the server.

My first guess would be that you authorised yourself using your IE instance, and it has retained the password. You can either try to flush cookies, memories of passwords/forms etc, or perhaps just try hitting the URL from a different machine - to really prove this out one way or the other.

When you say that MY_Controller constructor is not run - how are you ascertaining this - some echo statements, or the presence of some variables elsewhere?

[El Forum]

[eluser]mshaw087[/eluser]
Hi Jedd,
I can clarify the situation a bit more. It does indeed work as intended in Firefox. If I use the routed address, but I am an unauthenticated user, I am redirected to the login page. I have noticed this morning it only happens after I log in and log back out. This may seem like a case of cookies not being flushed, however I have indeed but statements directly in the controller. When I run a non routed address in IE, it does indeed display those statements. However, using a routed address, it does not. I hope this clarifies things a bit more.

[El Forum]

[eluser]jedd[/eluser]
Please .. call me jedd.

And a smidgen, yes.

Is this IE6 perchance? Famous for being predictably unpredictable.

It sounds like your security system is failing-unsafe. It'd be interesting to see your logout code - where you destruct your session data that is later used by your 'are we logged in?' function (also good to see that). It's possible that IE is remembering session data - I don't know what braindead features that browser had, but I have heard that it had many.

Have you tried hitting the web page from a DIFFERENT machine that has not used the site before, and using the same rev of IE? Being sure to not authenticate at all? That'd be the most conclusive test I think.

[El Forum]

[eluser]mshaw087[/eluser]
Hey Jedd,

Here is the code I have in my logout controller:

Code:

<?php

class Logout extends Controller {
    function Logout()
    {
        parent::Controller();
    }

    function index()
    {

        $this->session->unset_userdata('session_user_id');
        $this->session->sess_destroy();
        $this->load->view('login');
    }

    }


/* End of file logout.php */
/* Location: ./system/application/controllers/logout.php */

I have tried on another machine and it does the same thing. Again, though I am only able to access the page after I logged in and logged back out afterwards. What is interesting is if I insert a simple die statement in the MY_Controller constructor before any of the authentication checking, Firefox will hit it and stop, but IE doesn't execute the die statement which has lead me to believe that constructor is not running. Thanks for your help so far and any future help.

[El Forum]

[eluser]jedd[/eluser]
A couple of things to try - comment out the session destroy line for starters.

You might also want to redirect to your login controller, rather than load the login view from the logout controller.

I suspect most people would have login and logout as methods of the same controller, too, btw - I suspect your logout and login controllers are pretty spartan.

[El Forum]

[eluser]mshaw087[/eluser]
Hi again,

Unfortunately, none of the suggestions worked. Through more investigation, I have noticed that this issue is only happening with whatever page I redirect to after authenticating the user in the login controller. This still all doesn't make too much sense. As personal preference, I like to keep the login and logout controllers separate, but I don't think you're suggesting that has anything to do with the issue at hand. Any other suggestions? Let me know if you need me to post any more code to help clarify things.

[El Forum]

[eluser]brianw1975[/eluser]
you say you extended Controller with MY_Controller but yet your posted code is

Code:

<?php

class Logout extends Controller {
    function Logout()
    {
        parent::Controller();
    }

care to try again?

ps. don't worry, I made the same mistake when I first extended Controller

[El Forum]

[eluser]mshaw087[/eluser]
Hi brianw1975,

I said all controllers that require authentication extend from MY_Controller. Logout doesn't extend from it since it simply clears the session data and redirects you to login anyways. But the page that is being routed to does extend MY_Controller.

[El Forum]

[eluser]brianw1975[/eluser]
In that case, delete all cached files on the server and clear the cached files in ie6, or force a complete reload (ctrl_shift-f5)

Other than cached files, there is no reason for ie6 to have this issue and other browsers not. (plus I have noticed that IE6,7 and 8 tend to adhere to locally cached files and expiration times like an infant sucking its thumb when compared to FF and other browsers)