Non obtrusive authentication idea...

sikko
Hi all,

I am trying a new way of protecting my application which requires authentication:

I used to check if the session was set in every method that should be protected (using an if) - which is a bit annoying to do for every method.

Here is the idea: instead of using an if in every method, I use a hook and check the current controller/method to see if it is in a predefined array containing my protected controllers/methods.

The array looks like this:
Code:
$protectedControllers = array(
        'programme' => '*',
        'school'    => array('create', 'delete'),
        'coach'     => '*'
    );
It says "protect the whole programme and coach controllers, and protect the create and delete methods of the school controller".

Here is the entire method used by the hook:
Code:
function getAuthorization(){
    $ci =& get_instance();

    $protectedControllers = array(
        'programme' => '*',
        'school'    => array('create', 'delete'),
        'coach'     => '*'
    );

    // if the current controller is protected
    if(array_key_exists($ci->router->class, $protectedControllers)){
        
        //if we want to protect the whole controller
        if($protectedControllers[$ci->router->class] == '*'){
            if($ci->session->userdata('logged') == null){
                redirect('user/login');
                exit; // exit after redirect: seems to be useless but it makes sure that no further code is executed
            }
        }

        //if we want to protect just specific methods
        if(is_array($protectedControllers[$ci->router->class])){
            if(in_array($ci->router->method, $protectedControllers[$ci->router->class])){
                if($ci->session->userdata('logged') == null){
                    redirect('user/login');
                    exit; // exit after redirect: seems to be useless but it makes sure that no further code is executed
                }
            }
        }
        
    }
}

The hook used is post_controller_constructor:
Code:
$hook['post_controller_constructor'] = array(
                                'class'    => '',
                                'function' => 'getAuthorization',
                                'filename' => 'my_hooks.php',
                                'filepath' => 'hooks',
                                'params'   => array()
                                );
And obviously hooks are enabled in the config file:
Code:
$config['enable_hooks'] = true;

My question is: is that a secure way to do this, and... is it crackable?

Thanks for your help :)
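
An added example (not part of the original post, and not CodeIgniter's own code): the same table lookup written as a pure function that lower-cases the controller and method names before matching, because PHP resolves class and method names case-insensitively while array_key_exists() and in_array() compare case-sensitively. The function name requiresLogin and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. requiresLogin() is a
// hypothetical helper; the table is the one shown in the post.

/**
 * Decide whether a controller/method pair needs a logged-in session.
 */
function requiresLogin(array $protected, string $class, string $method): bool
{
    // PHP resolves class and method names case-insensitively, while
    // array_key_exists() and in_array() are case-sensitive.
    // Normalise first so the lookup and the dispatcher agree.
    $class  = strtolower($class);
    $method = strtolower($method);

    if (!array_key_exists($class, $protected)) {
        return false; // controller not listed: public
    }

    $rule = $protected[$class];
    if ($rule === '*') { // strict comparison: only the literal wildcard
        return true;
    }

    // Per-method protection; strict in_array avoids loose type juggling.
    return is_array($rule) && in_array($method, $rule, true);
}

$protectedControllers = array(
    'programme' => '*',
    'school'    => array('create', 'delete'),
    'coach'     => '*',
);

// Constructed sample requests: (controller, method).
$samples = array(
    array('programme', 'index'),
    array('school', 'view'),
    array('school', 'delete'),
    array('School', 'DELETE'),
    array('COACH', 'edit'),
);

foreach ($samples as list($class, $method)) {
    $needsLogin = requiresLogin($protectedControllers, $class, $method);
    printf("%-10s %-7s %s\n", $class, $method, $needsLogin ? 'login required' : 'public');
}
```

Inside the hook, the call would be requiresLogin($protectedControllers, $ci->router->class, $ci->router->method), followed by the session check and redirect from the post.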



