how to secure an admin backend?
#1

[eluser]Unknown[/eluser]
hey

I'm an experienced PHP programmer and have some OO knowledge, but I'm new to CI, and have a wee problem.

I've been asked to maintain and expand an existing site that is powered by CI. I've been doing OK so far and have managed to expand on the existing CRUD-style admin section and have added a few CI-powered public pages with CRUD admin pages backing them up.

However, there's an inherent security flaw in the web app's existing admin section - it's not password protected in any way :o

Could anyone point me in the direction of a tutorial or a set of libraries that do such a thing? From what I can see, 'sentry' looks like an option, but does anyone on here have any ideas about how to achieve this?

If it helps explain the situation, code for the public pages is contained within the usual folders:

application/controllers/
application/views/modules/

(there are no models)

Furthermore, the application/views/ folder has a file called loader.php in it:
Code:
<?php

    $this->load->view('layout/header');
    $this->load->view('modules/'.$module.'/'.$view_file);
    $this->load->view('layout/footer');

?>

The admin section's files are contained in:

application/controllers/admin/
application/views/admin/modules/

Again, the application/views folder has an admin.php in it:
Code:
<?php

    $this->load->view('admin/layout/header');
    $this->load->view('admin/modules/'.$module.'/'.$view_file);
    $this->load->view('admin/layout/footer');

?>

Also, for example, the public 'news' page is available via the URL /index.php/news

The admin section for the 'news' page is available via the URL /index.php/admin/news

All this seems to work fine, apart from the lack of any security on the admin pages...

Is there any way of adding directory security to the admin pages?

I know htaccess is out of the question because it's not really a folder-level security system I need to implement, but even something as rudimentary as that would suffice, as there is no requirement for users to register themselves or change their details...

Any ideas?

[edit]forgot to mention - it's running CI version 1.5.4[/edit]
#2

[eluser]adamp1[/eluser]
Your best bet is FreakAuth. It's simple and has many features to customize it. There are others out there, but they require a lot more work.

I would say try my BackendPro web control panel, but it's still being made and I'm not sure if I want the code released yet.

The other advantage of FreakAuth is it's been used a lot before, and it's in version 1.1 now, so the code is sound. As I said, it's been used a lot, so there's lots of help on the forum.
#3

[eluser]xwero[/eluser]
A simple session check does wonders
Code:
class Somecontroller extends Controller
{
   function Somecontroller()
   {
      parent::Controller();
      $this->load->library('session');
      // load the model that provides usercheck() ('Usermodel' is a placeholder name)
      $this->load->model('Usermodel', 'model');

      // protect every method except index(), which shows the login form;
      // redirecting unconditionally would loop back onto the login page itself
      $method = $this->uri->segment(2);
      if($method && $method != 'index' && !$this->session->userdata('userid'))
      {
         redirect('somecontroller');
      }
   }

   function index()
   {
      if($this->input->post('login'))
      {
         // usercheck() validates the posted credentials and sets 'userid' in the session
         if($this->model->usercheck())
         {
            redirect('somecontroller/logged');
         }
      }
      $this->load->view('loginform');
   }

   // other functions

}
The model needs to be loaded, but I think it gets you started.

Do a search for authentication libraries; there are a few around, so you won't have to write the code from scratch.
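A fuller version of the same session-check idea, written for this thread and not taken from any post here or from FreakAuth: a base class that every controller under application/controllers/admin/ extends, plus the one login controller that does not. It assumes CI 1.5.x's MY_Controller core-extension file, a hypothetical application/config/admin.php holding a single admin account (admin_user, admin_salt, admin_pass_hash), and a hypothetical admin/loginform view.

```php
<?php
// application/libraries/MY_Controller.php (assumed CI 1.5.x core-extension convention).
// Every admin controller extends this class, so the check runs before any admin action.
class Admin_Controller extends Controller
{
    function Admin_Controller()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');
        if (!$this->session->userdata('userid')) {
            // no authenticated session: nothing in the subclass ever runs
            redirect('admin/login');
        }
    }
}

// application/controllers/admin/login.php (hypothetical file). This is the one admin
// controller that extends the plain Controller, otherwise the form itself would redirect.
class Login extends Controller
{
    function Login()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper(array('url', 'form'));
        $this->config->load('admin');   // hypothetical config file with the admin credentials
    }

    function index()
    {
        $data = array();
        if ($this->input->post('username') !== FALSE) {
            $user = $this->input->post('username');
            $pass = $this->input->post('password');
            // admin_pass_hash is assumed to be sha1(admin_salt . password), era-appropriate for
            // CI 1.5.4; on PHP 5.5 or later use password_hash()/password_verify() instead.
            if ($user === $this->config->item('admin_user')
                && sha1($this->config->item('admin_salt') . $pass) === $this->config->item('admin_pass_hash')) {
                $this->session->set_userdata('userid', $user);
                redirect('admin/news');
            }
            $data['error'] = 'Invalid username or password';  // one message for both failure cases
        }
        $this->load->view('admin/loginform', $data);
    }

    function logout()
    {
        $this->session->sess_destroy();
        redirect('admin/login');
    }
}
```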
#4

[eluser]Unknown[/eluser]
Thanks for your response.

I downloaded FreakAuth and have managed to get that up & running! I've had to tweak a bit of the config to make it work exactly as I need:

I created a superadmin for myself, and then created a standard 'user' for the person updating the site's content to use. I then disabled new registrations, removed a few extraneous links from the FreakAuth login screen, and then disabled the FreakAuth admin controllers to stop the user account accidentally getting into it (I can easily enable the controller again via FTP if needs be).

It seems to be working a treat so far, so thanks for all your help.