Should session data be handled in the view?
#1

[eluser]Unknown[/eluser]
Hi guys, I've recently been learning PHP and CodeIgniter by doing a simple login/register project. I've never encountered the MVC model before so I'm still trying to grasp it.

Within my header view file I am checking to see if the user is logged in so I can make the navigation page dynamic. e.g. If they are logged in show the UserCP and Logout buttons otherwise show Login and Register buttons. However should I be checking this in the controller or model?

Here is my code for the header file:
Code:
<html>
<head>
<style type="text/css">
  /* Non-zero lengths need a unit, otherwise the declaration is ignored */
  a {margin: 0 5px 0 5px;}
</style>
<title><?php echo $title; ?></title>
</head>
<body>
<?php
echo anchor('', 'Home');

// Navigation depends on the login state stored in the session
if($this->session->userdata('logged_in') == TRUE)
{
  echo anchor('usercp', 'User CP');
  if($this->session->userdata('admin') == TRUE)
  {
    echo anchor('admincp', 'Admin CP');
  }
  echo anchor('users/logout', 'Logout');
  // The nickname is user-supplied text, so escape it before output
  echo 'Welcome '.htmlspecialchars($this->session->userdata('nickname'), ENT_QUOTES, 'UTF-8');
}
else
{
  echo anchor('create', 'Create User');
  echo anchor('login', 'Login');
}
?>

<hr>
#2

[eluser]skunkbad[/eluser]
The way I do it is probably close to the way other people are doing it.

When the user logs in, there is at least one query to the database, and some of that data gets put into a cookie, but is also loaded as a variable. Since cookie data is not available on the same request as it was set, you need that variable. I create the variable using $this->load->vars() in MY_Controller.

In the main template, I can just check if that variable exists, and if it does/doesn't, then I know to offer the login/logout option.

Note, this variable is not used for authentication. At least for me, authentication is in a secure cookie, and the user needs to know if they are logged in on pages that are not HTTPS. That's the reason for the second (non secure) cookie.
#3

[eluser]Unknown[/eluser]
That makes sense, thanks for the help skunkbad.

Another question:
I currently have a secure session that is saved in the database. Is it safe to store a boolean stating whether the user is an admin? I have little experience with this sort of thing, so I do not know whether it would be easy for an attacker to change the boolean within that session to say that they are an admin, or whether it's near impossible for them to do so.

Cheers.
#4

[eluser]skunkbad[/eluser]
I think what you are going to find, especially if you reuse code for other projects, is that you are going to want to have multiple user levels or roles. Having just an admin and "everyone else" is pretty restrictive. In Community Auth, the user levels are totally customizable, and are represented by an integer value in the user table. Admin for the default install is user level 9, but it could be 99 or 999 or whatever. The levels themselves are stored in a config file.
#5

[eluser]cartalot[/eluser]
>Within my header view file I am checking to see if the user is logged in so I can make the navigation page dynamic. e.g. If they are logged in show the UserCP and Logout buttons otherwise show Login and Register buttons. However should I be checking this in the controller or model?

a great example of what a "controller" does and why. so yeah -- that kind of 'if this condition, show this page' logic goes in the controller.

when you need to find out if they are a member -- that's what the "model" is about. in that case the model would query a database or a list and, say, return a member id, or return false if they aren't registered.
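Added example, not posted by anyone in the thread: one way to combine the two suggestions above, with a base controller reading the session once and handing the header view plain variables through `$this->load->vars()`. The `$nav` array and the `require_admin()` helper are hypothetical names, the session keys are the ones from post #1, and the two files are shown in one block for brevity.

```php
<?php
// application/core/MY_Controller.php -- constructed for illustration
class MY_Controller extends CI_Controller
{
    protected $nav;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url'); // provides anchor() and redirect()

        // Read the session once, here, instead of in the view.
        $logged_in = (bool) $this->session->userdata('logged_in');
        $this->nav = array(
            'logged_in' => $logged_in,
            'is_admin'  => $logged_in && (bool) $this->session->userdata('admin'),
            // Escape for HTML output; the nickname is user-supplied text.
            'nickname'  => htmlspecialchars((string) $this->session->userdata('nickname'), ENT_QUOTES, 'UTF-8'),
        );
        // Makes $nav available to every view loaded during this request.
        $this->load->vars(array('nav' => $this->nav));
    }

    // Hypothetical helper: call at the top of admin-only controller methods.
    // Hiding the Admin CP link in the view is presentation, not access control.
    protected function require_admin()
    {
        if ( ! $this->nav['is_admin'])
        {
            redirect('login');
        }
    }
}
?>
<!-- application/views/header.php: the view only renders what it was given -->
<?php echo anchor('', 'Home'); ?>
<?php if ($nav['logged_in']): ?>
  <?php echo anchor('usercp', 'User CP'); ?>
  <?php if ($nav['is_admin']) echo anchor('admincp', 'Admin CP'); ?>
  <?php echo anchor('users/logout', 'Logout'); ?>
  Welcome <?php echo $nav['nickname']; ?>
<?php else: ?>
  <?php echo anchor('create', 'Create User'); ?>
  <?php echo anchor('login', 'Login'); ?>
<?php endif; ?>
```

Controllers that extend `MY_Controller` get `$nav` in every view automatically, and the admin controller enforces the role itself rather than relying on the link being hidden.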



