User Authentication - Placement of code?
#1

[eluser]RyanH[/eluser]
I realize there are libraries out there (such as ErkanaAuth) that do this for you. However, for the purposes of learning I'm trying to create some user authentication of my own. I'm not doing this in the form of a library but rather just placing the code into the controllers/view files. That being said, this brings me to my question. How do you set up your files and the placement of your code?

For example, I have a login page (login controller) that requires only an email and a password. The login controller, within the index function, validates the fields and then checks the database to see if the email and passwords match and if they do, redirects them to a login_complete view file. If it fails, it reloads the login page.

I've also added sessions into the mix and so far they seem to be working fine. However, what I'd like to know is what code to use, and where to place it (view files or controllers), that checks to see if the user is logged in, and if not, displays the login page. Essentially right now my login_complete page looks basically like this:
Code:
<?php
if (!$this->session->userdata('session_id'))
{
    redirect('login', 'location');
} else {
    echo 'Welcome ' . $this->session->userdata('session_id') . ' (Logout)';
}
// HTML/page information goes here
?>
Am I setting this up the wrong way? If so, what would be a better way? How would I set it up to use a logout function? Do I put a function in the login controller file?

Thanks.
#2

[eluser]dawnerd[/eluser]
You're doing it correctly; however, it's not very secure. Ideally you would store the session in a database and use unique hashes to check if the user is actually who they say they are.

To log the user out, just destroy the session.

Like I said before, basing it only off session IDs is just asking to be hacked.
#3

[eluser]RyanH[/eluser]
[quote author="dawnerd" date="1200962457"]You're doing it correctly; however, it's not very secure. Ideally you would store the session in a database and use unique hashes to check if the user is actually who they say they are.

To log the user out, just destroy the session.

Like I said before, basing it only off session IDs is just asking to be hacked.[/quote]Thanks. I am actually storing the session information in the database, this was just an example. However, what would be a more secure way to check to see if the user is who they say they are?

Where would the code go to destroy the session?

Also, is there a way to modify the CI code to allow for the storing of custom information, such as usernames or what have you? The user guide says that you can use the information but upon reading the Wiki and searching the forums it appears that you can't, at least currently, store anything beyond the standard session information in the database.
#4

[eluser]Eric Cope[/eluser]
I am not sure if this is what you are looking for, but you can store variables in the session this way:

Code:
$session_data["var1"] = $var1;
...
$session_data["varN"] = $varN;
$this->session->set_userdata($session_data);
#5

[eluser]RyanH[/eluser]
According to the user guide, you can use an array, such as this:
Code:
$userdata = array('key' => $this->validation->email, 'key2' => $this->validation->something);
$this->session->set_userdata($userdata);

// Or you can do it manually:

$this->session->set_userdata('email', $this->validation->email);
I suppose the way you're suggesting would work too, though I haven't tried it. The method I just listed I have tried and it didn't store anything.
#6

[eluser]Pascal Kriete[/eluser]
The method mentioned above is the same as the array method you outline, only split up into multiple lines.

That said, unless you have used set_fields, $this->validation->whatever won't exist.
Since the post data is overwritten when the validation runs you could try:
Code:
$this->session->set_userdata('email', $this->input->post('email'));
#7

[eluser]ekeretex[/eluser]
Hi Ryan,
Why not do the redirection in the controller?
Either at the beginning of the class method or in the constructor if you need it to apply to all the methods/pages in that class.

Technically, authentication is not a view function.
#8

[eluser]RyanH[/eluser]
[quote author="inparo" date="1200970502"]The method mentioned above is the same as the array method you outline, only split up into multiple lines.

That said, unless you have used set_fields, $this->validation->whatever won't exist.
Since the post data is overwritten when the validation runs you could try:
Code:
$this->session->set_userdata('email', $this->input->post('email'));
[/quote]The set_fields(); has been set, so this should work, yet it's not and I'm not sure why. However I will try the other method you tried. Is this any less secure?

[quote author="ekeretex" date="1200970502"]Hi Ryan,
Why not do the redirection in the controller?
Either at the beginning of the class method or in the constructor if you need it to apply to all the methods/pages in that class.

Technically, authentication is not a view function.[/quote]Could you elaborate a bit more on this, please? I'm certainly open to improving my code but still learning CI. As such, I'm not sure how you would put the code in the controller as opposed to the view file?
#9

[eluser]ekeretex[/eluser]
Using a profile page as an example:
In the controller:
Code:
class Account extends Controller {

  public $data;
  
  function profile(){    

    $this->data['session_id'] = $this->session->userdata('session_id');

    //pass the session_id into a view variable (assuming the name is stored there as per your example)
  
    if (empty($this->data['session_id'])) {

      redirect('login');

      exit(); //optional
    }
    //rest of controller code goes here
  }
}
and in the view:
Code:
<p>Welcome <?php echo $session_id; ?></p>

<!-- rest of your html page here -->

The difference here is that the view file is not making decisions just displaying data passed to it from the controller.

To apply to all the functions in a class, put in the constructor e.g.
Code:
class Account extends Controller {  
    
    public $data;

    function __construct() {

      parent::__construct();

      $this->data['session_id'] = $this->session->userdata('session_id');

      if (empty($this->data['session_id'])) {

        redirect('login');

        exit(); //optional
      }
    }

    function profile() {  
      //controller code goes here
    }
}

Of course 'login' will have to be in a different class to avoid an infinite loop.
#10

[eluser]RyanH[/eluser]
I tried your method, but a bit modified and I got this error:
Error Wrote:Fatal error: Can't use method return value in write context in /home/.sera/thirdnet/thirdwatchnet.com/erbooks/system/application/controllers/home.php on line 12
This is the code that I have:
Code:
class Home extends Controller{
    
    function Home()
    {
        parent::Controller();
    }
    
    function index()
    {
        if(empty($this->session->userdata('session_id')))
        {
            $this->load->view('login_view');
            exit();
        }
    }
}
What did I do wrong?
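
Added example, not part of any post in this thread: one way to do the login check in a CodeIgniter 1.x controller constructor, as suggested in post #9, without the `empty()` fatal error from post #10, gating on a value written at login rather than on `session_id`, with a logout method. The `user_id` session key, the class names, `profile_view` and the `login` route are assumptions.

```php
<?php
// Added example, CodeIgniter 1.x style to match the thread. Assumed names: the
// 'user_id' session key, the class names, 'profile_view' and the 'login' route.
// The login controller is assumed to call set_userdata('user_id', ...) only
// after the e-mail/password check succeeds.
class Account extends Controller {

    var $user_id;

    function Account()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');

        // Assign first: before PHP 5.5, empty() accepts only a variable, so
        // empty($this->session->userdata(...)) is a fatal error.
        $user_id = $this->session->userdata('user_id');

        // Gate on a value written at login. 'session_id' exists for every
        // visitor once the Session library loads, so it proves nothing.
        if (empty($user_id))
        {
            redirect('login');
            exit; // redirect() already exits; kept as in the post above
        }
        $this->user_id = $user_id;
    }

    function profile()
    {
        // Reached only when logged in; the view just displays what it is given.
        $this->load->view('profile_view', array('user_id' => $this->user_id));
    }
}

// Separate controller file in CI, and not gated, so the redirect cannot loop.
class Login extends Controller {

    function logout()
    {
        $this->load->library('session');
        $this->load->helper('url');
        $this->session->sess_destroy(); // ends the session for this browser
        redirect('login');
    }
}
```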



