Create a forbidden page, when inputting manually the URLs
#1

[eluser]rochellecanale[/eluser]
Hello guys, I just need a little help with access security for my page. For example, let's say we have a URL
Code:
http://localhost/myPage
It displays the index page and login. If the user logs in successfully without errors, it redirects to his/her profile at
Code:
http://localhost/index.php/user_controller/view_member
My problem is that if you try to access the view profile URL manually, meaning without going through the login process, it displays the entire member profile. So how can I restrict access to prevent this? Like with .htaccess, where it displays Access Forbidden.
#2

[eluser]solid9[/eluser]
just convert your method into private.

from this,
Code:
function hello();

into this,
Code:
function _hello();

#3

[eluser]Aken[/eluser]
[quote author="solid9" date="1352433037"]just convert your method into private.

from this,
Code:
function hello();

into this,
Code:
function _hello();

[/quote]
... which will make it unavailable to the browser, rendering it completely useless for the function it's meant for.

You'll need to perform some kind of check that the user is logged in, and if they aren't, redirect them to the login page.
#4

[eluser]solid9[/eluser]
@aken

Thanks for the clarification, I think your solution is much better.
#5

[eluser]rochellecanale[/eluser]
Hmm, thanks for the suggestions. So for every page I have, I must include a validation? That's a lot of work, but I'll try it.
#6

[eluser]Aken[/eluser]
Any page that is restricted in some way obviously needs to check for that restriction, yes. Look into using a base controller (MY_Controller) to add the functionality without needing to duplicate it to every controller you have.
#7

[eluser]Unknown[/eluser]
Construct method in the base controller with something similar:
Code:
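if ($this->session->userdata('logged_in'))
{
    // Logged in: pull the stored user data out of the session
    $session_data = $this->session->userdata('logged_in');
    $data['username'] = $session_data['username'];
}
else
{
    // If no session, redirect to login page
    header('Location: index.html');
    // Stop here; without this the restricted method still runs after the header is sent
    exit;
}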
Where
Code:
$this->session->userdata('logged_in')
is set after successful login.
#8

[eluser]boltsabre[/eluser]
A couple of options, depending on your set up.

If you just have one controller that is restricted I'd just put your code into the constructor as mentioned above, that way every method of that controller becomes restricted.

If you have a handful of controllers that are restricted then you could either:
1. Isolate that code into a helper and in each restricted controller call that helper in the constructor, or...
2. As per Aken, extend your base controller with MY_Controller, extend MY_Controller by another class called, for example, "MY_Restricted_Controller" (and put your restriction code in its constructor), and then have any restricted controllers extend MY_Restricted_Controller rather than CI_Controller or MY_Controller.
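
Added example, not part of any post in this thread: a sketch of the MY_Controller / MY_Restricted_Controller layout described in posts #6 to #8, reusing the `logged_in` session key from post #7. The `Member_controller` class, the `user_controller/login` route and the `view_member` view name are assumptions made for illustration.

```php
<?php
// application/core/MY_Controller.php
// CodeIgniter loads this file automatically, so both base classes are
// defined here and are available to every controller.

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url'); // provides redirect()
    }
}

class MY_Restricted_Controller extends MY_Controller
{
    protected $member; // session data stored at login (key from post #7)

    public function __construct()
    {
        parent::__construct();

        $this->member = $this->session->userdata('logged_in');
        if (empty($this->member)) {
            // redirect() sends the Location header and then exits, so the
            // requested method never runs for a visitor without a session.
            redirect('user_controller/login'); // assumed login route
        }
    }
}

// application/controllers/member_controller.php (assumed controller name)
// The login action must stay on a controller that does NOT extend
// MY_Restricted_Controller, otherwise the redirect above loops forever.
class Member_controller extends MY_Restricted_Controller
{
    public function view_member()
    {
        $this->load->view('view_member', array(
            'username' => $this->member['username'],
        ));
    }
}
```

Because the check sits in the constructor, every method added to a controller that extends MY_Restricted_Controller is covered without repeating the test per page.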



