Security issue - redirect
#1

[eluser]Unknown[/eluser]
I am currently developing a cms system and I have coded my own simple Auth library.
Nothing fancy, but I wanted to check if things are secure enough.

When a user logs in, the lib sets some session attributes. One of them is "isLoggedIn" set to TRUE. This one I use in the "checkIfLoggedIn()" function.
Now; I have made a function which also checks if the user has logged in and if not; does a redirect to the login page:
Code:
function checkLogin() {
   // Redirect to the login page unless the session says the user is logged in.
   if (!$this->isLoggedIn()) {
      $CI =& get_instance();
      $CI->load->helper('url');
      // CodeIgniter's redirect() sends the Location header and exits,
      // so nothing after this call runs in the caller.
      redirect('admin/login', 'refresh');
   }
}
On the page I want to secure I use this: (controller)
Code:
function index() {
   $this->load->library('authLib');
   // Sends the visitor to admin/login and stops here if not logged in.
   $this->authLib->checkLogin();

   echo "Here goes the rest of the code if you have logged in.";
}
Is this way of working secure enough or do I need to provide some extra security?
#2

[eluser]Vince Stross[/eluser]
This is the same way I do it and it's the same way I did it with classic ASP and some primitive ASP.NET.

However, I have always wondered if the session cookie could be manipulated in some hackerific way to trick this method. Maybe storing the session data in a database, along with this method is best. However I never liked the idea of reading the database on each and every page load unless I was actually displaying ... data!

Short version: I've been using this method for years without any problem.
#3

[eluser]MadZad[/eluser]
ecko,
Ditto what beyondCiv said, with a few extra thoughts from my experiences.

If your controller has multiple actions, consider putting the login check in the constructor when it makes sense. Best of all, if you're doing unit tests, be sure to hit every action without being logged in.

In some cases, I've found it useful for the login check to return true/false - just in case the controller needs to do something more than redirecting to the login page. I typically find the "login check" evolves into multiple methods over time (access levels, custom messages on login screen, that kind of stuff).

When the situation makes it feasible, I put session information into the DB. I just embrace db hits as a cost of putting up a page, mostly because I don't want anything other than an encrypted key in the cookie. One size, of course, does not fit all.

Lastly, all the standard good security precautions. Keep db credentials out of the webroot, CI also makes it easy to keep all php code (other than index.php and config) out of the webroot, make sure any controller helper methods start with an underscore.
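The following is an added example, not code from the original poster or from CodeIgniter itself. It pulls together the points raised in #1 and #3: a library whose check returns true/false, a base controller that runs the check in its constructor so every admin action is covered, and a server-side session (the CodeIgniter 2.x `sess_use_database` setting) so that the logged-in state lives in the database rather than in a cookie the browser controls. The class names `Authlib` and `Admin_Controller`, the `user_id` session key and the file paths in the comments are assumptions made for this example.

```php
<?php
// Added example (not the thread's code). Assumes CodeIgniter 2.x naming.
// In a real install each class below lives in its own file; they are
// shown together here so the example reads top to bottom.

// application/config/config.php (fragment, assumed settings):
// with sess_use_database the cookie carries only the session id and
// the custom user data lives in the ci_sessions table, so the
// logged-in flag cannot be forged by editing the cookie.
//   $config['sess_use_database']   = TRUE;
//   $config['sess_table_name']     = 'ci_sessions';
//   $config['sess_encrypt_cookie'] = TRUE;

// application/libraries/Authlib.php
class Authlib
{
    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->helper('url');
    }

    // Called only after the caller has verified the user's password.
    // The user id is the single piece of state that means "logged in".
    public function login($user_id)
    {
        $this->CI->session->set_userdata('user_id', (int) $user_id);
    }

    public function logout()
    {
        // Drop the whole server-side session, not just the flag.
        $this->CI->session->sess_destroy();
    }

    // True only when the server-side session holds a positive user id
    // that login() stored; an absent key (FALSE in CI 2) is not logged in.
    public function isLoggedIn()
    {
        return (int) $this->CI->session->userdata('user_id') > 0;
    }

    // Returns TRUE when logged in. When not logged in it either redirects
    // (CI's redirect() exits, so the caller never continues) or, with
    // $redirect = FALSE, returns FALSE so the controller can decide itself.
    public function checkLogin($redirect = TRUE)
    {
        if ($this->isLoggedIn()) {
            return TRUE;
        }
        if ($redirect) {
            redirect('admin/login', 'refresh');
        }
        return FALSE;
    }
}

// application/core/MY_Controller.php
// Every controller that extends Admin_Controller is protected by the
// constructor, so a new action cannot be added without the check.
class Admin_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('authlib');
        $this->authlib->checkLogin();
    }
}

// application/controllers/admin/dashboard.php
class Dashboard extends Admin_Controller
{
    public function index()
    {
        // Only reached when checkLogin() returned TRUE in the constructor.
        echo 'Here goes the rest of the code if you have logged in.';
    }

    // Example of the non-redirecting form: an AJAX endpoint that should
    // answer with a status code instead of an HTML redirect.
    public function status()
    {
        if (!$this->authlib->checkLogin(FALSE)) {
            $this->output->set_status_header(401);
            return;
        }
        echo json_encode(array('logged_in' => TRUE));
    }
}
```

Checking the controller-level protection as #3 suggests is then straightforward: request every admin action without a session cookie and confirm each one answers with the redirect (or the 401 for the non-redirecting form) rather than with page content.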
#4

[eluser]Unknown[/eluser]
Thanks for the quick replies.

I will look into improving my code along the way. I think that is the easiest way to learn CI.
Currently, I only keep my user parameters in the CI session. No cookies or something similar. I think this is good enough as the login is only needed for the admin side of things.