Best coding practice for an admin login
#1

[eluser]Bramme[/eluser]
Hi all

I'm porting a website I made with Smarty to CI. The frontend is nearly finished and now I'm working on the backend, my routing problem is solved, but now I'm having another problem.

The website uses a basic custom backend, but I'm wondering how I would approach the login form.

I could just check for a set log in session in my view and then decide whether to display the correct admin page, or the login form, but that doesn't sound too safe because the controller won't be checking if a user is logged in... I was wondering if there was a way to check in the constructor of my controller if the user was logged in and if not redirect all load->views to the login form, but I have no idea how to do that.
I guess I could also extend the load->view function, rewriting it so it checks for the session etc etc etc.

I'm pretty sure there's loads of people around here who have more experience with this, anybody got some tips?
#2

[eluser]Majd Taby[/eluser]
have you given CodeExtinguisher a try?
#3

[eluser]Bramme[/eluser]
CodeExtinguisher is already too much for me. Besides, a great deal of the backend is already written, so I'd be throwing away lots of work. I was merely wondering how it's best to approach a login form...
#4

[eluser]Tom Glover[/eluser]
Have a look at Redux auth by Popcorn, it is simple to integrate and very secure. There are also detailed examples.
#5

[eluser]Gavin Blair[/eluser]
I've been using EzAuth - it's unobtrusive and fairly easy to use. It's basically a model file. You just have to put in your controller's constructor which functions are restricted, and use the _remap() function to check if the user is logged in before continuing to the function.
#6

[eluser]Bramme[/eluser]
[quote author="WackyWebs.net" date="1212766005"]Have a look at Redux auth by Popcorn, it is simple to integrate and very secure. There are also detailed examples.[/quote]

Looks like it certainly can help me, but the thing is... I just don't understand how it works, probably because I'm all too new to CI and MVC in general. Looks to me like only the index logs you in, and you can access anything right off the bat, whether you're logged in or not.

edit: I've decided to write my own auth library with the very basic needs I have. Must say it's a daunting task. But it's really good to get to know all the common libraries and helpers, like database, session, cookie, form etc etc.
#7

[eluser]Bramme[/eluser]
little double post to bring this to attention (don't feel like starting up a new topic for every quirk).

Atm I got this in my master view file:

Code:
<?php
$this->load->view('global/adminHeader');
if($this->auth->loggedIn()) {
    $this->load->view($page); // page could be for example admin/guestbook/
} else {
    redirect('/admin/');
}
$this->load->view('global/footer');
?>
but this creates an infinite loop. Is there a way to send the page back to my login form (which is my index function) without creating this infinite loop?
Because if I simply load the login view, I get all sorts of errors because my login form uses validation etc that's not being set in the guestbook function.
#8

[eluser]Pascal Kriete[/eluser]
Ahhh - logic in a view, get out the pitchforks!! Kidding.

Instead of protecting the view, I suggest you protect the proper controller.

Here's a simplified version of what I tend to use:
Code:
function restrict($logged_out = FALSE)
{
    if($logged_out)
    {
        // Page is for logged-out users only (e.g. the login form):
        // send an already authenticated user on to the member area.
        if ($this->logged_in())
        {
            redirect('/member');
        }
    }
    else if( ! $this->logged_in())
    {
        // Page requires a login: remember where the user wanted to go,
        // then send them to the login form.
        $this->ci->session->set_flashdata('referrer', $this->ci->uri->uri_string());
        redirect('/member/login');
    }
}

So now in any function I can put $this->auth->restrict() to protect the function (or use it in a constructor for the whole controller). On my login form I use the TRUE flag to make sure it's only accessible to logged out users.

The referrer is used by the login, so that the user is redirected to the page they were trying to access after logging in.
#9

[eluser]Bramme[/eluser]
Lemme try and get this straight, because I'm really not used to this.

You protect your function with the restrict thing. In your login function, you pass along true so it won't redirect and just show your login form. In all other functions, it checks if a user is logged in (I'm guessing that's what your logged_in() does?), if you are logged in, you get passed to /member. And then restrict() checks also if you're not logged in. If that's the case, you set a piece of flashdata with the referrer (smart move, I'll remember that) and then redirect to your login form (being /member/login/).

So for me, I would have to switch my redirects, seeing as my login form function is index.

Second question:
My guestbook function is something like this:
Code:
function guestbook() {
    //do lots of interesting stuff
    $data['page'] = 'guestbook'; // name of the view to load inside the master view
    $this->load->view('admin_index', $data);
}
Where would I put that restrict function?

Man, when I struggle through this, I'm gonna write one long tutorial about it as a way to give back to the community for its help.
#10

[eluser]Pascal Kriete[/eluser]
Yes, all you should have to do is change the redirects to fit your setup and change the logged_in function to whatever you use (anything that returns true or false).

I usually put it at the very top of the function, so I can spot a protected function at first glance.

Example member controller (access is my authentication library, which I autoload):
Code:
class Member extends Controller
{
    /**
     * Constructor
     *
     * @access    public
     */
    function Member()
    {
        parent::Controller();
    }

    // --------------------------------------------------------------------
    
    /**
     * Controller Default Function
     *
     * @access    public
     */
    function index()
    {
        // Must be logged in to see this
        $this->access->restrict();

        $this->load->view('admin_home');
    }

    // --------------------------------------------------------------------
    
    /**
     * Login Function
     *
     * @access    public
     */
    function login()
    {
        // Only logged out users
        $this->access->restrict(TRUE);

        // Load required files
        $this->load->library('validation');
        $this->load->helper('form');

        $rules = array(
                'email'        =>    'trim|required',
                'password'    =>    'trim|required',
                'token'        =>    'check_login|required'
        );
        $this->validation->set_rules($rules);
        
        $fields = array(
                'email'        =>    'email',
                'password'    =>    'password'
        );
        $this->validation->set_fields($fields);
        
        if ($this->validation->run() == FALSE)
        {
            $data['title'] = 'Login';
            $data['token'] = generate_token();
            
            $this->session->keep_flashdata('referrer');
            $this->template->display($data, 'member/login');
        }
        else
        {
            $uri = $this->session->flashdata('referrer') ? $this->session->flashdata('referrer') : 'member';
            redirect($uri);
        }    
    }
}

Can't wait to see your tutorial :)
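Bramme said in #6 that he was writing his own minimal auth library, #8 describes the restrict() pattern and #9/#10 ask and answer where it goes. The following is an added example, written for this thread and not code from any of the posters or from Redux, EzAuth or CodeExtinguisher, that wires those pieces together in the CodeIgniter 1.x style used above: a small Auth library with logged_in() and restrict(), and an Admin controller laid out the way Bramme has his, with the login form in index() and a protected guestbook(). The session key 'user_id', the 'referrer' flashdata name, the user_model->check_credentials() call, the view names and the admin/ URIs are all assumptions. One check the thread does not mention: the stored referrer is only followed if it is a plain site-local URI string, so a tampered referrer cannot send a freshly logged-in user to another host.

```php
<?php
// application/libraries/Auth.php (assumed location; CodeIgniter 1.x style)
class Auth {
    var $ci;

    function __construct()
    {
        $this->ci =& get_instance();
        $this->ci->load->library('session');
    }

    // True when the session carries a user id set by login_user().
    function logged_in()
    {
        return (bool) $this->ci->session->userdata('user_id');
    }

    // Call at the top of a function or in a controller constructor.
    // Default: only logged-in users may continue; TRUE: only logged-out users.
    function restrict($logged_out = FALSE)
    {
        if ($logged_out)
        {
            if ($this->logged_in())
            {
                redirect('admin/guestbook');   // assumed landing page
            }
        }
        else if ( ! $this->logged_in())
        {
            $this->ci->session->set_flashdata('referrer', $this->ci->uri->uri_string());
            redirect('admin');                 // login form lives in Admin::index()
        }
    }

    // Return the stored referrer only if it is a local URI path (letters,
    // digits, '_', '-', '/'; no scheme, no '//'), otherwise the default.
    function safe_referrer($default = 'admin')
    {
        $ref = $this->ci->session->flashdata('referrer');
        if ($ref !== FALSE && $ref !== '' && preg_match('#^/?[A-Za-z0-9_/\-]+$#', $ref)
            && strpos($ref, '//') === FALSE)
        {
            return $ref;
        }
        return $default;
    }

    function login_user($user_id)
    {
        $this->ci->session->set_userdata('user_id', $user_id);
    }

    function logout()
    {
        $this->ci->session->sess_destroy();
    }
}

// application/controllers/admin.php (assumed location)
class Admin extends Controller {

    function __construct()
    {
        parent::Controller();
        $this->load->library('auth');          // or add it to autoload.php
        $this->load->helper(array('url', 'form'));
    }

    // Login form: only reachable while logged out.
    function index()
    {
        $this->auth->restrict(TRUE);
        $this->load->library('validation');
        $this->validation->set_rules(array(
            'username' => 'trim|required',
            'password' => 'trim|required',
        ));

        // Assumed model: returns the user id on success, FALSE otherwise.
        $this->load->model('user_model');
        $id = FALSE;
        if ($this->validation->run() == TRUE)
        {
            $id = $this->user_model->check_credentials(
                $this->input->post('username'), $this->input->post('password'));
        }

        if ($id === FALSE)
        {
            $this->session->keep_flashdata('referrer'); // survive the form round trip
            $this->load->view('admin/login');
            return;
        }

        $this->auth->login_user($id);
        redirect($this->auth->safe_referrer());
    }

    // Protected page: restrict() is the first line, as in #10.
    function guestbook()
    {
        $this->auth->restrict();
        $data['page'] = 'admin/guestbook';     // view embedded by the master view
        $this->load->view('admin_index', $data);
    }
}
```

With restrict() called from the controller rather than from the master view, the loop Bramme hit in #7 cannot occur: guestbook() redirects before any view is loaded, and index() never redirects a logged-out visitor, so the login form always renders with its own validation set up.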
