I am using Code Igniter and I am implementing a remember user functionality.
Basically, from another stack overflow post, I implemented this the right way where I generate a random string for that user, save it in the database AND in a cookie. On site load, I check for that cookie, if that cookie is found I check it in the database. If it is found in the database then recrease the session for that user.
The problem I am having is when I load the site. I am getting the value of the cookie and I am also getting the correct response from the AJAX call. However, I have to click on a link in order for the session to get recreated (such as menu is displayed for logged in user and so on).
I am thinking that I am recreating the session AFTER the index method of the main controller is called. How can I get around this in Code Igniter? Where can I put this code which preferably gets run first thing on every page? As for instance I also want to recreate the session if the user enters the site's contact us page instead of the home page.
Many thanks in advance.
CodeIgniter allows the developer to create hooks which are called at different moments before the controller method is called.
Here is a short description of how to use hooks:
http://codeigniter.com/user_guide/general/hooks.html
If you want to access the session, I would recommend to use a post_controller_constructor hook, which is called after the controller constructor is executed, but before the action method is called. ( access the CI session in a pre controller codeigniter hook )
Related
I am using sessions to check if the user is logged in. In my project, there are some pages, where session check is not required i.e user can access it without logging in. How I disable session check on selective pages? Instead of writing say session_check on every page that needs session, i want to know if there is a way to implement no_session_check() on selected pages. As the number of pages that require session check are more than pages that do not work. I am using codeigniter. Thanks
First you created the session checking function in library file .. if u want session on that controller just call that library function..
Refer this link:
I am using PHP native session instead of CI session library.CI version ci-2.2.
When i login to admin, it sets the session.I can go to any next page which requires session.But when when i go to another page after that the session is lost.It works fine locally and on many other servers for which I use CI.
As an example.
I login to admin.It takes me to dashboard.Then i go to some listings page.It works fine.Thereafter I click on say some add new page , session is lost.
if any of your controller extends the admin controller make sure the session check is done on the admin controller itself.
so that any controller that extend it will inherit the check.
Hope this helps.
I'm working on this project in Codeigniter and i created login and register script but I don't know how to validate user on every page.
When user logs in what data to store in session (Ci session user_data), so i can compare it to database on every page to se if the session is valid?
I'm using codeigniter's session class and I'm storing the values automatically in the database. Please help me I'm stuck here...
My session is handled like this :
1. When ever any user reaches my webpage he gets unique hashed (md5) session id that is checked when ever a page is loaded. If it exists do nothing if it doesn't generate a new one. It changes every 5 minutes.
2. When user logs in what data to pass to so i can compare it to the database later on ( on every page load)
I don't know if storing only the 'is_logged' = 1 cookie is safe. I want to check cookies on every server request.
Upon succesful login, you create a
$this->session->set_userdata(array('authorized' => true));
You can then make an auth library, or a model method, whatever suits you that just checks if this session data exists.
function is_logged()
{
return (bool)$this->session->userdata('authorized');
}
if FALSE, user is not logged, if TRUE it is. You can call this function on every controller's method you need to place behind authentication, or in controllr's constructor if you need it for all methods (ex. an admin panel)
have a look, for ex., on how Ion Auth, one of the mainstream Auth Libraries in CI, handles the thing (uses the logged_in() method which does the same as in my example code. Keep in mind that sessions are encrypted, and if stored in database security is even higher);
https://github.com/benedmunds/CodeIgniter-Ion-Auth/blob/2/libraries/Ion_auth.php
Sessions are stored on the server so no validation is required. You only need to validate what you put in the session.
Sessions are authenticated by the user supplying a session_id cookie (PHPSESSID).
Cookies on the other do require validation, but cookies shouldn't be used to store critical data so it's a bit moot.
You should have write a function in helper like session_helper.And in constructor of your class call this helper method.If your user is logged in correctly then it will continue,other wise it will redirect to log in page.Your Helper should be like this
function session_set()
{
$ch=&get_instance();
if($ch->session->userdata('your_session_id')=='')
{
redirect('your_login_page');
}
and in controller you should check like this(constructor)
session_set();
Hope this will work for you
I've a Code Igniter project using database backed sessions. The web application is password protected, meaning that I have an abstract controller checking if the user is logged in before I allow him to see any pages, apart from the login form.
While I had no problems implementing this, I'm having some difficulty understanding how to make the application redirect the user to the page he wanted to see if he need to login first.
How it goes: the user is logged out and types in a URL. The application detects he's not logged in so send him to the login page and creates a row in the ci_session table. At the same time I store the url the user entered in the session object using either flashdata or userdata. My problem is that once the user logs in, the application will create a new row in the database, meaning a new session, completely ignoring the values I stored previously.
Shouldn't it be one row per session?
The CI URL Helper has a redirect function that you can use. http://codeigniter.com/user_guide/helpers/url_helper.html
Does a "header redirect" to the local URI specified. Just like other functions in this helper, this one is designed to redirect to a local URL within your site. You will not specify the full site URL, but rather simply the URI segments to the controller you want to direct to. The function will build the URL based on your config file values.
The optional second parameter allows you to choose between the "location" method (default) or the "refresh" method. Location is faster, but on Windows servers it can sometimes be a problem. The optional third parameter allows you to send a specific HTTP Response Code - this could be used for example to create 301 redirects for search engine purposes. The default Response Code is 302. The third parameter is only available with 'location' redirects, and not 'refresh'. Examples:
if ($logged_in == FALSE)
{
redirect('/login/form/', 'refresh');
}
// with 301 redirect
redirect('/article/13', 'location', 301);
I think you're misunderstanding how sessions works between a browser and your web application. When a user opens your login page, they are assigned a unique session ID which codeigniter keeps track of. Unless your session gets expired, either forcefully by logging out or due to your own session expire settings, codeigniter should only be writing 1 row per unique session in your database. Make sure you have your sess_expiration variable in config.php set to something realistic.
I don't see how removing the underscore from your cookie name could have fixed this, as the name has nothing to do with how sessions work in general.
You can user something like this.
When the user tries to access a page like
http://test.com/userpage.php
If he is not logged in, redirect him to
http://test.com/login.php?redirectpage=userpage.php
(This redirect will be done by userpage.php after checking the login status from the cookie or the session.)
The login page has the value "redirectpage" and once the user logs in at the login page, redirect him to the page he was previously trying to visit.
You will have to check the user login status in all the pages that you need the user to be logged in.
Solved it.
My problem was not how to redirect or how to store data. My problem was the application creating two sessions per request.
I changed the name of my cookie to something that didn't include underscores and voila, fixed. One session per request and everything works as it should.
What's the best practice for making sure that certain ajax calls to certain pages are only accepted from authenticated users?
For example:
Let's say that I have a main page called blog.php (I know, creativity abounds). Let's also say that there is a page called delete.php which looks for the parameter post_id and then deletes some entry from a database.
In this very contrived example, there's some mechanism on blog.php which sends a request via ajax to delete.php to delete an entry.
Now this mechanism is only going to be available to authenticated users on blog.php. But what's to stop someone from just calling delete.php with a bunch of random numbers and deleting everything in site?
I did a quick test where I set a session variable in blog.php and then did an ajax call to delete.php to return if the session variable was set or not (it wasn't).
What's the accepted way to handle this sort of thing?
OK. I must have been crazy the first time I tried this.
I just did another test like the one I described above and it worked perfectly.
You were correct in trying to use session variables. Once your user authenticates, you should store that information in their session so that each subsequent page view will see that. Make sure you are calling session_start() on both pages (blog.php and delete.php) before accessing $_SESSION. Also make sure you have cookies enabled -- and if not, you should pass an additional parameter in the query string, usually PHPSESSID=<session_id()>.
It is not recommended that you rely on sessions for authentication without taking additional actions.
Read more on.