User authentication with CodeIgniter - php

I am writing a web application using PHP. I want to use the MVC pattern for this, and decided to go with CodeIgniter. My application will have some pages which will require authentication, and some pages won't. I want to design this in a very generic way, so that there should be no code duplication. Can any one point to some good "design/class structure" for this?

Write a custom library that you can autoload in your CodeIgniter app on every page view. It should have functions that:
Authenticate the user, i.e. check if a user is logged in or not
Log you in, i.e. set a session variable or something
Log you out
Then in your controller classes you can call the authentication function in the constructor and, depending on the outcome, continue as normal or redirect them to a login screen with an access denied message.
Do a search on the CodeIgniter wiki for 'authentication' and there are a number of results that may help: http://codeigniter.com/wiki/

"Ion Auth" is lean, well-programmed, somewhat widely used and is actively maintained.
http://github.com/benedmunds/CodeIgniter-Ion-Auth

If by "some pages" you mean some controllers (the gateway to your views), then you may want to investigate controller inheritance. Extend the default CodeIgniter controller with your own and put an authentication check in the constructor (check the session for a logged-in flag or something and, if not logged in, redirect to the login page). Then, all controllers that require authentication will need to extend your new parent controller. That's it.
Head on over to the CodeIgniter forums and search for some different ways to extend the controller. Here is one http://codeigniter.com/forums/viewthread/89768/#452890
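The two answers above describe the same design from two sides: an autoloaded library that knows how to check, set and clear the login state, and a parent controller whose constructor calls it so that protected controllers only have to choose their parent. The following is an added example of that wiring, not code from either answer. It assumes CodeIgniter 3 (the session library's sess_regenerate() is CI 3 only), a users table with id, username and password_hash columns (table and column names are assumptions), and a login controller reachable at /login.

```php
<?php
// application/libraries/Auth.php
// Autoload this via $autoload['libraries'] = array('auth'); in config/autoload.php.
class Auth
{
    protected $ci;

    public function __construct()
    {
        $this->ci =& get_instance();
        $this->ci->load->library('session');
        $this->ci->load->database();
    }

    // Authenticate: is a user logged in on this session?
    public function is_logged_in()
    {
        return (bool) $this->ci->session->userdata('user_id');
    }

    // Log in: verify the password against the stored hash, then mark the session.
    public function login($username, $password)
    {
        // Query builder binds the value, so the username cannot inject SQL.
        $row = $this->ci->db->get_where('users', array('username' => $username))->row();
        if ($row === null || !password_verify($password, $row->password_hash)) {
            return false;
        }
        // Issue a fresh session id on privilege change so a pre-login id
        // handed to the victim (session fixation) is not promoted to logged in.
        $this->ci->session->sess_regenerate(true);
        $this->ci->session->set_userdata('user_id', (int) $row->id);
        return true;
    }

    // Log out: drop the whole session, not just the flag.
    public function logout()
    {
        $this->ci->session->sess_destroy();
    }
}

// application/core/MY_Controller.php
// Base for every controller: loads the library once.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('auth');
        $this->load->helper('url');
    }
}

// Controllers that require a login extend this one instead of CI_Controller.
// redirect() sends the Location header and exits, so the action never runs
// for an anonymous visitor.
class Auth_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        if (!$this->auth->is_logged_in()) {
            $this->session->set_flashdata('error', 'Access denied, please log in.');
            redirect('login');
        }
    }
}

// application/controllers/Admin.php
// Protected purely by its choice of parent; no per-action checks needed.
class Admin extends MY_Controller
{
    public function index()
    {
        $this->load->view('admin_dashboard');
    }
}
```

The last class is shown extending MY_Controller only to make the point that the mistake this design guards against is a controller that picks the wrong parent; in practice Admin would extend Auth_Controller. Keep the check in the constructor rather than in each action so a newly added action cannot forget it.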

Maybe you can use the CL_AUTH library for CI. I've used it and it works well. You can find it here: http://www.jasonashdown.co.uk/cl_auth_doc/

I was looking into the same thing recently, and I found a CodeIgniter fork called Kohana that includes a nice authentication module. If you are set on CI, maybe adapting Kohana's auth module backwards to CI would save you some time? If you have just started out on your project and PHP5 is OK to use, consider switching over; they are very similar frameworks.

Visit GitHub and search for CodeIgniter Auth or Authentication, or check the CodeIgniter Wiki; you'll find many libraries with different features. Explore them and choose the one you need! But be careful: many are for CI 2, and you have to ucfirst the classes to use them with CI 3, otherwise they don't work at all.

Use flexi auth, a modified version of the popular Ion Auth library. It's more advanced and does the whole job out of the box.
flexi auth is a free open source user authentication/login library for use with the CodeIgniter 2.0+ framework.
I know it's too late but I hope someone else will find it helpful. Cheers!

Related

How do I pass session data to CKFinder with CodeIgniter 3.x?

I know there is already an existing question identical to this (How do I pass session to ckfinder in codeigniter 3?) but it does not help at all. There's only 1 answer and it does not work for me and very little explanation is provided.
I have a CI site in which a user can log in and edit some stuff using CKEditor. I've installed CKFinder as well, but I'm unable to pass any session data to the CKFinder config file in order to authenticate the login for security. The global $_SESSION variable just returns Array() 1 and doesn't contain any of the session data (and yes, I'm using session_start();).
Using the other post's answer as a foundation, I tried retrieving data from $_COOKIE but there didn't seem to be anything particularly useful. There is no ci_session in the cookie data. The closest thing is PHPSESSID but I couldn't get anything useful from that.
Any help would be appreciated. I've spent too long on this project already. Thanks!
You should not be altering a config file by writing to it for each user. Since this is a commercial application I cannot view the docs for it, but this might help.
Set the link on the user page to CKfinder to only show if the user is logged in.
Set the controller CKfinder links to within CI to detect if the user is logged in or not and allowed (ie authenticated and authorized), otherwise reject the request.
Alternatively create a CI library for CKfinder that runs it from within CI.
Knowing CKeditor quite well, I am sure CKfinder will be documented quite well to integrate with frameworks and existing systems quite easily. CKeditor is a beautiful script (albeit with limitations) so I would presume the same quality applies to CKfinder.
And yes, CI session data is not available outside CI. Third party apps like this can be integrated with CI using standard includes directly or with a library etc within the CI framework. In fact one of the great things about CI is the ability to write small libraries that can easily include almost any third party app with relative ease of implementation.
This link will help:
Codeigniter 3 - Access Session from Outside Codeigniter Installation
Without further code samples or a more exact example of the problem, I am not really sure how I can help more than that. I hope it might have been of some help but it probably was not. Sorry.

User Authentication with CrudAdminGenerator

I'm using https://github.com/jonseg/crud-admin-generator to generate a simple back-end for database operations. However, I want to make it so that only an admin user can use the page.
I can't seem to find a good tutorial that is compatible with this framework. I've looked at Symfony and Silex tutorials, but neither one seems to be 'compatible'. This framework doesn't seem to have those files... Is there a tutorial / something that can help me get started with this? Is there an easy/safe way to lock down some pages in PHP that is compatible with this framework?
There is a property in the firewall named "security.access_rules"; add the path and the role there and that will let you lock down certain routes.
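As an added illustration of the answer above (not code from crud-admin-generator itself), this is what the Silex security configuration looks like when the generated back-end lives under /admin. It assumes the generator boots a Silex application in $app and that Silex's SecurityServiceProvider is available; the user name, the route prefix and the encoded password are constructed placeholders.

```php
<?php
use Silex\Provider\SecurityServiceProvider;
use Silex\Provider\SessionServiceProvider;

// The firewall needs a session to remember the authenticated user.
$app->register(new SessionServiceProvider());

$app->register(new SecurityServiceProvider(), array(
    // A firewall decides *who* the caller is for requests matching its pattern.
    'security.firewalls' => array(
        'admin' => array(
            'pattern' => '^/admin',
            // HTTP Basic for brevity; a form login is configured with 'form' => array(...)
            'http'    => true,
            'users'   => array(
                // Generate the encoded value with
                // $app['security.encoder.digest']->encodePassword('the-password', '')
                'admin' => array('ROLE_ADMIN', '<ENCODED-PASSWORD-PLACEHOLDER>'),
            ),
        ),
    ),
    // Access rules decide *what* an identified caller may reach: anything
    // under /admin additionally requires ROLE_ADMIN, so an authenticated user
    // without that role gets a 403 instead of the generated pages.
    'security.access_rules' => array(
        array('^/admin', 'ROLE_ADMIN'),
    ),
));
```

Because the firewall pattern and the access rule are both anchored with ^/admin, a route added later under that prefix is covered automatically; routes outside it stay public. HTTP Basic sends the credentials with every request, so serve the back-end over HTTPS.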

How to implement access control on functions in PHP

I'm doing something like this in my controller:
$myapp->$class->$function($params)
The vars are being extracted from the request url i.e. /class/function/field1/val1/field2/val2/.../fieldN/valN
Through the website template only certain functions are linked but clearly anyone could view the source code and try to access sensitive functions which aren't supposed to be visible.
So my question is, how can I hide some functions while allowing others to be accessed through the URL?
I want to continue using this approach if possible $myapp->$class->$function($params)
At the same time it shouldn't work for some functions in the class i.e. $myapp->Page->delPage(...) should return an error
While other functions should work i.e. $myapp->Guestbook->createPost(...)
I haven't implemented a user login yet but for example, Guestbook->createPost(...) would check that the user is logged in. But there are too many classes and functions so I don't want to have to write out a separate request page for each one, if possible.
You could have a look at how the popular PHP frameworks like Zend or Symfony handle this standard problem.
They have thought a lot about it already, and their implementation is tested by thousands of users.
Both Zend and Symfony components should be usable standalone.
Zend Framework 2 Router: http://framework.zend.com/manual/2.0/en/modules/zend.mvc.routing.html
Symfony 2 Router: http://symfony.com/doc/current/book/routing.html
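The question's dispatcher calls whatever class and method the URL names, so visibility alone cannot protect it: the only safe default is an explicit allowlist consulted before the object is touched. The following is an added example of that approach in plain PHP, not code from the question or the answer; the Page and Guestbook classes, the route table and the role ranking are constructed for illustration.

```php
<?php
class AccessDenied extends Exception {}

class Dispatcher
{
    // Route table: class => method => role required (null = public).
    // Anything not listed is unreachable from a URL, whatever its visibility,
    // so delPage is not exposed to anonymous or ordinary users even though it
    // is a public method, and private helpers can never be named in a URL.
    private $routes = array(
        'Guestbook' => array('listPosts' => null, 'createPost' => 'user'),
        'Page'      => array('show' => null,      'delPage'    => 'admin'),
    );

    private $instances;

    public function __construct(array $instances)
    {
        $this->instances = $instances;
    }

    // $path is the request path, e.g. "/Page/show/id/3"; $userRole is the
    // caller's role taken from the session (null when not logged in).
    public function dispatch($path, $userRole)
    {
        $parts = array_values(array_filter(explode('/', $path), 'strlen'));
        if (count($parts) < 2) {
            throw new AccessDenied('class and function required');
        }
        $class    = array_shift($parts);
        $function = array_shift($parts);

        // Deny before instantiating or reflecting on anything.
        if (!isset($this->routes[$class]) || !array_key_exists($function, $this->routes[$class])) {
            throw new AccessDenied("$class->$function is not exposed");
        }
        $required = $this->routes[$class][$function];
        if ($required !== null && !$this->roleSatisfies($userRole, $required)) {
            throw new AccessDenied("$class->$function requires role '$required'");
        }

        // Remaining segments are field/value pairs: field1/val1/field2/val2/...
        $params = array();
        for ($i = 0; $i + 1 < count($parts); $i += 2) {
            $params[$parts[$i]] = $parts[$i + 1];
        }
        return $this->instances[$class]->$function($params);
    }

    // Simple ordered roles; replace with per-permission checks as the app grows.
    private function roleSatisfies($have, $need)
    {
        $rank = array('user' => 1, 'admin' => 2);
        return isset($rank[$have]) && $rank[$have] >= $rank[$need];
    }
}

// Constructed stand-ins for the application's own classes.
class Page
{
    public function show($p)    { return 'page ' . (isset($p['id']) ? $p['id'] : '?'); }
    public function delPage($p) { return 'deleted ' . $p['id']; }
}
class Guestbook
{
    public function listPosts($p)  { return 'posts'; }
    public function createPost($p) { return 'created: ' . $p['text']; }
}

$d = new Dispatcher(array('Page' => new Page(), 'Guestbook' => new Guestbook()));
echo $d->dispatch('/Page/show/id/3', null), "\n";                  // public route
echo $d->dispatch('/Guestbook/createPost/text/hi', 'user'), "\n";  // needs a login
try {
    $d->dispatch('/Page/delPage/id/3', 'user');                    // user is not admin
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), "\n";
}
```

The table is the single place that has to be reviewed when a new method is added; forgetting to list it fails closed. The framework routers linked in the answer do the same job with a configuration file instead of an array.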

New to Authentication

I am new to programming and I am making a login/pass authentication system for a project in Code Igniter. I can simply secure pages by setting session and then giving access based on whether the session is set or not ... Before I jump into it ... I see many auth libraries around .. like tank auth, ion auth and so on.
My question is, why would anyone use Auth libraries? If my app is simple which means there will be just one kind of user with same permissions, do I still need Auth lib like Ion Auth?
Existing Auth libraries usually are tested by users, and their bugs and security flaws are often corrected and the code is maintained.
An own implementation of it, disregarding its simplicity, is always a test on what you know and what you can do about handling security.
There are good CI Auth libraries, but if you're going towards your own be sure to make it as safe as possible, assuming every user input is malicious... and also, go on and take a look at this article

Where to put OAuth logic?

I'm using Zend Framework in a project, and I'm creating a controller only for authentication.
In this project we'll accept that a user signs up through an account of other sites like facebook, twitter, myspace, etc.. For this we will be using OAuth. But I'm having a doubt where I should put the logic for each OAuth site related authentication? Only the facebook, for example, occupied 50 lines of code in my controller, and in this way my controllers will not be thin...
I wonder where I should put this.
Create a Zend_Auth adapter for each one of the sites, create a service only to this, what is the best way?
And sorry the poor english. :)
JF Austin has a fairly generic OAuth authentication adapter implementation that uses a Zend_Oauth_Consumer. Creating specific subclasses of this for Twitter, Facebook, etc seems to be straightforward from there. He even seems to have a Twitter adapter already. Use of the adapter is described in his blog post about it.
Alternatively, note this one by Lloyd Watkin.
Upshot: all the OAuth logic is buried inside these adapters. Your controllers can then instantiate this authentication adapter, feed it to Zend_Auth::authenticate($adapter), and then take action based upon the returned result, keeping the controller focused on the higher-level app wiring.
Your OAuth logic should live inside models, as should all your business logic. Your controller should be left to control the program flow and set up view variables for use in your view script.
Kind regards
Garry
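To make the adapter idea concrete, here is an added example of a Zend_Auth adapter that wraps a Zend_Oauth_Consumer, together with the thin controller that uses it. It is not JF Austin's or Lloyd Watkin's code. It assumes Zend Framework 1.x, Twitter's OAuth endpoint (the provider returns the user's screen_name as an access-token parameter; other providers differ), and placeholder consumer credentials and callback URL.

```php
<?php
// All provider handling is inside the adapter; the controller only sees a
// Zend_Auth_Result, which is what keeps the controller thin.
class My_Auth_Adapter_Oauth implements Zend_Auth_Adapter_Interface
{
    private $consumer;
    private $requestToken;
    private $queryData;
    private $identityParam;

    public function __construct(Zend_Oauth_Consumer $consumer,
                                Zend_Oauth_Token_Request $requestToken,
                                array $queryData, $identityParam = 'screen_name')
    {
        $this->consumer      = $consumer;
        $this->requestToken  = $requestToken;
        $this->queryData     = $queryData;
        $this->identityParam = $identityParam;
    }

    public function authenticate()
    {
        // The callback must carry the verifier for the request token we issued.
        if (empty($this->queryData['oauth_token']) || empty($this->queryData['oauth_verifier'])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array('No OAuth callback data'));
        }
        // Reject a callback for some other request token (replayed or forged link).
        if ($this->queryData['oauth_token'] !== $this->requestToken->getToken()) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null, array('Request token mismatch'));
        }
        try {
            $access = $this->consumer->getAccessToken($this->queryData, $this->requestToken);
        } catch (Zend_Oauth_Exception $e) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null, array($e->getMessage()));
        }
        $identity = $access->getParam($this->identityParam);
        if ($identity === null) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null, array('Provider returned no identity'));
        }
        // What Zend_Auth stores as the identity; the access token stays server side.
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, array(
            'provider' => 'twitter',
            'identity' => $identity,
            'token'    => $access->getToken(),
        ));
    }
}

// Thin controller: one action starts the dance, one finishes it.
class AuthController extends Zend_Controller_Action
{
    private function consumer()
    {
        return new Zend_Oauth_Consumer(array(
            'callbackUrl'    => 'https://example.com/auth/twitter-callback', // constructed
            'siteUrl'        => 'https://api.twitter.com/oauth',
            'consumerKey'    => '<CONSUMER-KEY-PLACEHOLDER>',
            'consumerSecret' => '<CONSUMER-SECRET-PLACEHOLDER>',
        ));
    }

    public function twitterAction()
    {
        $consumer = $this->consumer();
        $token = $consumer->getRequestToken();
        $_SESSION['twitter_request_token'] = serialize($token);
        $consumer->redirect();
    }

    public function twitterCallbackAction()
    {
        $requestToken = unserialize($_SESSION['twitter_request_token']);
        unset($_SESSION['twitter_request_token']); // single use
        $adapter = new My_Auth_Adapter_Oauth($this->consumer(), $requestToken, $_GET);
        $result  = Zend_Auth::getInstance()->authenticate($adapter);
        if (!$result->isValid()) {
            $this->view->errors = $result->getMessages();
            return $this->render('failed');
        }
        $this->_helper->redirector('index', 'index');
    }
}
```

A Facebook or MySpace adapter is the same class with a different consumer configuration and identity parameter, so each provider adds a small subclass rather than another fifty lines in the controller. Zend_Auth::authenticate() stores the returned identity in its session storage, which is what the rest of the application checks.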
