I am looking for some advice on how to create a secure authentication/authorization model for my application. I am writing this for CakePHP but would like to be able to take this model to any application. If I could get opinions on my model and how to make it better, I would really appreciate it. This is what I have:
Each view that I want to protect has the following code in its controller:
$getUser = $this->Session->read('get_logged_user');
if ($getUser == null) {
    // no credentials in the session: the user never logged in, so show the login page
    $this->render('../Elements/User/login');
} else {
    if ($getUser->isAuthenticated == false) {
        // a session object exists, but the user is not authenticated
        $this->render('../Elements/User/login');
    } else {
        // it's OK, show the page; if roles need checking, iterate over the roles array
    }
}
Essentially, I check to see if the correct session is available. If it's not, they never logged in, so redirect to the login page. If so, check authorization. My session is a class made up of the following: first/last name, user name, an array of roles, and an isAuthenticated boolean. When the user logs in to my app, this object is created and put into the session. The class authenticates against a database and pulls back all essential info on the user (name, roles, etc.). The roles can be further used by the app to determine what the user can and cannot see and interact with. When the user clicks the "log out" button, this session object gets destroyed.
Is this method secure? Should I also be using tokens or something? If more code is needed, let me know and I can post it. I know CakePHP has a security plugin, but I would rather create my own from scratch.
Thanks!
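As an added example that is not part of the original post, here is the same session-based model written in framework-agnostic PHP with the checks a reviewer would look for: the session id is regenerated at login (against session fixation), passwords are verified with password_hash/password_verify, the session stores only the user id and roles, a per-session CSRF token answers the "should I use tokens" question, and logout clears the cookie as well as the server-side data. The $USERS array and the 'alice' entry are constructed sample data; in practice the lookup would hit the database as the post describes.

```php
<?php
declare(strict_types=1);

// Cookie flags keep the session id away from scripts and plain HTTP; SameSite limits CSRF exposure.
session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);

// Constructed sample user store (hypothetical); hashes come from password_hash(), never plaintext.
$USERS = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'roles' => ['admin']],
];

function login(array $users, string $username, string $password): bool {
    $user = $users[$username] ?? null;
    // Always run password_verify so an unknown username takes the same time as a wrong password.
    $hash = $user['hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        return false;
    }
    session_regenerate_id(true); // a fresh id on login defeats session fixation
    $_SESSION['user'] = ['id' => $user['id'], 'roles' => $user['roles'], 'login_at' => time()];
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // per-session anti-CSRF token
    return true;
}

// Authorization check for a protected action: logged in, and holding one of the required roles.
function isAllowed(array $requiredRoles): bool {
    $user = $_SESSION['user'] ?? null;
    if ($user === null) {
        return false;
    }
    return $requiredRoles === [] || array_intersect($requiredRoles, $user['roles']) !== [];
}

// Compare a submitted CSRF token with the session copy in constant time.
function csrfTokenValid(?string $submitted): bool {
    return $submitted !== null && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected controller action would call isAllowed(['admin']) before rendering and csrfTokenValid($_POST['csrf_token'] ?? null) on every state-changing request; because the roles live in the session, they should be reloaded from the database when an administrator changes them, or the old roles stay in force until the next login.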