I have created a sign-up and login for my website and all validation works fine for both sign-up and login. After user provides valid credentials he/she is logged into the member area with a welcome message that says Hello first_name last_name.. basically first name and last name is grabbed from database.
Any way I want to do is restrict the member area to only logged in users. Anyone else will be redirected to homepage or login page or where ever I decide they should be redirected to.
I used ci_sessions which are stored in a table "ci_sessions" in my database. Session_id, ip_address, user_agent, last_activity and user_data are the columns. So I guess that's some form of security rather than have a cookie stored on the users browser alone there is more.
Anyway right now to stop anyone else apart from logged in users to access my website member area e.g. http://example.com/member_area I use a simple if statement in my controller for the member area:
if (! $this->session->userdata('first_name'))
{
redirect('login');
}
This checks to see whether the person who is attempting to access the member area page has some kind of data stored in user_data in my ci_sessions table such as a first_name and if so allows them to access the page meaning they must have logged in and still have an active session.
If nothing is found in the database they are redirected to the websites login page. What I want to know is if there is a better way of doing this? Is the way I'm doing it now secure enough?
Below is my model code:
<?php
class Current_User {
private static $user;
private function __construct() {}
public static function user() {
if(!isset(self::$user)) {
$CI =& get_instance();
$CI->load->library('session');
if (!$user_id = $CI->session->userdata('user_id')) {
return FALSE;
}
if (!$u = Doctrine::getTable('User')->find($user_id)) {
return FALSE;
}
self::$user = $u;
}
return self::$user;
}
public static function login($email, $password) {
// get User object by email
if ($u = Doctrine::getTable('User')->findOneByEmail($email)) {
// to ge the mutated version of the input password
$u_input = new User();
$u_input->password = $password;
// password match
if ($u->password == $u_input->password) {
$CI =& get_instance();
$CI->load->library('session');
$CI->session->set_userdata('user_id',$u->id);
$CI->session->set_userdata('username',$u->username);
$CI->session->set_userdata('first_name',$u->first_name);
$CI->session->set_userdata('last_name',$u->last_name);
self::$user = $u;
return TRUE;
}
unset($u_input);
}
// login failed
return FALSE;
}
public function __clone() {
trigger_error('No duplicates allowed.', E_USER_ERROR);
}
}
All your advice is appreciated.
UPDATE
How about adding this to my model
$CI->session->set_userdata('logged_in', 'TRUE');
This basically adds "logged_in" to my user data in session in DB with the value "TRUE". in my controller for my "member area" I have edited the if statement to say this:
if (! $this->session->userdata('logged_in')==TRUE)
{
redirect('login');
}
If the item doesn't exist "which it won't if a user isn't logged in" then FALSE will be returned and user will be redirected to login page
What do you think?
or I could even make TRUE something secret like dsb453rerfksdhbdsks322 for example. Something random.
