patternphpMinor
Login system with session using CodeIgniter
Viewed 0 times
withsystemloginusingsessioncodeigniter
Problem
I implemented a login system, with session, using CodeIgniter.
If the session doesn't exist, redirect to login page.
Please review, and let me know what can be done to make it better.
view (login.php)
verify.php (controller)
Dashboard.php (dashboard controller)
```
class Dashboard extends Check_Logged
{
public function __construct()
{
parent::__construct();
$this->load->helper(['form', 'url']);
$this-
If the session doesn't exist, redirect to login page.
Please review, and let me know what can be done to make it better.
view (login.php)
'loginForm', 'name' => 'loginForm', 'method' => 'post'])?>
-->
verify.php (controller)
class Verify extends CI_Controller
{
public function __construct()
{
parent::__construct();
$this->load->helper(['form', 'url', 'security']);
$this->load->library(['form_validation', 'encryption','session']);
$this->load->model('User_Model');
}
public function index()
{
$this->form_validation->set_rules('email','Email','required|trim|xss_clean');
$this->form_validation->set_rules('password','Password','required|trim|xss_clean|callback_check_password');
if ($this->form_validation->run() === FALSE) {
$this->load->view('admin/login');
} else {
redirect(base_url('dashboard/dash'));
}
}
/*login process*/
public function check_password($password)
{
$email = $this->input->input_stream('email', TRUE);
$password = hash('sha256', $password);
$result = $this->User_Model->login($email,$password);
if($result != null){
foreach ($result as $row) {
$sess_data = [
'username' => $row->username,
'user_id' => $row->id
];
$this->session->set_userdata('logged_in', $sess_data);
}
return TRUE;
} else {
$this->form_validation->set_message('check_database', 'invalid username and password');
return FALSE;
}
}
public function logout($page = 'login')
{
$this->session->unset_userdata('logged_in');
session_destroy();
redirect(base_url('login'),'refresh');
}
}Dashboard.php (dashboard controller)
```
class Dashboard extends Check_Logged
{
public function __construct()
{
parent::__construct();
$this->load->helper(['form', 'url']);
$this-
Solution
- Validating emails is hard, and it's not a good idea to do it on your own with a regex. Here are a couple of valid email addresses you would not allow (there are a lot more):
"foo"@bar.com,foo+spam@bar.com,!#$%&'*+-/=?^_{|}~@foo.com. And even though it's so strict, it still lets through invalid addresses such asfoo@example.com](because the regex is actually broken).
- Use
type="email"and let the browser handle the validation for you.
- Don't use sha256, it's too fast. Use bcrypt or similar instead.
- I wouldn't call
xss_cleanon user input. XSS should be prevented when printing data, not when receiving it. This is especially important for passwords, asxss_cleanwill weaken some passwords - possibly considerably.
- Your controllers aren't named all that well. What does
verifyverify? and does it only verify?Check_Loggedcould also be better named. MaybeBaseAdminControlleror something.
- all your methods are public, even though quite a lot of them could be private, making your classes more complicated than they need to be.
- Having to check if the user is logged in in each of the admin controller methods seems annoying, and could easily be forgotten. I would handle that case in the base controller
Check_Logged, and then show the login page.
- You handle the not-logged-in case differently in different methods, without any apparent reason. Sometimes it's
$this->load->view('admin/login');, sometimesredirect('login');, orredirect(base_url('login'),'refresh');. If there is a reason for the difference, I would comment on it. Otherwise, handle the same thing the same way to avoid confusion.
Context
StackExchange Code Review Q#116089, answer score: 3
Revisions (0)
No revisions yet.