HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpMinor

Login system with session using CodeIgniter

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
withsystemloginusingsessioncodeigniter

Problem

I implemented a login system, with session, using CodeIgniter.
If the session doesn't exist, redirect to login page.
Please review, and let me know what can be done to make it better.

view (login.php)


 'loginForm', 'name' => 'loginForm', 'method' => 'post'])?>
    
      

      

       -->
      
    


verify.php (controller)

class Verify extends CI_Controller
{
public function __construct()
{
    parent::__construct();

    $this->load->helper(['form', 'url', 'security']);
    $this->load->library(['form_validation', 'encryption','session']);
    $this->load->model('User_Model');

}

public function index()
{
    $this->form_validation->set_rules('email','Email','required|trim|xss_clean');
    $this->form_validation->set_rules('password','Password','required|trim|xss_clean|callback_check_password');

    if ($this->form_validation->run() === FALSE) {
        $this->load->view('admin/login');

    } else {
        redirect(base_url('dashboard/dash'));

    }
}

/*login process*/

public function check_password($password)
{
    $email = $this->input->input_stream('email', TRUE);
    $password = hash('sha256', $password);

    $result = $this->User_Model->login($email,$password);
    if($result != null){
        foreach ($result as $row) {
            $sess_data = [
                'username' => $row->username,
                'user_id' => $row->id
            ];
            $this->session->set_userdata('logged_in', $sess_data);
        }
        return TRUE;
    } else {
        $this->form_validation->set_message('check_database', 'invalid username and password');
        return FALSE;
    }
}

public function logout($page = 'login')
{
    $this->session->unset_userdata('logged_in');
    session_destroy();
    redirect(base_url('login'),'refresh');
}
}


Dashboard.php (dashboard controller)

```
class Dashboard extends Check_Logged
{
public function __construct()
{
parent::__construct();

$this->load->helper(['form', 'url']);
$this-

Solution


  • Validating emails is hard, and it's not a good idea to do it on your own with a regex. Here are a couple of valid email addresses you would not allow (there are a lot more): "foo"@bar.com, foo+spam@bar.com, !#$%&'*+-/=?^_{|}~@foo.com. And even though it's so strict, it still lets through invalid addresses such as foo@example.com] (because the regex is actually broken).



  • Use type="email" and let the browser handle the validation for you.



  • Don't use sha256, it's too fast. Use bcrypt or similar instead.



  • I wouldn't call xss_clean on user input. XSS should be prevented when printing data, not when receiving it. This is especially important for passwords, as xss_clean will weaken some passwords - possibly considerably.



  • Your controllers aren't named all that well. What does verify verify? and does it only verify? Check_Logged could also be better named. Maybe BaseAdminController or something.



  • all your methods are public, even though quite a lot of them could be private, making your classes more complicated than they need to be.



  • Having to check if the user is logged in in each of the admin controller methods seems annoying, and could easily be forgotten. I would handle that case in the base controller Check_Logged, and then show the login page.



  • You handle the not-logged-in case differently in different methods, without any apparent reason. Sometimes it's $this->load->view('admin/login');, sometimes redirect('login');, or redirect(base_url('login'),'refresh');. If there is a reason for the difference, I would comment on it. Otherwise, handle the same thing the same way to avoid confusion.

Context

StackExchange Code Review Q#116089, answer score: 3

Revisions (0)

No revisions yet.