Password protecting pages with CodeIgniter
Recently, I was working on a CodeIgniter site for a customer. They wanted to go live with the site’s domain, but they wanted to hide everything on the site behind a very simple password that only the site owners would know. That way only the development team and a few internal stakeholders would have access.
Adding this kind of password protection is pretty easy in CodeIgniter. All you have to do is add a quick check in your main controller’s constructor to see if a session variable has been set. For example:
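class Welcome extends Controller {

    function __construct(){
        parent::Controller();
        $this->load->helper('url'); // redirect() comes from the url helper
        session_start();
        // empty() also covers a session where loggedin was never set
        if (empty($_SESSION['loggedin'])){
            redirect('protect/preview','refresh');
        }
    }//end controller init

    //rest of controller excised
}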
Create a second controller called protect.php and set up a preview() function inside of it. The preview() function checks to see if a POST has been passed to it. If it has, simply check to see if the string from the password field matches the secret password. In this case, we are hard-coding the password right in the controller, but you could just as easily grab it from an XML file or database table.
If the password matches, set the session value for loggedin to true, then send them back to the original welcome controller. Otherwise, show the view.
Here’s the protect controller:
class Protect extends Controller {

    function __construct(){
        parent::Controller();
        session_start();
        // set_flashdata() needs the session library;
        // redirect() and form_open() need the url and form helpers
        $this->load->library('session');
        $this->load->helper(array('url','form'));
    }//end controller init

    function preview(){
        if ($_POST){
            // strict comparison against the hard-coded password
            if (strtolower($this->input->post('pw')) === "mypassword"){
                $_SESSION['loggedin'] = true;
                redirect('welcome/index','refresh');
            }else{
                $this->session->set_flashdata('warning',"Wrong Password!");
                redirect('protect/preview','refresh');
            }
        }else{
            $data['title'] = "No sneak peeks allowed!";
            $this->load->vars($data);
            $this->load->view('preview_template');
        }
    }
}//end class
Finally, create a very simple preview_template view to hold the form and display any warning messages that are stored in CodeIgniter 1.6’s new flashdata component:
<h1><?php echo $title;?></h1>
<p>You have to login to see the site! Sorry about that.
<b style='color:red'>
<?php echo $this->session->flashdata('warning');?>
</b></p>
<?php
echo form_open('protect/preview');
echo form_password('pw');
echo form_submit('submit','get sneak peek');
?>
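The password check and session flag from the two controllers above, in a hardened form. This is an added example, not code from the original post: it is plain PHP rather than CodeIgniter, assumes PHP 5.5 or later for password_hash() and password_verify(), and the three function names are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes PHP 5.5+ for
// password_hash()/password_verify(); the helper names are hypothetical.
//
// Create the hash once, offline, and keep only the hash in your config:
//   php -r 'echo password_hash("mypassword", PASSWORD_DEFAULT), "\n";'

// True only if $submitted matches the stored hash.
function preview_password_ok($submitted, $storedHash)
{
    // A request can omit pw or send it as an array (pw[]=x): reject both.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // Unlike the strtolower() check, this comparison is case-sensitive.
    return password_verify($submitted, $storedHash);
}

// Call after a successful check, with the session already started.
function grant_preview_access()
{
    // Issue a fresh session id so an id fixed before login is not upgraded.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
}

// Gate for the main controller's constructor.
function has_preview_access(array $session)
{
    // The key must exist and hold boolean true, nothing merely truthy.
    return isset($session['loggedin']) && $session['loggedin'] === true;
}

// Demonstration with constructed values (command line only).
if (PHP_SAPI === 'cli') {
    $hash = password_hash('mypassword', PASSWORD_DEFAULT); // constructed sample
    var_dump(preview_password_ok('mypassword', $hash));
    var_dump(preview_password_ok('MyPassword', $hash));
    var_dump(preview_password_ok(array('x'), $hash));
    var_dump(has_preview_access(array()));
    var_dump(has_preview_access(array('loggedin' => 'yes')));
    var_dump(has_preview_access(array('loggedin' => true)));
}
```

In the Protect controller, preview_password_ok($this->input->post('pw'), $hash) would replace the string comparison and grant_preview_access() would replace the direct assignment to $_SESSION['loggedin'].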
Source: blog.tripledogs.com/post/216
July 8th, 2009 at 8:45 am
Thanks for the example code. Here are some notes and fixes I found helpful in implementing it on my own site:
1) Reminder that you need to load the url and session helpers:
function RawDB()
{
parent::Controller();
$this->load->library('session');
$this->load->helper('url');
…
2) Check for the loggedin flag by existence, not value (otherwise you need to add it to the cookie with a ‘false’ value. That makes it visible to and editable by the user, which is obviously risky for security)
# *** Check for access privileges
session_start();
// isset() tests for the key; in_array() would search the session's values
if (!isset($_SESSION['loggedin'])) {
    redirect('/protect/preview','refresh');
}
December 8th, 2009 at 12:56 pm
You could indeed pass an array to the third parameter of the function call. However, I felt that it should be unnecessary and inconvenient, I wanted to be able to pass a minimal number of parameters without breakage. It has been recognised as a bug and fixed in the SVN repository.