将特定页面限制为仅在 Codeigniter 中登录用户的最佳实践是什么? [英] What is the best practice for restricting specific pages to logged in users only in Codeigniter?
问题描述
我已经为我的网站创建了一个注册和登录,并且所有的验证都适用于注册和登录.用户提供有效凭据后,他/她将通过欢迎消息登录会员区,上面写着 Hello first_name last_name.. 基本上是从数据库中获取名字和姓氏.
I have created a sign-up and login for my website and all validation works fine for both sign-up and login. After user provides valid credentials he/she is logged into the member area with a welcome message that says Hello first_name last_name.. basically first name and last name is grabbed from database.
我想做的任何方式都是将会员区限制为仅登录用户.其他任何人都将被重定向到主页或登录页面,或者我决定将他们重定向到的任何地方.
Any way I want to do is restrict the member area to only logged in users. Anyone else will be redirected to homepage or login page or where ever I decide they should be redirected to.
我使用了 ci_sessions,它们存储在我的数据库的ci_sessions"表中.Session_id、ip_address、user_agent、last_activity 和 user_data 是列.所以我想这是某种形式的安全,而不是将 cookie 单独存储在用户浏览器上.
I used ci_sessions which are stored in a table "ci_sessions" in my database. Session_id, ip_address, user_agent, last_activity and user_data are the columns. So I guess that's some form of security rather than have a cookie stored on the users browser alone there is more.
无论如何现在阻止除登录用户之外的任何其他人访问我的网站会员区,例如http://example.com/member_area 我在成员区的控制器中使用了一个简单的 if 语句:
Anyway right now to stop anyone else apart from logged in users to access my website member area e.g. http://example.com/member_area I use a simple if statement in my controller for the member area:
if (! $this->session->userdata('first_name'))
{
redirect('login');
}
这会检查尝试访问会员区页面的人是否在我的 ci_sessions 表中的 user_data 中存储了某种数据,例如 first_name,如果是,则允许他们访问该页面,这意味着他们必须已登录并且仍然有一个活动会话.
This checks to see whether the person who is attempting to access the member area page has some kind of data stored in user_data in my ci_sessions table such as a first_name and if so allows them to access the page meaning they must have logged in and still have an active session.
如果在数据库中未找到任何内容,它们将被重定向到网站登录页面.我想知道的是是否有更好的方法来做到这一点?我现在这样做的方式是否足够安全?
If nothing is found in the database they are redirected to the websites login page. What I want to know is if there is a better way of doing this? Is the way I'm doing it now secure enough?
以下是我的模型代码:
<?php
class Current_User {
private static $user;
private function __construct() {}
public static function user() {
if(!isset(self::$user)) {
$CI =& get_instance();
$CI->load->library('session');
if (!$user_id = $CI->session->userdata('user_id')) {
return FALSE;
}
if (!$u = Doctrine::getTable('User')->find($user_id)) {
return FALSE;
}
self::$user = $u;
}
return self::$user;
}
public static function login($email, $password) {
// get User object by email
if ($u = Doctrine::getTable('User')->findOneByEmail($email)) {
// to ge the mutated version of the input password
$u_input = new User();
$u_input->password = $password;
// password match
if ($u->password == $u_input->password) {
$CI =& get_instance();
$CI->load->library('session');
$CI->session->set_userdata('user_id',$u->id);
$CI->session->set_userdata('username',$u->username);
$CI->session->set_userdata('first_name',$u->first_name);
$CI->session->set_userdata('last_name',$u->last_name);
self::$user = $u;
return TRUE;
}
unset($u_input);
}
// login failed
return FALSE;
}
public function __clone() {
trigger_error('No duplicates allowed.', E_USER_ERROR);
}
}
感谢您的所有建议.
更新
如何将它添加到我的模型中
How about adding this to my model
$CI->session->set_userdata('logged_in', 'TRUE');
这基本上将logged_in"添加到数据库中会话中的用户数据中,值为TRUE".在我的会员区"控制器中,我编辑了 if 语句来说明这一点:
This basically adds "logged_in" to my user data in session in DB with the value "TRUE". in my controller for my "member area" I have edited the if statement to say this:
if (! $this->session->userdata('logged_in')==TRUE)
{
redirect('login');
}
如果该项目不存在如果用户未登录则不存在",则将返回 FALSE 并将用户重定向到登录页面
If the item doesn't exist "which it won't if a user isn't logged in" then FALSE will be returned and user will be redirected to login page
你怎么看?
或者我什至可以制作 TRUE 一些秘密,例如 dsb453rerfksdhbdsks322.一些随机的东西.
or I could even make TRUE something secret like dsb453rerfksdhbdsks322 for example. Something random.
推荐答案
你已经一针见血,但有一个稍微更有效的方法来做到这一点.
You've hit the nail on the head, but there's a slightly more efficient way to do it.
以一种方式扩展基本控制器(我相信最初由 Phil Sturgeon 概述)但我将在此处进行总结:
Extend the base controllers, one way (i believe originally outlined by Phil Sturgeon) but I'll summarise here:
请参阅这篇文章 一篇非常深入的文章.
See this article for a very indepth write up.
但本质上:
<?php
class MY_Controller extends Controller
{
function __construct()
{
parent::Controller();
if (! $this->session->userdata('first_name'))
{
redirect('login'); // the user is not logged in, redirect them!
}
}
}
所以现在如果你想限制访问,只需:
so now if you want to restrict access, simply:
class Secret_page extends MY_Controller {
// your logged in specific controller code
}
并且扩展控制器会自动检查用户是否在构造函数中登录.
and the extended controller will automatically check if the user is logged in in the constructor.
至于如何,我可能会将 user_id 设置为检查其是否设置的值,或者可能是用户组" - 然后您可以获得系统中的用户权限和不同级别的访问权限.
as for how, I'd probably set the user_id as the value to check if its set, or perhaps a user "group" - then you can get user permissions and varying levels of access in your system.
希望这会有所帮助.
编辑
将此添加到 application/config.php
Add this to application/config.php
/*
| -------------------------------------------------------------------
| Native Auto-load
| -------------------------------------------------------------------
|
| Nothing to do with cnfig/autoload.php, this allows PHP autoload to work
| for base controllers and some third-party libraries.
|
*/
function __autoload($class)
{
if(strpos($class, 'CI_') !== 0)
{
@include_once( APPPATH . 'core/'. $class . EXT );
}
}
当您使用 CI 2.0 时,您需要将 MY_Controllers 放置在 Application/CORE 而不是 Libraries 中.
As you are using CI 2.0, you will need to place the MY_Controllers inside Application/CORE rather than Libraries.
我的应用程序/核心看起来有点像:
My Application/Core Looks a little like:
Admin_Controller.php
MY_Controller.php
Public_Controller.php
这篇关于将特定页面限制为仅在 Codeigniter 中登录用户的最佳实践是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!