
What is the proper way to secure a CodeIgniter 2 application with authentication?

I have Ion Auth properly installed and working on my server. I also have the default CodeIgniter 2 "news" tutorial working in the same CI installation. I'm just playing around and curious about the proper way to use the authentication system to "enclose" or protect an entire application.

For this question, let's use the "news" tutorial that comes with CI.

Inside the index() function in my news.php controller, I added conditional code to check if the user is logged in. If not, the user is just taken to the login screen.

public function index() {
    $data['news'] = $this->news_model->get_news();
    $data['title'] = 'News archive';
    if ($this->ion_auth->logged_in()) {
        $this->load->view('templates/header', $data);
        $this->load->view('news/index', $data);
        $this->load->view('templates/footer');
    } else {
        redirect('auth/login', 'refresh');
    }
}

I can see this works, but the immediate downside is that every function within the controller would also have to be modified with similar conditional logic to protect all other page views. E.g. check for login, display page, else go to login page... over and over.

Is this the way it's supposed to be done?

What if an application is already built and working and one simply wants to protect it all? Adding conditional logic to check login status on every single page view within the controller seems unnecessarily verbose.

Can the whole application (all views) be protected in one place to minimize code modification? If so, how?

To protect an entire controller, you can put the auth check into the __construct() call as eric.itzhak mentioned.

To protect an entire application, you can extend the CI_Controller class, put the auth in the constructor of that file, and then finally extend MY_Controller instead of CI_Controller in each of your controllers.

Code examples:

/* File: application/core/MY_Controller.php */
class MY_Controller extends CI_Controller
{
    function __construct()
    {
        parent::__construct();

        if ( ! $this->ion_auth->logged_in())
        {
            redirect('auth/login');
        }
    }
}

And then, in each controller (note MY_Controller, not CI_Controller):

class Controller_name extends MY_Controller
{
    function __construct()
    {
        parent::__construct();
    }

    // rest of controller methods
}

These code examples assume you're autoloading (you might as well) the Ion Auth library. If not, load the library in the MY_Controller file as necessary.

There are two advantages to this method:

  1. You only have to change the CI_Controller to MY_Controller in each controller you want to protect.
  2. You don't have to protect everything, which is helpful if you need to have an unprotected controller, i.e. the controller containing the auth methods (you won't be able to log in if your auth controller requires you to be logged in :P -- there will be a redirect loop).

Constructor is the way to go. Something else to think about -- it's going to be more flexible if you call your own method instead of Ion Auth directly. Typically part of the logged-in process is getting unique values that are shown in the view, or an id used to keep track of the session, etc. etc. Example: show the user name on the page.

So push the Ion Auth logged-in check to a model, add a method for getting the user info or whatever you need. For each method, return false if it doesn't work. And then in your constructor check if it was returned:

function __construct()
{
    parent::__construct();

    // load the model that wraps the Ion Auth check
    $this->load->model('customer_model');

    // if logged in, $this->customer is available to all methods in the class;
    // verifyLogin() returns false when nobody is logged in
    if ( ! $this->customer = $this->customer_model->verifyLogin())
    {
        redirect('auth/login', 'refresh');
    }
}

public function index()
{
    // pass customer to the view data
    $data['customer'] = $this->customer;

    // $customer->name will now be available in the view
}
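As an added example (not code from any of the answers above), here is the accepted answer's MY_Controller approach combined with the previous answer's idea of loading the user record once in the constructor, plus the two things the answers warn about: the auth controller is skipped so there is no redirect loop, and the check fails closed for AJAX callers that cannot follow a redirect. The `$public_controllers` list, the `$current_user` property and the `redirect_after_login` session key are names chosen for this example; everything else is the stock CI2 and Ion Auth API.

```php
<?php
/* File: application/core/MY_Controller.php (added example) */
class MY_Controller extends CI_Controller
{
    // Controllers reachable without a session, e.g. the one holding Ion Auth's
    // login method. Without this the login page would redirect to itself.
    protected $public_controllers = array('auth');

    // The logged-in user's record, loaded once for every method and view.
    public $current_user = null;

    function __construct()
    {
        parent::__construct();
        $this->load->library('ion_auth');   // no-op if already autoloaded
        $this->load->library('session');
        $this->load->helper('url');

        // fetch_class() is the routed controller name, lowercase
        if (in_array($this->router->fetch_class(), $this->public_controllers)) {
            return;                          // public controller, no check
        }

        if ( ! $this->ion_auth->logged_in()) {
            if ($this->input->is_ajax_request()) {
                // an XHR caller cannot show a login page: fail closed with 403
                $this->output->set_status_header(403);
                exit;
            }
            // remember the requested URI so auth/login can send the user back
            $this->session->set_userdata('redirect_after_login',
                                         $this->uri->uri_string());
            redirect('auth/login', 'refresh');
        }

        // Ion Auth's user() returns the current user's row (id, username, ...)
        $this->current_user = $this->ion_auth->user()->row();
    }
}

/* File: application/controllers/news.php (added example) */
class News extends MY_Controller
{
    public function index()
    {
        $this->load->model('news_model');
        $data['news']  = $this->news_model->get_news();
        $data['title'] = 'News archive';
        $data['user']  = $this->current_user;  // $user->username in the view
        $this->load->view('templates/header', $data);
        $this->load->view('news/index', $data);
        $this->load->view('templates/footer');
    }
}
```

The auth controller itself keeps extending CI_Controller (or stays in `$public_controllers`), and its login method can read `redirect_after_login` from the session to return the user to the page they asked for.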

I think the right logic would be to check the user status inside the __construct method as it will be done each time the controller is used. It won't protect the entire CI application, just the methods in this controller, but I think this will do for your case.

Try this:

public function __construct()
{
    parent::__construct();   // required so the CI core (and Ion Auth) is loaded

    // runs before every method of this controller
    if ( ! $this->ion_auth->logged_in())
    {
        redirect('auth/login', 'refresh');
    }
}
