Simple password protected administration with CodeIgniter

March 8, 2009 Programming

Last week I took a break from Ruby/Rails development and worked on a site that uses PHP with the CodeIgniter framework.

Despite the fact that CodeIgniter has very nice documentation, I found it very difficult to find a way to do some simple things that are more or less obvious, but which can be a problem for someone who hasn’t worked with CodeIgniter before (for example, I found myself more than once looking at the CI code to figure out how it works, so I could use it).

I had to make a simple password protected administration section. One admin user, one password, no user registrations, no roles – as simple as possible. As I was using the CI framework, I decided to find a plugin/library that does this. Unfortunately, most CI authorization plugins/libraries are very bloated and too complicated for this simple task. I tried to find some examples of how to handle this simple use case, but nothing came up.

Finally I found a small authorization plugin: Erkanaauth.

First you need a user table (it must be named ‘users’). It only needs to have an id field; all other fields are optional, because you will manually specify which other columns are used. I opted for a simple id, username, password:

```sql
CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY  (`id`)
);
```

We will need to “install” the ErkanaAuth library. You should download it and unzip it.

Next we should create an Admin controller which will handle all administration tasks (remember, I’m making a simple admin here, so I don’t need to protect multiple controllers).

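```php
<?php
class Admin extends Controller {
  // Constructor: connect to the database and load the helpers and libraries
  // the admin pages use, including Erkanaauth and the session library.
  function Admin()
  {
    parent::Controller();
    $this->load->database();
    $this->load->helper(array('url', 'form', 'date'));
    $this->load->library(array('form_validation', 'upload', 'Erkanaauth', 'session'));
  }
}
?>
```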

The constructor just connects to the database and loads some standard helpers and libraries (including Erkanaauth) that are usually used.

The next step is to add a function which we can call to verify that the user is logged in:

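```php
  // Helper for the protected actions; not an action of its own.
  private function authorize()
  {
    // A user id in the session means the user is already logged in.
    if($this->erkanaauth->try_session_login())
      return true;

    // Not logged in: send the browser to the login form.
    redirect('admin/login');
  }
```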

The function uses Erkanaauth’s try_session_login, which checks whether the user is already logged in (it checks the session for a user id). If the user isn’t logged in, we’ll redirect him to our login page:

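```php
  function login()
  {
    $username = $this->input->post('username', true);
    $password = $this->input->post('password', true);
    // Only attempt a login when the form was actually submitted.
    if($username || $password)
    {
      // try_login looks for a row in users matching all given column => value pairs.
      if($this->erkanaauth->try_login(array('username' => $username, 'password' => $password)))
        redirect('admin');
    }

    // First visit or failed login: show the login form.
    $this->load->view('admin_login');
  }

  function logout()
  {
    $this->erkanaauth->logout();
    redirect('admin');
  }
```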

The key command here is try_login in the login function, which tries to find an entry in the users table that fulfills the given conditions. If your users table is different from the one I made, this is the place where you should enter your column names.
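Because the posted password is passed to try_login as a column condition, the password column has to hold the value exactly as it is typed. The following added example (not part of the original post or of Erkanaauth) stores a salted hash in the same users table and checks it at login instead. It is framework-free PHP that assumes PHP 5.5+ and pdo_sqlite, uses an in-memory SQLite database as a stand-in for MySQL, and the function names are hypothetical.

```php
<?php
// Added example: hashed password storage for the article's `users` table.
// Assumptions: PHP 5.5+ (password_hash), pdo_sqlite; SQLite in memory stands in for MySQL.

function open_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the article's table; varchar(255) has room for the hash.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username VARCHAR(255) NOT NULL,
        password VARCHAR(255) NOT NULL)');
    return $db;
}

function create_user(PDO $db, $username, $password)
{
    // Store only the salted hash, never the password itself.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
    return (int) $db->lastInsertId();
}

// Returns the user id on success, false otherwise.
function verify_login(PDO $db, $username, $password)
{
    // Look the row up by username only; the password is not part of the query.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so both
    // paths do the same amount of hashing work.
    static $dummy = null;
    if ($dummy === null) $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password'] : $dummy);

    return ($row && $ok) ? (int) $row['id'] : false;
}

// Constructed sample data.
$db = open_demo_db();
$id = create_user($db, 'admin', 'correct horse battery staple');
var_dump(verify_login($db, 'admin', 'correct horse battery staple') === $id); // right password
var_dump(verify_login($db, 'admin', 'wrong'));                                // wrong password
var_dump(verify_login($db, 'nobody', 'wrong'));                               // unknown user
```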

The logout function is just a simple call to Erkana’s logout function. Nothing special there.

Of course we also need a login page template which should contain a simple user/pass form. It’s pretty basic and you can see it if you get the complete code (see the end of the post).

Finally we have everything needed to protect any page in the Admin controller. In order to protect a page, all you need to do is add a call to the authorize function to any function you want to protect, like this:

```php
  function index()
  {
    // Redirects to the login page unless the user is logged in.
    $this->authorize();
    echo "Do something useful... For now just display logout link: ";
    echo anchor('admin/logout', "Logout");
  }
```

That’s it. Now you have a fully functional administration section which requires username and password authorization.

You can get the complete sample application from [Github repository][4]. Feel free to expand on it or use it any way you like.