
I have a login process where the user can view his dashboard after login.

The code in controller:

$adminid = $this->am->login_admin($email, $password); 
if ($adminid) {
    $admin_data = array(
        'adminid' => $adminid,
        'email' => $email,
        'logged_in' => true,
        'loggedin_time' => time()
    );
    $this->session->set_userdata($admin_data);
    $this->session->set_flashdata('login_success', 'You are logged in');

    redirect('Admin_dashboard/dashboard/' . $adminid);
} else {
    $this->session->set_flashdata('login_failed', 'Invalid login!!');
    redirect('admin/index');
}

After successful login the user is getting redirected to the following url

localhost/project/Admin_dashboard/dashboard/1

The issue is that if the user manually changes the url to something like this-

localhost/project/Admin_dashboard/dashboard/2

he is able to access the data of user whose id is 2 without login

To solve the issue I tried using the following condition in the view

<?php if ($this->session->userdata('logged_in')): ?>
<?php endif; ?>

However, the 2nd URL is still accessible.

After login the user gets redirected to the dashboard, which also contains a few other pages such as the profile page, payment page etc. that contain data related only to him.

I want that after login he should be able to see all his pages, but not anyone else's data by changing the URL.

Sneha
  • if($this->session->userdata('logged_in') && $this->session->userdata('adminid')==$url_user_id ): – Rahul Jun 19 '17 at 07:00
  • @user7234862 can you please explain the use of url_user_id – Sneha Jun 19 '17 at 07:05
  • it should be the id of user profile. like 2 for localhost/project/Admin_dashboard/dashboard/2 this – Rahul Jun 19 '17 at 07:07
  • simply check the if condition in controller Admin_dashboard/dashboard like if($this->session->userdata('logged_in')){ dashboard_page }else{ redirect('login_url') } – balu anand Jun 19 '17 at 07:08
  • @user7234862 I used your method, but it is working only for the dashboard, i.e. after login I am getting redirected to the dashboard, but after that if I am trying to go to any other page I am still having the same issue – Sneha Jun 19 '17 at 07:12
  • This is basic. You should look at the answer, it's the same thing!! – Rahul Jun 19 '17 at 07:17
  • @user7234862 I apologize, I am still in the learning stage so I am not able to figure out things so quickly – Sneha Jun 19 '17 at 07:20
  • I always found this Q&A exceptionally helpful: https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication – Hexaholic Jun 19 '17 at 07:22

3 Answers


Check whether the user session is valid or not in the dashboard controller before loading the dashboard view, and also check the session adminid value against the URI segment value.

<?php

if (!defined('BASEPATH'))
    exit('No direct script access allowed');

class MY_Controller extends CI_Controller {

    function __construct() {
        parent::__construct();

        if (!$this->session->userdata('logged_in')) {
            redirect('Login', 'refresh');
        } else {
            // For Admin_dashboard/dashboard/2 the id is URI segment 3 (segment 2 is "dashboard")
            $uri_admin_val = $this->uri->segment(3);
            $adminid = $this->session->userdata('adminid');
            if ($adminid != $uri_admin_val) {
                // URL id does not belong to the logged-in user: send him back to his own dashboard
                redirect('Admin_dashboard/dashboard/' . $adminid);
            }
        }
    }
}

And extend this MY_Controller in the dashboard controller and the other controllers:

<?php
if (!defined('BASEPATH'))
    exit('No direct script access allowed');

class Dashboard extends MY_Controller {

    public $data;

    public function __construct() {
        parent::__construct(); // runs the session and adminid check in MY_Controller
    }
}
Reena Mori
  • Tried your method, this is working when the user is getting redirected to the dashboard after login, but if I click on any other link on the dashboard and then change the URL, the user is able to view someone else's data. Is there a way I can apply this method to all the pages? – Sneha Jun 19 '17 at 07:18
  • Make one helper function that has this code and call that function on restricted pages. – Rahul Jun 19 '17 at 07:23
  • @sneha you can develop one common controller named my_controller in the core folder and extend it in your dashboard, user and other controllers where you want to check the user restriction condition. Please check my updated code for that. – Reena Mori Jun 19 '17 at 07:52
  • And I also suggest: why would you pass admin_id in the URL? You can also get it from the session. – Reena Mori Jun 19 '17 at 07:57

Simply do one thing: instead of passing $adminid in the URL, get the adminid from the session, because you are also storing the values in the session.

Instead of

redirect('Admin_dashboard/dashboard/' . $adminid);

Use this

redirect('Admin_dashboard/dashboard');

and inside the dashboard function in the Controller use this

public function dashboard() {
    // The login code stores the keys directly (set_userdata($admin_data)),
    // so read the whole session array here; there is no nested 'admin_data' key
    $admin_data = $this->session->userdata();
    if (!isset($admin_data['adminid']) || empty($admin_data['adminid'])) {
        // Error message: login first
        redirect('admin/index');
    }

    $adminid = $admin_data['adminid'];
    // Proceed with this $adminid
}
Akshay Singhai

Simply add this code to all controllers for maintaining user restrictions throughout all URLs.

class Controller_name extends CI_Controller {
    function __construct() {
        parent::__construct();
        if (!$this->session->userdata('logged_in')) {
            // redirect to the login page
            redirect('admin/index');
        }
    }

    /**
     * Your other functions
     */
}

Let me know if you have any more doubts.
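The three answers above fix two different gaps: the second answer removes the user id from the URL entirely and takes it from the session, while the first answer handles the case where an id still appears in the URL by comparing it with the session. Below is an added example (not code from any of the answers) that combines both for CodeIgniter 3: a base controller that enforces login and exposes the session adminid, plus a dashboard controller whose dashboard and profile pages never read the user id from the URL, and whose payment page, which still takes a record id in the URL, checks that the record belongs to the logged-in user before showing it. The table names admins and payments, the admin_id column, and the view names are assumptions; the file paths in the comments are the standard CI3 locations.

```php
<?php
// application/core/MY_Controller.php  (standard CI3 location for a core override)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    // Id of the logged-in admin, taken from the session only, never from the URL.
    protected $admin_id;

    public function __construct()
    {
        parent::__construct();

        // Same session keys the question's login code sets with set_userdata().
        if ($this->session->userdata('logged_in') !== TRUE) {
            $this->session->set_flashdata('login_failed', 'Please log in first');
            redirect('admin/index');
        }
        $this->admin_id = (int) $this->session->userdata('adminid');
    }

    // For pages that still carry a record id in the URL (a payment, an invoice):
    // refuse to render anything that is not owned by the session user.
    protected function require_owner($owner_id)
    {
        if ((int) $owner_id !== $this->admin_id) {
            // Log the mismatch so repeated id-guessing shows up in the application log.
            log_message('error', 'Access denied: admin ' . $this->admin_id
                . ' requested a record owned by ' . (int) $owner_id);
            show_error('You are not allowed to view this page', 403);
        }
    }
}

// application/controllers/Admin_dashboard.php
class Admin_dashboard extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();   // runs the login check above on every page of this controller
        $this->load->database();
    }

    // URL is now /Admin_dashboard/dashboard with no id in it (as the second answer suggests).
    public function dashboard()
    {
        $data['admin'] = $this->db
            ->get_where('admins', array('id' => $this->admin_id))   // assumed table/column
            ->row();
        $this->load->view('dashboard', $data);
    }

    // /Admin_dashboard/profile: same pattern, the WHERE clause is bound to the session id,
    // so there is no id in the URL for the user to change.
    public function profile()
    {
        $data['admin'] = $this->db
            ->get_where('admins', array('id' => $this->admin_id))
            ->row();
        $this->load->view('profile', $data);
    }

    // /Admin_dashboard/payment/17: the id is a payment row, not a user, so an id in the
    // URL is legitimate here; ownership is verified before the row is displayed.
    public function payment($payment_id = NULL)
    {
        $payment = $this->db
            ->get_where('payments', array('id' => (int) $payment_id))  // assumed table
            ->row();
        if ($payment === NULL) {
            show_404();
        }
        $this->require_owner($payment->admin_id);   // assumed owner column
        $this->load->view('payment', array('payment' => $payment));
    }
}
```

With this layout the login redirect at the top of the question becomes redirect('Admin_dashboard/dashboard') with no id appended, and every controller that extends MY_Controller gets the check without repeating it, which is what the follow-up comment about "all the pages" was asking for. Note that the check has to run in the controller, not in the view as the question tried, because the controller has already queried the other user's data by the time the view is rendered.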

molagbal
balu anand