
Let's say I have the URL http://localhost/home and this is the standard URL of a page.

When a user logs in they are redirected to http://localhost/admin/home.

This URL without any routing is actually more like http://localhost/admin/panel/index/home.

Where admin is a folder, panel a controller, index a function and home an extension to give the view.

Can I theoretically check if a user is logged in depending on whether rsegment(2) is equal to 'admin'? Or can a user fake the URL somehow to break the system?

NB: The panel controller (inside the admin folder) has in its index function an actual login check. I was curious as to whether a user would be able to trick the system into not running the index function, or is that secure?

Jai
  • So you're relying on security via obscurity? – Brian Driscoll Feb 08 '12 at 19:07
  • Why is this a question? Never ever rely on URL structure for authentication. Period! – Stewie Feb 08 '12 at 19:08
  • Ah the good olde security by obscurity solution – Flukey Feb 08 '12 at 19:08
  • You should name it `/please/dont/hack/me` :3 – KingCrunch Feb 08 '12 at 19:18
  • @Jai - so if I have understood this correctly: on your site, if I go here http://yoursite.com/admin/panel/index/home, and I'm not logged in, I will be able to access the admin area? Always validate if the user is authenticated and has permission to view the requested resource. Always. – Flukey Feb 08 '12 at 19:18
  • Sorry, forgot to add that the first function (i.e. index function) to run in the panel controller will be to check that the user is logged in. I was wondering if the user would be able to somehow bypass the index function in the panel controller? – Jai Feb 08 '12 at 20:08

4 Answers

No, you cannot rely on the URI to check if a user is logged in. You have to use an authentication library like TankAuth or IonAuth.

Also if you need more options you can visit How should I choose an authentication library for CodeIgniter?.

Vamsi Krishna B

I advise you to read Phil Sturgeon's post on CI Base Classes. Class inheritance is key for maintaining who can access your controllers and who cannot. The URL contains no checks itself, but you know it calls a controller. The basic premise is:

If you create a controller called MY_Admin_Controller and all of your administrative controllers inherit from it, and you perform the administrative check in MY_Admin_Controller, then you keep your system DRY (Don't Repeat Yourself) because you don't have to check whether or not that user should have access in every single controller. Only once, and the controllers will inherit that check.

Jordan Arseno

or can a user fake the URL somehow to break the system?

Sure, the URL is the easiest part that can be sent to a server; you only need a browser with an address bar, which, now as I write it, every browser has ;)

hakre

Whaaa?

Your route will point to a controller; if that controller is not secure then it's open to public access.

Philip