
Checking if a user's logged in

What is the most secure way of checking if a user is logged in? I am using PHP's framework, CodeIgniter.

<?php
$loggedIn = $this->session->userdata('is_logged_in'); // returns 1
if ($loggedIn == true): ?>
    // do something
<?php endif; ?>

Does it matter if this code is in the controller or in a view?

bghouse asked Oct 22 '22 09:10


2 Answers

Well, the view is for the presentation logic, and in this case you should keep the code in the controller. But if it relates to the view, for example, if you have a navigation and you show a different menu for a logged-in user, then you can use this in your controller

$loggedIn = $this->session->userdata('is_logged_in');
// ....
$data['loggedIn'] = $loggedIn;
$this->load->view('viewname', $data);

and pass the variable to the view from the controller and then in the view you can check

<?php if($loggedIn ): ?>
    // Show menu for logged in user
<?php else: ?>
    // Show a different menu
<?php endif; ?>

Keep only some loops like foreach to build a menu or populate a dropdown, etc., and if statements (when needed) in the view.

The Alpha answered Oct 27 '22 07:10


When you __construct the controller, you could find if they are logged in or not from the get-go. If they aren't, send them to the login screen:

function __construct() {
    parent::__construct();
    if (!$this->session->userdata('logged_in')) {
        redirect('YourLoginController');
    }
}

This should definitely be in the controller.

You could also create a base controller to extend your regular CI_Controller; look up the MY_Controller concept in the docs. In there, you could add a method that checks for authentication and redirects if not, and then call it in your controller methods that require authentication:

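class MY_Controller extends CI_Controller {
    public $data = array();

    function __construct() {
        parent::__construct();
        // Keep the flag on $this->data so authenticated() and the views can read it
        $this->data['logged_in'] = $this->session->userdata('logged_in');
    }

    // Redirects to the login controller when no user is logged in
    function authenticated() {
        if (!$this->data['logged_in']) {
            redirect('YourLoginController');
        }
    }
}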

And then in YOUR controller:

class Some_Controller extends MY_Controller {
    function __construct() {
        parent::__construct();
    }

    // If a method requires authentication
    function someMethod() {
        $this->authenticated(); //This does nothing if logged in
                                //It redirects to login if not logged in
        //Your stuff.
    }

    //If a method DOESN'T require login, your $this->data to 
    //pass to the view has already been started from MY_Controller
    //so append the display content you need to that array and 
    //then pass it to the view
    function someOtherMethod() {
        $this->data['somecontent'] = "I'm content";
        $this->load->view('someView',$this->data);
    }
}

Using a concept created from the someOtherMethod() you could then utilize the variable $logged_in in your view to change the content based on a user's authentication status.

SomeShinyObject answered Oct 27 '22 08:10
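
An added example, not part of either answer and not CodeIgniter's own code: a deny-by-default variant of the base controller from the second answer, where the constructor enforces the login check for every method and a controller has to opt individual methods out. It assumes CodeIgniter 3 and reuses the logged_in session key and YourLoginController from that answer; $public_methods and memberView are hypothetical names.

```php
<?php
// application/core/MY_Controller.php (added example, assumes CodeIgniter 3)
class MY_Controller extends CI_Controller {
    public $data = array();

    // Hypothetical property: methods open to anonymous visitors.
    // Empty by default, so every method needs a login unless listed.
    protected $public_methods = array();

    function __construct() {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url'); // provides redirect()

        $this->data['logged_in'] = (bool) $this->session->userdata('logged_in');

        // Method the router is about to dispatch to
        $method = $this->router->method;

        // Strict match: a differently-cased name is not on the list, so it fails closed
        $is_public = in_array($method, $this->public_methods, TRUE);
        if (!$this->data['logged_in'] && !$is_public) {
            // redirect() sends the Location header and exits, so the
            // requested method never runs for an anonymous request.
            redirect('YourLoginController');
        }
    }
}

// application/controllers/Some_controller.php
class Some_Controller extends MY_Controller {
    // Only this method is reachable without a login
    protected $public_methods = array('someOtherMethod');

    function someMethod() {
        // Runs only for logged-in users; no per-method call to forget
        $this->load->view('memberView', $this->data);
    }

    function someOtherMethod() {
        $this->data['somecontent'] = "I'm content";
        $this->load->view('someView', $this->data);
    }
}
```

The login controller itself has to extend CI_Controller directly or list its methods in $public_methods, otherwise anonymous requests redirect in a loop.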