So, I have this website I maintain. It has a public-facing side and a maintenance side. I wrote the whole thing – but the maintenance side is a hodgepodge mixture of things and every time I have to change something I have to spend way too long trying to remember how I had things set up to begin with.
So, I decided it was time for a re-write. But I really didn’t want to do everything from scratch so I decided I would try a framework and see where that goes. I settled on CodeIgniter (CI). Just because.
Took some time to read through the documentation. It seems simple enough. Has its own twist on loading controllers, models and views. I should back up and say I’ve been using the Zend framework (at work) for a few years now and I’m used to using the Zend autoloader so CI is a bit different.
Now, my application has a secure login. The user’s password is stored SHA-256 encrypted with a random salt value in the user table in the database. When the user logs in, the login time and the session ID are stored in the user table. The user record number is stored in the session. On every page, the session information is verified against what is in the database and the time in the database record is checked against a timeout value. If everything passes, the timeout value in the database is updated. If anything fails, the user is sent back to the login screen. Probably overkill but it is secure and times out the user after 15 minutes of inactivity.
So, first thing I did with CI was a Google search for an example of a login screen and the associated processing. All the examples I found were pretty basic – and one didn’t even have the password stored encrypted! The others all used MD5 encryption.
OK, no big deal. I’ve already written all the functions to handle the password and the session – but it was disappointing to see the examples that were in use.
One thing I did notice was that all the examples had the “user” controller as the default controller. I’m just getting into CI but it seems to me that some other controller would be better as the default and then have the login status checked at the constructor with a redirect to a login controller if need be. I’ll see where that goes as I get further into it all.
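The per-request session check and the constructor-level login check described above, as an added example in plain PHP with PDO (not the author's code and not CodeIgniter API). The table, column and function names are assumptions; a base controller constructor would call `check_session()` and redirect to the login controller when it returns false.

```php
<?php
// Added example. The users table layout and check_session() are assumptions.
const IDLE_TIMEOUT = 900; // 15 minutes of inactivity, as in the post

/**
 * True if the session's user record number and session ID match the user row
 * and the row has not idled out; on success the activity time is refreshed.
 */
function check_session(PDO $db, ?int $userId, string $sessionId, int $now): bool
{
    if ($userId === null) {
        return false; // no user record number in the session: not logged in
    }
    $stmt = $db->prepare('SELECT session_id, last_active FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = $row !== false
        && $row['session_id'] !== null
        // Constant-time comparison of the stored and presented session IDs.
        && hash_equals((string) $row['session_id'], $sessionId)
        && ($now - (int) $row['last_active']) <= IDLE_TIMEOUT;

    if ($ok) {
        // Sliding window: each verified request restarts the 15-minute clock.
        $db->prepare('UPDATE users SET last_active = ? WHERE id = ?')
           ->execute([$now, $userId]);
    }
    return $ok; // false: the caller sends the user back to the login screen
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_id TEXT, last_active INTEGER)');
$t0 = 1700000000; // constructed login time
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')->execute(['sess-abc', $t0]);

var_dump(check_session($db, 1, 'sess-abc', $t0 + 600));     // active request inside the window
var_dump(check_session($db, 1, 'sess-xyz', $t0 + 700));     // session ID does not match the row
var_dump(check_session($db, 1, 'sess-abc', $t0 + 600 + 901)); // idle longer than the timeout
var_dump(check_session($db, null, 'sess-abc', $t0 + 700));  // nothing stored in the session
```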