Jorg Ancrath

Reputation: 1447

Codeigniter - stop direct access to a page

I'm building a password reset page. On the finishing step of this action the user inputs his password and confirms it by inputting the password again. The two inputs are compared: if they are equal the password is changed; if not, the user is directed to a page with a "no success" message.

Here is my logic:

On the password reset page:

echo form_open("login/password_reseter");

My controller:

function password_reseter() {
    $password1 = $this->input->post('password');
    $password2 = $this->input->post('password2');
    // Only check performed: the two submitted passwords must be equal
    if ($password1 == $password2) {
        $data["proof"] = 1;
        $reg_code = $this->input->post('rec_code');
        $this->load->model("membership_model");
        $this->membership_model->password_reseter($reg_code, $password2);
    }
    else {
        $data["proof"] = 0;
    }

    $data["main_content"] = "reset_password_result";
    $this->load->view("includes/template", $data);
}

And the view:

<?php
if ($proof == 1) {
    ?>
    <div id="loginform">
        Your password has been changed, you may now login.
    </div>
    <?php
} else {
    ?>
    <div id="loginform">
        Your passwords don't match! <a href="javascript:history.back()">Go back.</a>
    </div>
    <?php
}
?>

I have a big security issue though: if this page is accessed directly by URL, all the accounts in my database get their password reset. I'd like to stop direct access to this password_reseter page.

Upvotes: 0

Views: 1989

Answers (5)

jerinisready

Reputation: 994

Better to use CI's inbuilt features to do password verification.

$autoload['libraries'] = array('database','email','form_validation');

$autoload['drivers'] = array('session');

CI_CONTROLLER

function save_password_change(){
    // 'required' rejects an empty/missing field, 'matches' enforces the confirmation
    $this->form_validation->set_rules('password','password','trim|required|min_length[4]|xss_clean');
    $this->form_validation->set_rules('password_confirm','Password Confirmation','trim|required|matches[password]');
    if($this->form_validation->run() === FALSE){
        echo " Password Change Unsuccessful";
    }
    else{
        $this->load->model('model_password_mgr');
        $return_value = $this->model_password_mgr->save_password();
        if(!$return_value)
            echo " Password Change Unsuccessful ";
        else {
            // redirect() sends a Location header, so nothing should be echoed before it
            redirect("home");
        }
    }
}

CI_MODEL

function save_password(){
    // The WHERE is bound to the logged-in user's session, never to a POST value
    $this->db->where('email', $_SESSION['email'] );
    // NOTE: store a hash (e.g. password_hash()) rather than the raw password
    $arr = array( 'password' => $this->input->post('password'));
    $data = $this->db->update('users', $arr);
    if(!$data)
        return false;
    else
        return true;
}

Upvotes: 0

user5934947

Reputation:

// requires the url helper: $this->load->helper('url');
if (empty($_SERVER['HTTP_REFERER']))
{
    redirect('error');
}

Upvotes: 0

Neeraj

Reputation: 158

You should set some session variables when user finishes previous steps. Then check on password_reseter *if those session variables are set* if not redirect them to your desired location.

Upvotes: 1

Laurence

Reputation: 60048

Your code fails because all you do is compare password 1 to password 2.

If a user accesses the password_reseter function directly, then password1 is null, and password2 is null, so it passes your 'test'.

Furthermore, you then check for "$this->input->post('rec_code')", which will also be null.

I am betting that inside your model code, because "$this->input->post('rec_code')" is null (or false), your WHERE condition is getting ALL the users, and thus resetting all your passwords.

There are so many security issues here I'm not even going to fix your one problem above, but will outline how to fix the issue.

I will say this - no offense - but you should not be writing an authentication library. There are so many prepared GOOD STRONG SECURITY focused libraries for codeigniter that you should just use one of them.

I recommend ion_auth, but tank_auth and community_auth are also quite good.

Upvotes: 3
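The following is an added example (not code from the question or from any of the answers) that puts together the session gate Neeraj describes and the failure Laurence explains: a direct request arrives with both passwords null, null == null passes, and an empty reset code reaches the WHERE clause. The controller only sets the session flag once an emailed reset code has been verified, the reset step refuses to run without that flag, `required` plus `matches` replaces the bare `==`, and the model refuses to issue an UPDATE with an empty WHERE value and checks that exactly one row changed. The `users` table with `email`, `password` and `reset_code` columns, the `reset` entry step, the view names and the use of `password_hash()` (PHP 5.5+) are all assumptions; in a real CodeIgniter app the two classes live in their own files.

```php
<?php
// Added example, not the question's or answers' code. Assumes CodeIgniter 2/3 with the
// session library, form_validation, url helper and database library loaded, and a
// 'users' table with 'email', 'password' and 'reset_code' columns (assumed schema).

class Login extends CI_Controller {

    // Assumed earlier step: the user follows the emailed link /login/reset/<code>.
    // This is the ONLY place the session flag is set, so it proves the code was seen.
    public function reset($code = '') {
        $this->load->model('membership_model');
        if ($code === '' || !$this->membership_model->reset_code_exists($code)) {
            show_404();
            return;
        }
        $this->session->set_userdata('reset_code', $code);
        $this->load->view('reset_password_form');
    }

    public function password_reseter() {
        // Gate: a direct GET or POST without the flag from reset() is sent away.
        $reg_code = $this->session->userdata('reset_code');
        if (empty($reg_code)) {
            redirect('login');
            return;
        }

        // 'required' rejects missing/empty fields, so NULL == NULL can no longer pass;
        // 'matches' does the confirmation compare.
        $this->form_validation->set_rules('password', 'Password', 'required|min_length[8]');
        $this->form_validation->set_rules('password2', 'Password confirmation', 'required|matches[password]');

        if ($this->form_validation->run() === FALSE) {
            $data['proof'] = 0;
        } else {
            $this->load->model('membership_model');
            $ok = $this->membership_model->password_reseter($reg_code, $this->input->post('password'));
            $data['proof'] = $ok ? 1 : 0;
            // One attempt per code: clear the flag so the step cannot be replayed.
            $this->session->unset_userdata('reset_code');
        }

        $data['main_content'] = 'reset_password_result';
        $this->load->view('includes/template', $data);
    }
}

class Membership_model extends CI_Model {

    // TRUE only when exactly one account carries this (unused) reset code.
    public function reset_code_exists($code) {
        $this->db->where('reset_code', $code);
        return $this->db->count_all_results('users') === 1;
    }

    // Returns TRUE when exactly one row was updated; never runs with an empty code,
    // which is what turned the original UPDATE into an update of every user.
    public function password_reseter($code, $password) {
        if ($code === NULL || $code === '') {
            return FALSE;
        }
        $this->db->where('reset_code', $code);
        $this->db->update('users', array(
            'password'   => password_hash($password, PASSWORD_DEFAULT),
            'reset_code' => NULL,   // burn the code so the link is single-use
        ));
        return $this->db->affected_rows() === 1;
    }
}
```

The important property is that the WHERE value comes from the server-side session, which was populated only after the code was looked up, not from a POST field the client can leave empty. Checking `affected_rows() === 1` is the cheap last line of defence: if a bug ever lets an empty or duplicated code through, the reset reports failure instead of silently rewriting every account.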

Excalibur

Reputation: 467

Using htaccess to block the file would be one solution:

<files login/password_reseter.php>
order allow,deny
deny from all
</files>

Upvotes: -1
