What is proper way to secure CodeIgniter 2 application with authentication?


To protect an entire controller, you can put the auth check into the __construct() call as eric.itzhak mentioned.

To protect an entire application, you can extend the CI_Controller class, put the auth in the constructor of that file, and then finally extend by MY_Controller instead of CI_Controller in each of your controllers.

Code examples:

    /* File: application/core/MY_Controller.php */
    class MY_Controller extends CI_Controller
    {
        function __construct()
        {
            parent::__construct();

            // Runs on every request to any controller that extends MY_Controller
            if ( ! $this->ion_auth->logged_in())
            {
                redirect('auth/login');
            }
        }
    }

And then, in each controller (note MY_Controller, not CI_Controller):

    class Controller_name extends MY_Controller
    {
        function __construct()
        {
            parent::__construct();
        }

        // rest of controller methods
    }

These code examples assume you're autoloading (you might as well) the Ion Auth library. If not, load the library in the MY_Controller file as necessary.

There are two advantages to this method:

  1. You only have to change the CI_Controller to MY_Controller in each controller you want to protect.
  2. You don't have to protect everything, which is helpful if you need to have an unprotected controller, i.e. the controller containing the auth methods (you won't be able to log in if your auth controller requires you to be logged in :P -- there will be a redirect loop).
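
An added example, not part of the answer above and not CodeIgniter or Ion Auth code: because this pattern leaves any controller that still extends CI_Controller unprotected, a small Python audit script can flag those files, along with constructors that skip `parent::__construct()` and therefore skip the login check. It assumes the login controller class is named `Auth` (taken from `redirect('auth/login')`), the PHP sources in `SAMPLES` are constructed for illustration, and the regex matching is a heuristic rather than a PHP parser.

```python
import re
from pathlib import Path

CLASS_RE = re.compile(r'\bclass\s+(\w+)\s+extends\s+(\w+)', re.IGNORECASE)
CTOR_RE = re.compile(r'function\s+__construct\s*\(', re.IGNORECASE)
PARENT_CTOR_RE = re.compile(r'parent\s*::\s*__construct\s*\(', re.IGNORECASE)

def audit_source(name, source, public=("auth",)):
    """Return findings for one controller file; `public` lists the
    lower-cased class names that are meant to stay unauthenticated."""
    m = CLASS_RE.search(source)
    if not m:
        return [f"{name}: no 'class X extends Y' declaration found"]
    cls, base = m.group(1), m.group(2).lower()
    is_public = cls.lower() in public
    findings = []
    if base == "ci_controller" and not is_public:
        findings.append(f"{name}: {cls} extends CI_Controller, login check never runs")
    if base == "my_controller" and is_public:
        findings.append(f"{name}: {cls} extends MY_Controller, login page redirects to itself")
    # A child constructor that omits the parent call skips MY_Controller's check.
    if CTOR_RE.search(source) and not PARENT_CTOR_RE.search(source):
        findings.append(f"{name}: __construct() does not call parent::__construct()")
    return findings

def audit_tree(controllers_dir, public=("auth",)):
    """Audit every .php file under e.g. application/controllers."""
    findings = []
    for path in sorted(Path(controllers_dir).rglob("*.php")):
        findings += audit_source(path.name, path.read_text(errors="replace"), public)
    return findings

# Constructed sample controllers (not from the original page).
SAMPLES = {
    "auth.php": "class Auth extends CI_Controller {\n"
                "  function __construct() { parent::__construct(); }\n}",
    "reports.php": "class Reports extends MY_Controller {\n"
                   "  function __construct() { parent::__construct(); }\n}",
    "export.php": "class Export extends CI_Controller {\n  function index() {}\n}",
    "admin.php": "class Admin extends MY_Controller {\n"
                 "  function __construct() { $this->x = 1; }\n}",
}

if __name__ == "__main__":
    for fname, src in SAMPLES.items():
        for finding in audit_source(fname, src):
            print(finding)
```

Run it against the real tree with `audit_tree("application/controllers")` and review each finding by hand, since intentionally public controllers need to be added to `public`.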


Constructor is the way to go. Something else to think about -- it's going to be more flexible if you call your own method instead of Ion Auth directly. Typically, part of the logged-in process is getting unique values that are shown in the view, or an id used to keep track of the session, etc. Example: show the user name on the page.

So push the Ion Auth logged-in check to a model, and add a method for getting the user info or whatever you need. For each method, return false if it doesn't work, and then in your constructor check if it was returned:

    function __construct()
    {
        parent::__construct();

        // load the model
        $this->load->model( 'customer_model' );

        // if logged in, return $this->customer, available to all methods in class
        if ( ! $this->customer = $this->customer_model->verifyLogin() )
        {
            redirect('auth/login', 'refresh');
        }
    }

    public function index()
    {
        // pass customer to data
        $data['customer'] = $this->customer;
        // $customer->name will now be available in view
    }


I think the right logic would be to check the user status inside the __construct method, as it will be done each time the controller is used. It won't protect the entire CI application, just the methods in this controller, but I think this will do for your case.

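Try this:

    public function __construct()
    {
        // Required: CI_Controller's constructor makes loaded libraries
        // such as $this->ion_auth available on the controller
        parent::__construct();

        if ( ! $this->ion_auth->logged_in())
        {
            redirect('auth/login', 'refresh');
        }
    }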