Authentication System

CodeIgniter | Dec 22, 2025

Authentication System in CodeIgniter (CodeIgniter 4)

An authentication system verifies a user's identity and controls access to protected areas of your application. In CodeIgniter 4, authentication is typically built using sessions, models, validation, and filters.


1. Core Components of Authentication

An authentication system usually includes:

  • User registration

  • Login

  • Logout

  • Session handling

  • Password hashing

  • Route protection (filters)


2. Database Structure (Users Table)

Migration Example

$this->forge->addField([
    'id' => [
        'type'           => 'INT',
        'auto_increment' => true,
        'unsigned'       => true,
    ],
    'username' => [
        'type'       => 'VARCHAR',
        'constraint' => 100,
    ],
    'email' => [
        'type'       => 'VARCHAR',
        'constraint' => 150,
    ],
    'password' => [
        'type'       => 'VARCHAR',
        'constraint' => 255,
    ],
    'created_at DATETIME DEFAULT CURRENT_TIMESTAMP',
]);
$this->forge->addKey('id', true);
$this->forge->createTable('users');

3. User Model

app/Models/UserModel.php
<?php

namespace App\Models;

use CodeIgniter\Model;

class UserModel extends Model
{
    protected $table = 'users';

    // Only these columns can be mass-assigned through save()/insert()/update()
    protected $allowedFields = ['username', 'email', 'password'];
}

4. Registration (Signup)

Controller

public function register()
{
    return view('auth/register');
}

public function save()
{
    $rules = [
        // username is a required column (VARCHAR 100), so validate it too
        'username' => 'required|max_length[100]',
        'email'    => 'required|valid_email|is_unique[users.email]',
        'password' => 'required|min_length[6]',
    ];

    if (! $this->validate($rules)) {
        return redirect()->back()->withInput();
    }

    $model = new UserModel();
    $model->save([
        'username' => $this->request->getPost('username'),
        'email'    => $this->request->getPost('email'),
        // Store only the hash, never the submitted password
        'password' => password_hash(
            $this->request->getPost('password'),
            PASSWORD_DEFAULT
        ),
    ]);

    return redirect()->to('/login');
}

✔ Uses password_hash() for security


5. Login

Controller

public function login()
{
    return view('auth/login');
}

public function authenticate()
{
    $model = new UserModel();
    $user  = $model->where(
        'email',
        $this->request->getPost('email')
    )->first();

    // Return the same message for an unknown email and a wrong password,
    // so the response does not reveal which accounts exist.
    if (! $user || ! password_verify(
        (string) $this->request->getPost('password'),
        $user['password']
    )) {
        return redirect()->back()->with('error', 'Invalid credentials');
    }

    // Issue a new session ID on login to prevent session fixation.
    session()->regenerate(true);

    session()->set([
        'user_id'   => $user['id'],
        'logged_in' => true,
    ]);

    return redirect()->to('/dashboard');
}

6. Logout

public function logout()
{
    session()->destroy();

    return redirect()->to('/login');
}

7. Protecting Routes with Filters

Create Auth Filter

php spark make:filter Auth

public function before($request, $arguments = null)
{
    if (! session()->get('logged_in')) {
        return redirect()->to('/login');
    }
}

Apply Filter

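// The 'auth' alias must be mapped to the filter class in $aliases
// in app/Config/Filters.php before it can be used here.
$routes->group('dashboard', ['filter' => 'auth'], function ($routes) {
    $routes->get('/', 'Dashboard::index');
});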

8. Flash Messages (Login Errors)

session()->setFlashdata('error', 'Invalid credentials');

View:

<?= esc(session()->getFlashdata('error')) ?>

9. Remember Me (Optional – Cookie)

  • Store token in DB

  • Save encrypted token in cookie

  • Validate on next visit

⚠️ Never store passwords in cookies.


10. Best Practices

✅ Always hash passwords
✅ Use session-based authentication
✅ Protect routes with filters
✅ Use CSRF protection
❌ Never store plain-text passwords


11. Built-in Authentication Option

For production apps, consider:

  • CodeIgniter Shield (Official auth package)

  • OAuth (Google, GitHub, etc.)


Summary

  • Authentication = login + session + filters

  • CodeIgniter provides all required tools

  • Can be custom-built or use Shield

  • Essential for secure applications

