
spartacus

security


I have a web site that was created in PHP using Dreamweaver. Now I have it set up as a forum where people can log in, and I also have it set up with an admin page that is hidden from all other users. Now I'm just trying to make sure that there is no way of someone typing in the URL, like /admin/, to just get there even if they have no permission. If so, can you tell me how someone would do that so I can figure out how to block that, so my site will be secure?
Thanks much

Er... you programmed an entire forum and you don't know the answer to this? Or am I reading that wrong...

There is no way you can prevent the user from typing in blah.com/forum/admin/ or whatever.

You would have a login screen, just like a normal login for logging into your forum.

Or you could check the IP address, and if it doesn't match your IP then don't allow access.

How exactly are you [i]logging in[/i] users? Using sessions? If your login system is built correctly it shouldn't matter if a user guesses the address of the admin area, they will simply be denied access and redirected back to the main site.

If you have coded a forum then surely you have set up some form of permissions? Such as: if a user has a permission value of 1 they are an admin, if they have a permission value of 2 they are a mod, and if they don't have a permission value of 1 or 2 they are a normal user.

Does your forum use sessions? If it does, do you store the user's permission in the session? If you do, then you can simply place the following in all your admin pages:
[code]<?php
// Resume the session that was created when the user logged in.
session_start();

// If the user's permission level is not equal to 1, they are not authorised, so kill the script.
if (!isset($_SESSION['permission']) || $_SESSION['permission'] != '1') {
    die("YOU DONT HAVE ACCESS HERE! ONLY AUTHORISED USERS ALLOWED IN THIS AREA!");
}

// rest of admin code[/code]
That's the most basic way of checking the user has the correct permission.
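As an added example (not code from this thread), here is a fuller version of the same idea in PHP: the login script stores the permission level in the session only after the password check passes, and a guard file included at the top of every script under /admin/ rejects any request whose session does not carry the admin level. The file names, the users table columns (id, password_hash, permission) and the numeric levels are assumptions.

```php
<?php
// admin_guard.php (hypothetical file name): require_once this at the top of
// every script under /admin/. The check runs server-side on every request, so
// typing the URL directly gets the same denial as following a hidden link.
declare(strict_types=1);

const PERMISSION_ADMIN = 1; // matches the "1 = admin" convention in the post

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The permission is read only from $_SESSION, which lives on the server;
    // never trust a cookie, hidden form field or query parameter for this.
    $permission = (int) ($_SESSION['permission'] ?? 0);
    if ($permission !== PERMISSION_ADMIN) {
        // Send non-admins back to the public site instead of describing
        // what the admin area contains.
        header('Location: /index.php', true, 303);
        exit;
    }
}

// login.php (hypothetical): called after the user row has been fetched from
// the users table by username. $row is assumed to hold 'id', 'password_hash'
// (produced by password_hash()) and 'permission'.
function log_in_user(array $row, string $submitted_password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!password_verify($submitted_password, $row['password_hash'])) {
        return false;
    }
    // Rotate the session id so an id issued before login cannot be reused
    // (session fixation), then record who is logged in and their level.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['permission'] = (int) $row['permission'];
    return true;
}

require_admin();
```

The guard should be the first thing each admin script includes, before any output or database work, so nothing is sent to a user who fails the check.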

Of course adding a username+pass using a htaccess can make it even more secure.

Orio.

[quote name='Orio' date='Jun 7 2006, 12:56 PM' post='380953']
Of course adding a username+pass using a htaccess can make it even more secure.

Orio.
[/quote]

htaccess is very insecure. It sends the username and password in plaintext. You should use a customised login system, ideally over https, for your admin section.
