Advice on admin page setup please

[geroid]

I'm working on a website that will have user pages but will also have admin pages. I'm wondering how to set up the admin pages. I'm thinking about security here and I figure I have two choices:

 

1. Put admin pages on the hosting server and allow login by admin just like any other user

 

2. Allow the admin to login off the server (at home) and make changes then upload changes to the hosting server.

 

What is the normal way this is done. I'm concerned about the security of having admin login directly on the server in case it is hacked. I am also concerned about the extra work for admin if login is off the server and they have to upload changes all the time. Can you advice me on this. It's just that the admin part of the site is so sensitive that I would'nt like the possibility of some unauthorised person getting access to it.

[JD*]

What are the admins going to be doing? Are they physically changing the code of the pages, or are they using as a CMS?

 

If they're doing as a CMS, you can set up your security so that every "page" (I use functions) checks to see if they are logged in and if they have access to that area before allowing them in. I use this method and it works very well, it's all based on sessions.

[geroid]

Not sure what a CMS stands for. The typical admin tasks will be to retrieve records, change records, add site content, email users or groups of users etc. What about the admin password. What security can I attach to this?

[JD*]

Not sure what a CMS stands for. The typical admin tasks will be to retrieve records, change records, add site content, email users or groups of users etc. What about the admin password. What security can I attach to this?

 

Content Management System, which is what it looks like you're doing.

 

The way I usually do this is I have a database table that has the username, password (encrypted with md5 usually, although that's not 100% secure) and then a column for each function a person can perform. I can then assign a numerical value to each user for each function (0=no access, 1=normal, 2=admin, or whatever kind you'd like to use).

 

So my main index page looks like this:

 

include("functions.php");
if(isset($_POST['Submit']))
{
    //Handle forms here
} elseif(isset($_GET['action'])) {
    verify_access($_GET['action'])
    $_GET['action']();
} else {
    display_login();
}

 

And then in my function file, I have some of the following:

 

function verify_access($access_type, $return_type = NULL)
{
	$result = mysql_query("SELECT * FROM permissions WHERE ID = '".$_SESSION['id']."'") or die (mysql_error());
	if($return_type == NULL)
	{
		if(mysql_result($result, 0, $access_type) == 0) { $_SESSION['error'] = "no_access"; redirect("?action=home"); }
	} else {
		return mysql_result($result, 0, $access_type);			
	}
}

 

You can then go ahead and program each part of your admin area and give each user specific access, even using the verify_access function with a return value to determine what a user can see inside of a functions (maybe level 1 access for part, level 2 for more, etc).

[geroid]

Thanks for that reply JD*. I'll work on that and hopefully when I get started you can give me some more advice

 

Cheers