Jump to content

Recommended Posts

Ok.. I have made an admin section for a couple of sites, and it works fine, alough i'm almost certain that the way i have done it is not the "proper way".

 

What I have done is had a form with a password field that sends the password via POST to another script that checks the password is correct via variable, something like this:

<?php

  $pass = $_POST["pass"];
  $correct = "imapassword";

  if($pass == $correct){
    
  //display contents of page

  else{
  //return user to login screen
  }
?>

 

And then it saves the password into a cookie, that dies either over time or when the browser closes. And then on each page it tests wether that cookie is still there and is correct. When the user wants to log out it just destroys the cookie.

 

This seems like a really hashed up way of doing it, could anybody let me know the bare essentials for making a similar system, but the "right way". Thankyou in advance

Link to comment
https://forums.phpfreaks.com/topic/234272-admin-login-the-correct-way/
Share on other sites

Yep that's a bad way to do it.  A better way is to check the password and store a variable in $_SESSION, such as $_SESSION['admin_login'] = true.  An even better way is to compare against a salted md5 hash as Muddy is suggesting, and THEN set $_SESSION['admin_login'] = true.  Storing the password in a cookie leaves too many opportunities for the password to be observed by someone else.

 

Make sure you empty the session on logout and set $_SESSION['admin_login'] false when appropriate (such as when another user logs in).

I would never think about storing a password value in plain text (not in the code, and certainly not on an EU's computer).  Look into encypting and the use of SALT for password info.

Yep that's a bad way to do it.  A better way is to check the password and store a variable in $_SESSION, such as $_SESSION['admin_login'] = true.  An even better way is to compare against a salted md5 hash as Muddy is suggesting, and THEN set $_SESSION['admin_login'] = true.  Storing the password in a cookie leaves too many opportunities for the password to be observed by someone else.

 

Make sure you empty the session on logout and set $_SESSION['admin_login'] false when appropriate (such as when another user logs in).

 

+1. Take a look at this article and give the dynamic salt a try.

Awesome thanks guys, and thanks for that artical explaining salt coz' i didn't know what it was. Seems like the best solution to me! But still I dont really see the problem with testing the password in the first place in my script like:

 

if($password == "imapasswordlol")

 

Coz if the person whos hacking has managed to get to your scripts then your screwed anyway.

Not really - your script is stored and run on the server before it is sent to the EU.  Thus, getting access to the code on the page is pretty hard to do.  however, if you start sending information too and from the server in a plain text format - then life gets easier for whom ever it is that would want to screw you over in the first place (its 99% kids with too much time and too little respect).

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.