[SOLVED] Security of Admin Panel


When we build a website, most of the time we have to build an admin panel for that site. But that admin panel has to be secured from anonymous access. That is our main agenda.

 

In my websites I generally use SESSION variables to protect against anonymous access. Like, when the user id and password for the administrator are checked and if they are OK then I set one session variable (i.e. $_SESSION[signup_admin] = "ok"). And I check at the start of every page of the admin panel whether the SESSION variable is set or not (i.e. isset($_SESSION[signup_admin])). If the variable is set then I grant access.

 

Now, my question is: how secure is that process? If this is vulnerable, can anyone please suggest a secure way of accessing the admin panel? Thank you.


You could do it the way you are explaining...but this is how I would do it.

 

Put a column in the users table that is called "rank". If the rank is set to "0" they are a regular member, and if it is set to "1" they are an admin.

 

Then just check against that to see if they should have access or not.
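One way to combine the session approach from the original post with the "rank" column suggested here, as an added example that is not code from the thread. It assumes a users table with the columns id, username, password_hash and rank (0 = member, 1 = admin) and a PDO connection; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the thread): admin gate that stores only the
// user id in the session and re-reads the rank from the database on
// every admin request, so a demoted admin loses access immediately.
// Assumed schema: users(id, username, password_hash, rank), rank 1 = admin.

declare(strict_types=1);

const RANK_ADMIN = 1;

function connect(): PDO
{
    // Assumed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Called once by the login form handler. The password column holds a
// password_hash() result, so password_verify() does the comparison.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after a privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Put this at the top of every admin page instead of testing a bare flag.
function requireAdmin(PDO $pdo): void
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('You are not logged in.');
    }
    $stmt = $pdo->prepare('SELECT rank FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $rank = $stmt->fetchColumn();
    if ($rank === false || (int) $rank !== RANK_ADMIN) {
        http_response_code(403);
        exit('You are not an admin!');
    }
}

// Usage at the top of admin/setting.php:
session_start();
$pdo = connect();
requireAdmin($pdo);
// ... admin panel code follows here ...
```

The point of the database lookup is that the session only proves who the visitor is; whether that person is currently an admin is decided by the rank column at request time, not by a value that was copied into the session at login.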


You are not getting my point. If I don't use any checking, anyone can access my admin panel page by just typing the address of the admin panel. Like: suppose one of my admin panel pages is setting.php and the address of the page is www.abc.com/admin/setting.php. Now if anyone just types the address (www.abc.com/admin/setting.php), then he can access the page if I don't check by any means. So my question was: is my procedure protected enough, or is there any other, more protected procedure?


You might consider keeping your admin pages above root, and include them if the admin credentials are supplied. If you are on a linux server, using htaccess/htpassword will be sufficient. If that isn't good enough, you would have to go with an encrypted connection.
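The "keep admin pages above root and include them" suggestion, shown as an added example that is not code from the thread. The directory layout, the page names and the is_admin session key are assumptions for this example.

```php
<?php
// Added example (not from the thread): a gateway script that is the only
// admin file inside the document root. Assumed layout:
//   /var/www/site/public/admin.php       <- document root, this file
//   /var/www/site/private/admin/         <- above (outside) the document root
//       settings.php, users.php
// The web server can only serve files under public/, so the real admin
// pages can never be requested by URL; they are only reached through
// this file, after the session check.

declare(strict_types=1);

// Explicit map from page name to file. The raw request parameter is
// never used to build the path, so only these two files can be included.
const ADMIN_PAGES = [
    'settings' => 'settings.php',
    'users'    => 'users.php',
];

function adminPagePath(string $page): ?string
{
    if (!array_key_exists($page, ADMIN_PAGES)) {
        return null;
    }
    return __DIR__ . '/../private/admin/' . ADMIN_PAGES[$page];
}

session_start();

// is_admin is set only by the login script after checking credentials.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('You are not an admin!');
}

$path = adminPagePath($_GET['page'] ?? 'settings');
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Unknown admin page.');
}
require $path;
```

With this layout a direct request such as www.abc.com/private/admin/settings.php simply does not exist as far as the web server is concerned, and admin.php?page=settings is the only route, which makes the single check in admin.php the one place that has to be right.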


No, that is not secure at all.

 

In this file:

www.abc.com/admin/setting.php

 

You need to CHECK if they are an admin on that page.

 

<?php
// The session must be started before $_SESSION is readable on this page.
session_start();

if (isset($_SESSION['signup_admin'])) {
   // display the admin panel code here

} else {
   echo "You are not an admin!";
   exit; // stop here so nothing below this check is executed
}

?>

 

 

Thank you for some preliminary ideas. Can you please elaborate with some example, online resource or some code? As far as I know, htaccess is used for stopping someone from entering a folder on my site. Can you tell me how to use it for admin access? And what do you mean by keeping admin pages above root?


You can use all the session stuff as normal and do it like the bank does.

 

username.

password.

fav color.

form captcha.

 

Use MD5/SHA with a salt.

 

I think the problem is that the session variables that are set on someone's PC can be found. They are saved in this format: variable name:encrypted value. So, here, as the session variable names are not encrypted, anyone can set a variable after learning its name while he is not authorized, and can access the admin panel. How to solve this problem?

 

Any new idea except using SESSION variables? Like cookies, or is SESSION one kind of cookie?


The way I understand it, the session variables are only stored on the server.  The only thing saved in the cookie on the user's browser is PHPSESSID=long string of letters and numbers.  That cookie is matched up with the session file on the server along with any variables you have set for that person.  So the user doesn't know what session variables you have set for them by examining the cookie.
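What this reply describes in code, as an added example that is not from the thread: the browser only ever holds the session id cookie, and everything stored in $_SESSION lives in the server-side session file. The helper functions below, the cookie settings and the session keys are assumptions for this example.

```php
<?php
// Added example (not from the thread): session handling for a login flow.
// Nothing placed in $_SESSION is sent to the browser; only the PHPSESSID
// cookie is. The settings below are an assumption about a sensible default.

declare(strict_types=1);

function startSecureSession(): void
{
    // The id cookie is sent only over HTTPS, is invisible to JavaScript
    // and is not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,          // expires when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_start();
}

// Called after the username/password check succeeded.
function markLoggedIn(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true); // new id on privilege change; old file deleted
    $_SESSION['user_id']    = $userId;
    $_SESSION['is_admin']   = $isAdmin;
    $_SESSION['login_time'] = time();
}

function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Clears the server-side data and expires the id cookie on the client.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

startSecureSession();
```

Because the value of is_admin never leaves the server, a visitor cannot set it by editing a cookie; the only thing they could present is a session id, and use_strict_mode makes the server ignore ids it did not generate itself.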
