Jump to content

Recommended Posts

When we build a website, most of the time we have to build an admin panel for that site. But that admin panel must have to be secured from annonymous access. That is our main agenda.

 

in my websites I generally use SESSION variables to protect annonymous access. Like, when user id and password for administrator is checked and if it is ok then I set one session variables (ie: $_SESSION[signup_admin] = "ok"). And I check at the starting of every page of admin panel whether the SESSION variable is set or not (ie. isset($_SESSION[signup_admin])). If the variable is set then I grant access.

 

Now, My question is that how much secure is that process is??? If this is vulnerable than can ne1 plz suggest me a secure access of admin panel. thank u.

Link to comment
https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/
Share on other sites

You could do it the way you are explaining...but this is how I would do it.

 

Put a column in the users table that is called "rank". If the rank is set to "0" they are a regular member, and if it is set to "1" they are an admin.

 

Then just check against that to see if they should have access or not.

You could do it the way you are explaining...but this is how I would do it.

 

Put a column in the users table that is called "rank". If the rank is set to "0" they are a regular member, and if it is set to "1" they are an admin.

 

Then just check against that to see if they should have access or not.

 

 

You r not getting my point. If i dont use ne checking, anyone can access my admin panel page by putting just the address of admin panel address. Like: Suppose, One of my admin panel page is setting.php and the address of the page is www.abc.com/admin/setting.php . now if ne1 only write the address (www.abc.com/admin/setting.php), then he can access the page if i dont check by ne means. So my question was that is my procedure is enough protected or there is ne other more protected procedure?

You might consider keeping your admin pages above root, and include them if the admin credentials are supplied. If you are on a linux server, using htaccess/htpassword will be sufficient. If that isn't good enough, you would have to go with an encrypted connection.

No, that is not secure at all.

 

In this file:

www.abc.com/admin/setting.php

 

You need to CHECK if they are an admin on that page.

 

<?php

if (isset($_SESSION['signup_admin'])){
   //display the admin panel code here

} else {
   echo "You are not an admin!";
}

?>

 

 

You might consider keeping your admin pages above root, and include them if the admin credentials are supplied. If you are on a linux server, using htaccess/htpassword will be sufficient. If that isn't good enough, you would have to go with an encrypted connection.

 

thank u for some prelementary idea. Can u plz elaborate it with some example or online resource or some coding. As far as I know, htaccess is userd for protecting some1 from entering a folder on my site. Can u tell how to use it for admin access. and what do u mean by keeping admin pages above root???

you can use all the session as normall and do it like the bank does.

 

username.

password.

fav color.

form capcha.

 

use md5 sha salt

 

I think the problem is that the session variables that are set o some1's pc that can be findable. That is saved at this format variavle name:encrpted value. So, here as the session variable names are not encrypted, so ne1 can set a variable after knowing its name while he is not authorized and can access the admin panel. How to solve this prob???

 

ne1 new idea xcept using SESSION variable??? like cookies whether SESSION is one kind of cookie.

The way I understand it, the session variables are only stored on the server.  The only thing saved in the cookie on the user's browser is PHPSESSID=long string of letters and numbers.  That cookie is matched up with the session file on the server along with any variables you have set for that person.  So the user doesn't know what session variables you have set for them by examining the cookie.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.