Barnacles Posted June 30, 2007 Share Posted June 30, 2007 When we build a website, most of the time we have to build an admin panel for that site. But that admin panel must have to be secured from annonymous access. That is our main agenda. in my websites I generally use SESSION variables to protect annonymous access. Like, when user id and password for administrator is checked and if it is ok then I set one session variables (ie: $_SESSION[signup_admin] = "ok"). And I check at the starting of every page of admin panel whether the SESSION variable is set or not (ie. isset($_SESSION[signup_admin])). If the variable is set then I grant access. Now, My question is that how much secure is that process is??? If this is vulnerable than can ne1 plz suggest me a secure access of admin panel. thank u. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/ Share on other sites More sharing options...
hackerkts Posted June 30, 2007 Share Posted June 30, 2007 I believe it's safe enough by using session, that's what I always use on my administrator panel. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286690 Share on other sites More sharing options...
pocobueno1388 Posted June 30, 2007 Share Posted June 30, 2007 You could do it the way you are explaining...but this is how I would do it. Put a column in the users table that is called "rank". If the rank is set to "0" they are a regular member, and if it is set to "1" they are an admin. Then just check against that to see if they should have access or not. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286693 Share on other sites More sharing options...
Barnacles Posted June 30, 2007 Author Share Posted June 30, 2007 You could do it the way you are explaining...but this is how I would do it. Put a column in the users table that is called "rank". If the rank is set to "0" they are a regular member, and if it is set to "1" they are an admin. Then just check against that to see if they should have access or not. You r not getting my point. If i dont use ne checking, anyone can access my admin panel page by putting just the address of admin panel address. Like: Suppose, One of my admin panel page is setting.php and the address of the page is www.abc.com/admin/setting.php . now if ne1 only write the address (www.abc.com/admin/setting.php), then he can access the page if i dont check by ne means. So my question was that is my procedure is enough protected or there is ne other more protected procedure? Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286697 Share on other sites More sharing options...
sKunKbad Posted June 30, 2007 Share Posted June 30, 2007 You might consider keeping your admin pages above root, and include them if the admin credentials are supplied. If you are on a linux server, using htaccess/htpassword will be sufficient. If that isn't good enough, you would have to go with an encrypted connection. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286702 Share on other sites More sharing options...
pocobueno1388 Posted June 30, 2007 Share Posted June 30, 2007 No, that is not secure at all. In this file: www.abc.com/admin/setting.php You need to CHECK if they are an admin on that page. <?php if (isset($_SESSION['signup_admin'])){ //display the admin panel code here } else { echo "You are not an admin!"; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286703 Share on other sites More sharing options...
Barnacles Posted June 30, 2007 Author Share Posted June 30, 2007 You might consider keeping your admin pages above root, and include them if the admin credentials are supplied. If you are on a linux server, using htaccess/htpassword will be sufficient. If that isn't good enough, you would have to go with an encrypted connection. thank u for some prelementary idea. Can u plz elaborate it with some example or online resource or some coding. As far as I know, htaccess is userd for protecting some1 from entering a folder on my site. Can u tell how to use it for admin access. and what do u mean by keeping admin pages above root??? Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286705 Share on other sites More sharing options...
Barnacles Posted June 30, 2007 Author Share Posted June 30, 2007 ne more ideas??? Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286743 Share on other sites More sharing options...
redarrow Posted June 30, 2007 Share Posted June 30, 2007 you can use all the session as normall and do it like the bank does. username. password. fav color. form capcha. use md5 sha salt Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286747 Share on other sites More sharing options...
Barnacles Posted June 30, 2007 Author Share Posted June 30, 2007 you can use all the session as normall and do it like the bank does. username. password. fav color. form capcha. use md5 sha salt I think the problem is that the session variables that are set o some1's pc that can be findable. That is saved at this format variavle name:encrpted value. So, here as the session variable names are not encrypted, so ne1 can set a variable after knowing its name while he is not authorized and can access the admin panel. How to solve this prob??? ne1 new idea xcept using SESSION variable??? like cookies whether SESSION is one kind of cookie. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286753 Share on other sites More sharing options...
redarrow Posted June 30, 2007 Share Posted June 30, 2007 we dont do this really all we normally do is set the permission fild to a number and if that number matches enter as admin 1. admin 2.user 3.power user 4.moderator Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286757 Share on other sites More sharing options...
calabiyau Posted June 30, 2007 Share Posted June 30, 2007 The way I understand it, the session variables are only stored on the server. The only thing saved in the cookie on the user's browser is PHPSESSID=long string of letters and numbers. That cookie is matched up with the session file on the server along with any variables you have set for that person. So the user doesn't know what session variables you have set for them by examining the cookie. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286780 Share on other sites More sharing options...
redarrow Posted June 30, 2007 Share Posted June 30, 2007 correct nearly but there. Quote Link to comment https://forums.phpfreaks.com/topic/57856-solved-security-of-admin-panel/#findComment-286783 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.