how easy is it to password protect?

[jacko_162]

i have designed a cms system with my basic knowledge of .php some old .php scripts off a friend and help from this forum, the last thing on my list before i can make my site go live now is to password protect the admin backend.

 

can anyone offer any code snippets or tutorials on how i can achieve this please.

 

 

Thank you very much.

[fert]

use cookies or sessions to check if a person is logged in as an admin and if so allow them to change content.

[revraz]

Assuming you have access to MySQL or a DB, just make some type of Role field in the DB and read it to set their level of access.

[jacko_162]

i do have access to sql, but i dont have a clue about sessions or cookies!?

 

if i want to log in from a number of locations am i best using sessions?! for now i only want one password and username to access the whole control panel but it would be nice to have 2 types of users 1 full control and 1 to just control products??

 

like i said anyone wanna help me with this? or links to code snippets and/or tutorials?!

[revraz]

Search for a PHP Authentication script, you'll find tons.

 

You'll want to use sessions after you log in to track your "Role", and you can use a Cookie if you want to store info so you don't have to log in again when you return.

 

i do have access to sql, but i dont have a clue about sessions or cookies!?

 

if i want to log in from a number of locations am i best using sessions?! for now i only want one password and username to access the whole control panel but it would be nice to have 2 types of users 1 full control and 1 to just control products??

 

like i said anyone wanna help me with this? or links to code snippets and/or tutorials?!

[The Little Guy]

another way would be to use .htpasswd

 

http://koivi.com/php-http-auth/

[br0ken]

The best and most secure way for a novice PHP programmer is to use sessions/cookies.

 

By simply calling session_start() a session id will be assigned to the client. This will be stored in a cookie and sent back and forth between the server and the client untill the session is ended. A session can be ended using session_destroy() or by a user closing their browser/deleteing their cookies.

 

When a client logs in correctly, create a session variable called 'isAuthorised' and set it to true.

 

Every page that requires the client to be authenticated simply check whether or not isAuthorised is true or false.

 

I hope this helps

[psychowolvesbane]

Hi I'm wondering if it is entirely possible for hackers to access the variable and change it so that they could access restricted areas, or is there a possible mixture between Sessions and .htaccess that can be reached that is more secure?

[Stooney]

sessions are server side so the user doesn't have access to change it without some sort of security hole in your script. (as far as I know).

[jacko_162]

this sounds pretty easy(ish) is there anywhere i can go visit to give me an example of this code to use or a tutorial of some sort?!

 

i only need 2x users, one main admin and another to only access product pages (add, deltete, view etc..)

 

Thank you guys

 

p.s i am currently using .htaccess and i am not overly keen on this method as i know it can be worked around..

[aschk]

Create a class heirarchy of authentication, which you can apply to other classes, and then create a single point of entry (i.e. front controller, if you want to google it). This should alleviate some of your issues, or possibly create others if you don't have a great grip of classes.

 

Sessions are you only option really, so go down that road. .htaccess is fine, but unmaintainable...