On my site, I've got a username login and admin area. Normal users can go to certain parts of the site and change the colour theme etc. Admins can post news and delete users etc. The passwords (held in a MySQL database) are encrypted using one way encryption, so the raw password can never be retrieved from the database. Is that safe enough?
Furthermore, an admin is denoted by the value of the field admin in the database. If they have previously logged in, a session variable id was set, which is their id in the database. To ascertain whether they are an admin, a query is used that gets the value of admin with that id. If it's 1, then they are an admin, else they are not. Is this secure enough? Or perhaps there is a better way of doing this? For example, is it possible to, say, change the session id variable of a normal user to that of a known admin?
Many thanks,
Chris
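A runnable model of the flow the post describes (one-way password storage, a session holding the user's id, and a per-request lookup of the admin flag), written as an added example in Python rather than taken from Chris's site. It uses an in-memory dictionary as a stand-in for the MySQL tables; the PBKDF2 round count and the token length are assumptions chosen for illustration. The security-relevant points it makes concrete: the client only ever holds an opaque random token, the id lives in the server-side session store keyed by that token, a fresh token is issued on every login, and the admin flag is re-read from the "database" on each check rather than cached in the session.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database" standing in for the MySQL tables in the post.
# Passwords are stored only as salted PBKDF2 hashes, never in a reversible form.
USERS = {}      # id -> {"name": str, "salt": bytes, "hash": bytes, "admin": int}
SESSIONS = {}   # server-side session store: opaque token -> {"id": int}

PBKDF2_ROUNDS = 200_000  # assumption: tune so a hash takes a noticeable fraction of a second


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow: the raw password cannot be recovered."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(user_id: int, name: str, password: str, admin: int = 0) -> None:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    USERS[user_id] = {
        "name": name,
        "salt": salt,
        "hash": hash_password(password, salt),
        "admin": admin,
    }


def set_admin(user_id: int, admin: int) -> None:
    """Promote or demote a user in the database (not in any session)."""
    USERS[user_id]["admin"] = admin


def login(name: str, password: str):
    """Return a fresh session token on success, None on failure."""
    user_id = next((uid for uid, u in USERS.items() if u["name"] == name), None)
    if user_id is None:
        return None
    u = USERS[user_id]
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    if not hmac.compare_digest(hash_password(password, u["salt"]), u["hash"]):
        return None
    # A brand-new random token on every login (the equivalent of PHP's
    # session_regenerate_id) defeats session fixation: a token the attacker
    # planted in the victim's browser beforehand never becomes a valid one.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"id": user_id}
    return token


def is_admin(token) -> bool:
    """The per-request check from the post: look up `admin` by the id in the session.

    The id is never sent by the client; it is read from the server-side store
    using the token as the key, so a user cannot simply "change their id" to an
    admin's. Their only avenue would be to guess or steal another user's token.
    """
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    user = USERS.get(sess["id"])
    # Re-read the flag from the database on every check, so demoting an admin
    # takes effect immediately instead of surviving in a stale session.
    return bool(user and user["admin"] == 1)


def logout(token) -> None:
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    create_user(1, "chris", "correct horse battery", admin=1)
    create_user(2, "bob", "hunter2")
    admin_token = login("chris", "correct horse battery")
    user_token = login("bob", "hunter2")
    print("chris is admin:", is_admin(admin_token))
    print("bob is admin:", is_admin(user_token))
    print("forged token is admin:", is_admin("id=1"))
```

The weak spot in this design is not the id-in-session lookup itself but everything around the token: it must be long and random (so it cannot be guessed), sent only over HTTPS with the cookie marked `HttpOnly` and `Secure` (so it cannot be read by injected script or sniffed), and replaced on login (so it cannot be fixed in advance). If the session data were stored somewhere the client can write, such as an unsigned cookie containing `id=2`, the answer to the question in the post would flip to "yes".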