[Resolved] have a safe admin system

mehrzadsoft

i developed a simple admin system for my home page but am worry about security. how can i increase the security in my scripts and admin system too?

Am waiting to get your experinces and hints.

thanks alot

Sxooter

I usually recommend putting everything under apache security, and using a strong password. That way, you don't have to put security in every single page and worry about a mistake in your own security code.

Ravenous

The Apache directives are certainly one way to go, but that doesn't allow him to have administrative functions anywhere.. only in certain directories. I use a simple session variable and some scripts for user management.

For instance, when a user logs into my site, a session variable is set identifying them by their userid ($_SESSION['userid']). Then, whenever needed, I query a table in my database that holds the userids that I've set as administrators. If that userid was found in the table, allow access. Otherwise, don't.

Storing this data in a database has teh drawback of being vulnerable to SQL injections if the rest of the scripts don't do proper input validation, but that is a different issue.

Sxooter

But the advantage of using apache security is that you write all your admin functions with no real security of their own, stick them in one directory, and set that directory to only allow the admin in. Security wise, you can write them to do anything you want. Further, the apache directives can let you limit which hosts can access the directory, further limiting the attack vectors of attackers.

It's generally better to have ONE gatekeeper, so to speak, than a dozen different ones. So, at least use a single include file that is autoincluded at the top of every php page in the admin directory to handle security if you're gonna roll your own.

Apache security has the advantage of having had many eyes look it over for a long time, and that maturity should play into your decision into whether or not to use it.

csn

One problem with Apache security is that the username and password aren't encrypted when sent (or something else like challenge/response used). Unless you want to get a certificate and use https. I'm surprised Apache hasn't developed a better option.

Sxooter

Actually, you can set the encryption to be on now, with the digest keywork.

But the best way to do it is to use [url]https://[/url] which encrypts the whole session.

csn

Ah, I'll have to check into that. Hopefully it's easy to setup/use. Since I've been using WIFI in public places, I've been paranoid about people sniffing if I ever log in to my admin URL's. I've been looking into OpenVPN.