  1. #1 SitePoint Wizard (joined Apr 2002)

    method for implementing a private admin area of site

    Hi,

    Say I wanted to create an admin-only area for a site. On the site is an online store, so the admin area would allow people with the name/pw to access order details, which would include other people's personal details (name, address, phone number, what they've ordered etc., but not actual credit card details), so it's quite important that non-authorised people can't access this area (they could play serious havoc with the business at the very least), but not ultra-critical (as it would be if credit card details were stored/accessible).

    What's the general strategy/method for doing that? I know there's using Apache, but say I didn't want to use Apache's standard method for doing this, what would be the/a way of implementing it myself?

    Any pointer to useful articles or whatever appreciated.

    Thanks.

  2. #2 SitePoint Enthusiast (Barbados, joined May 2003)
    Look into some of the SitePoint books, most notably these two: http://www.sitepoint.com/books/phpmysql1/ and http://www.sitepoint.com/books/phpant1/

    My method of doing this:
    Provide an HTML form through which the user enters information. This entered data must be validated and verified. Verification is checking to ensure that the user-entered information matches information in the database and that the person has the proper access rights (i.e. if only you are to access the admin area then the user must enter your information stored in the database). Validation is ensuring that the entered data meets the rules of the HTML form (i.e. is the username supposed to be 8 characters long? If the user only entered 5 characters then the form is not submitted; the user is prompted to re-enter the information and is provided an informative error message displaying what mistake they made).
    Therefore, validation must occur before verification, but verification is the most important part of the access control. Validation makes it more user-friendly.
    Of course, you maintain the login period by using PHP sessions. Basically, you create certain session variables for each user that logs in, and whenever they access a page, make the PHP embedded in the page check to see that their session variables are correct. This helps prevent session hijacking.

    I'd also make use of mysql_real_escape_string for all user input (from the HTML form). As the SitePoint books say, never trust user input.
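Editor's note: the following is an added example, not code from either poster, showing the validate-then-verify login flow described in the post above together with the per-page session check. Two techniques are swapped in for what the post names: PDO prepared statements in place of mysql_real_escape_string() (which was removed in PHP 7), and password_hash()/password_verify() in place of storing the raw or md5'd password. The table admin_users(id, username, password_hash), the sample credentials, and the use of an in-memory SQLite database (standing in for MySQL so the script runs offline) are all assumptions for illustration.

```php
<?php
// Added example (not from the thread): login handling for the admin area.
// Assumes the pdo_sqlite extension; the admin_users table and sample user are
// constructed here purely for the demo.
declare(strict_types=1);

// Constructed sample database: SQLite in memory standing in for MySQL.
function setup_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $pdo->prepare('INSERT INTO admin_users (username, password_hash) VALUES (?, ?)')
        ->execute(['shopadmin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Validation: does the input have the shape the form promised? Returns an error
// message for the user, or null if the input is acceptable.
function validate_login_input(string $username, string $password): ?string {
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'Username must be 3 to 32 letters, digits or underscores.';
    }
    if (strlen($password) < 8 || strlen($password) > 1024) {
        return 'Password must be 8 to 1024 characters.';
    }
    return null;
}

// Verification: do the credentials match a stored admin? Returns the user id or
// null. Unknown usernames still go through password_verify() against a dummy
// hash so the response time does not reveal which usernames exist.
function verify_login(PDO $pdo, string $username, string $password): ?int {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-hash-for-timing', PASSWORD_DEFAULT);
    }
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin_users WHERE username = ?');
    $stmt->execute([$username]);          // bound parameter: no escaping needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummyHash);
    return ($ok && $row) ? (int) $row['id'] : null;
}

// After a successful POST to login.php: bind the login to a fresh session id.
function start_admin_session(int $userId): void {
    session_regenerate_id(true);          // new id at privilege change (anti-fixation)
    $_SESSION['admin_user_id'] = $userId;
}

// First line of every protected page, after session_start(): send anyone
// without an admin session back to the login form.
function require_admin(): int {
    if (empty($_SESSION['admin_user_id'])) {
        header('Location: /admin/login.php', true, 303);
        exit;
    }
    return (int) $_SESSION['admin_user_id'];
}

// Demo run: the same checks login.php would make on $_POST['username'] / ['password'].
$pdo = setup_demo_db();
$attempts = [
    ['shopadmin', 'correct horse battery staple'],
    ['shopadmin', 'wrong-password-here'],
    ['x', 'short'],
];
foreach ($attempts as [$u, $p]) {
    $err = validate_login_input($u, $p);
    $id  = $err === null ? verify_login($pdo, $u, $p) : null;
    printf("%-10s validation=%s user_id=%s\n", $u, $err ?? 'ok', var_export($id, true));
}
```

In the demo the first attempt validates and verifies to user id 1, the second validates but fails password_verify(), and the third is rejected by validation before the database is ever queried. The dummy-hash branch keeps the failure path for an unknown username roughly as slow as the path for a known one.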

  3. #3 SitePoint Wizard (joined Apr 2002)
    Right, so I create a login form which takes a name and password. I check that info against info stored in a normal MySQL database and if it passes the tests, set a cookie session. On all the pages I want to be protected, simply check that that cookie exists. So really there's nothing special about it at all; it's normal programming. And that's good enough?

    Probably also what should be done is to have a third entry in the database table, further to name and password, that stores the last time the session was used, which obviously should get updated every time the session is checked correctly, and have a set or settable time where if there's no access it becomes dead and thereafter re-login is required.

    Any value in using some hash function, one-way if there is one in PHP (which I'm sure there must be), on the password and storing the one-way hashed version of the password? No harm I suppose, so may as well.

  4. #4 SitePoint Enthusiast (Barbados, joined May 2003)
    That's right. Don't use cookies though. Use sessions.

    Indeed, you need to keep validating that the login session is valid with each page request. You should also verify that only one person is logged in using a specific login account at any one time.

    As you imply, I use md5 encryption to create a 'hash' and store it in a session variable. I basically encrypt unique data stored about the particular user (for instance, if no two users can have the same last name then I'll use that) together with a set word. That makes the created hash value unique per user, so if someone tries to log in using a login account that is currently active, I check to see that there is no corresponding session variable. If so, then I stop the login and log out the currently logged-in user on that account.

    Of course, I'll also provide the forced-logged-out user with an error message (Someone else tried to log in on your account) so that they know what happened and can change their password if they like.
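Editor's note: the following is an added example, not code from either poster, covering two things raised in posts #3 and #4: the "last time the session was used" column with an idle timeout (post #3) and allowing only one active login per account, with the displaced user told what happened (post #4). Rather than md5 of the user's last name plus a fixed word, which is guessable, the per-login token here is 32 random bytes from random_bytes(); the new login wins and the older browser is logged out on its next request. The table admin_users(id, username, session_token, last_seen), the 15-minute idle limit, and the in-memory SQLite database (standing in for MySQL) are assumptions for illustration. $_SESSION is passed in as an array so the script runs from the command line.

```php
<?php
// Added example (not from the thread): idle timeout plus one-active-session-per-account,
// both tracked on the user's database row. Assumes the pdo_sqlite extension.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60;   // assumed limit for the demo

// Constructed sample table: SQLite in memory standing in for MySQL.
function setup_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, session_token TEXT, last_seen INTEGER)');
    $pdo->exec("INSERT INTO admin_users (id, username) VALUES (1, 'shopadmin')");
    return $pdo;
}

// Called once the password check has passed. Mints a random per-login token,
// stores it on the user's row (overwriting any token from another browser) and
// in this browser's session, and records the login as the latest activity.
function bind_session_to_user(PDO $pdo, array &$session, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE admin_users SET session_token = ?, last_seen = ? WHERE id = ?')
        ->execute([$token, $now, $userId]);
    $session = ['admin_user_id' => $userId, 'session_token' => $token];
    return $token;
}

// Run on every protected page. Returns 'ok', or why the session is dead:
// 'not_logged_in', 'logged_in_elsewhere' (someone else logged in on the
// account and replaced our token) or 'idle_timeout'.
function check_admin_session(PDO $pdo, array &$session, int $now): string {
    if (empty($session['admin_user_id']) || empty($session['session_token'])) {
        return 'not_logged_in';
    }
    $stmt = $pdo->prepare('SELECT session_token, last_seen FROM admin_users WHERE id = ?');
    $stmt->execute([$session['admin_user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || $row['session_token'] === null) {
        $session = [];
        return 'not_logged_in';
    }
    // Constant-time compare: the token is a secret, even if a short-lived one.
    if (!hash_equals((string) $row['session_token'], (string) $session['session_token'])) {
        $session = [];                     // force logout; page shows the "someone else logged in" message
        return 'logged_in_elsewhere';
    }
    if ($now - (int) $row['last_seen'] > IDLE_LIMIT_SECONDS) {
        // Idle too long: free the account and require a fresh login.
        $pdo->prepare('UPDATE admin_users SET session_token = NULL WHERE id = ?')
            ->execute([$session['admin_user_id']]);
        $session = [];
        return 'idle_timeout';
    }
    // Still valid: this request counts as activity.
    $pdo->prepare('UPDATE admin_users SET last_seen = ? WHERE id = ?')
        ->execute([$now, $session['admin_user_id']]);
    return 'ok';
}

// Demo: browser A logs in; browser B later logs in on the same account; then B
// sits idle past the limit. Times are constructed Unix timestamps.
$pdo = setup_demo_db();
$t = 1000000;
$browserA = [];
$browserB = [];
bind_session_to_user($pdo, $browserA, 1, $t);
echo 'A after 1 min:  ', check_admin_session($pdo, $browserA, $t + 60), "\n";
bind_session_to_user($pdo, $browserB, 1, $t + 120);
echo 'A after B login: ', check_admin_session($pdo, $browserA, $t + 180), "\n";
echo 'B shortly after: ', check_admin_session($pdo, $browserB, $t + 200), "\n";
echo 'B after idling:  ', check_admin_session($pdo, $browserB, $t + 200 + IDLE_LIMIT_SECONDS + 1), "\n";
echo 'B once more:     ', check_admin_session($pdo, $browserB, $t + 200 + IDLE_LIMIT_SECONDS + 2), "\n";
```

The four checks come back ok, logged_in_elsewhere, ok and idle_timeout in that order, and the final one is not_logged_in because the idle timeout already cleared B's session. The point of keeping the token on the user's row rather than only in the session store is that browser A's session data is untouched by B's login; A is rejected purely because the database no longer agrees with it, which is what lets the page tell A "someone else logged in on your account" rather than silently dropping them at the login form.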
