Suggestions on a secure admin login?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Matt Phelps
Forum Commoner
Posts: 82
Joined: Fri Jun 14, 2002 2:05 pm


Post by Matt Phelps »

I have a user login script and three types of users - either admin, member or non-member.

I originally built my login with sessions but I need the sessions to last a lot longer than just until the browser is closed so I decided to use cookies instead. I now set two cookies - one for the users name and one for the users admin status if they are admin. If they are not admins then they only get the one cookie.

Problem here is that obviously it is fairly simple for a non-admin member to edit their cookies and find the variable called USTATUS and assign it to a value of ADMIN. This would make it easy peasy to crack the site!

I'd be interested in someone suggesting an alternative way of getting the admin status to be a persistent variable (not having to log in every time) but making it so that other members can't just edit their cookies and gain access to the admin part of the site.

For example, how is this done with BB software like VB or phpBB?

Perhaps I should encode the 'admin' status with MD5 so that it doesn't look so obvious in the cookie data? How have other people tackled this problem?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Use cookies in conjunction with sessions. Have a cookie for remembering who the person is (to automatically log them in) and use sessions to hold information about admin status whilst the user is browsing your site.

Mac
Matt Phelps
Forum Commoner
Posts: 82
Joined: Fri Jun 14, 2002 2:05 pm

Post by Matt Phelps »

Surely that would mean that the admins would have to re-log themselves in somewhere else every time so that I can authenticate them and start a session?
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

Have a cookie like "autologin" and have it store the username and password... maybe encrypted if you feel like it.

And then when they access your site, have it check if the cookie is set, and if it is, automatically log them in.
daemorhedron
Forum Commoner
Posts: 52
Joined: Tue Jul 23, 2002 11:03 am

Post by daemorhedron »

IMHO, it is better to place the admin value in the session itself and have solid authentication. If all you want to do is extend the timeouts of your sessions, look into the session_set_cookie_params() and the session_get_cookie_params() commands to extend the timeout beyond 0. IIRC, when the cookie is set for 0, it will die when the browser is closed. If you set it for, say, 60*60*24, that will allow their cookie to live for a day, regardless of whether their browser is open or closed during that time.

HTH
Matt Phelps
Forum Commoner
Posts: 82
Joined: Fri Jun 14, 2002 2:05 pm

Post by Matt Phelps »

I looked at the SET_SESSION_COOKIE stuff and to be honest I found it extremely confusing and complicated. I want persistence of longer than a day or two - I want it for maybe a year or more!
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Surely the user's admin status is stored somewhere other than the cookie? If so you can get the information from the cookie to discover who the person is and then use that to determine their admin status for the session. That way if the person loses admin status it is easier to prevent them access to those sections of the site.

Mac
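The approach in Mac's last reply, worked through as an added example that is not code from anyone in the thread: the long-lived cookie only identifies the user, via a random token that is stored hashed on the server, and the admin flag is read from the database when the session starts, so editing the cookie cannot grant admin. It assumes PHP 7.3 or later, a PDO connection in $db, and the two tables named in the comments; all of those are assumptions made for this example.

```php
<?php
// Added example: persistent "remember me" cookie that identifies the user only;
// admin status is read from the database each time a session starts.
// Assumes a PDO connection $db with tables:
//   users(id, username, is_admin)
//   login_tokens(selector, validator_hash, user_id, expires)
// (table and column names are assumptions for this example)

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL = 365 * 24 * 60 * 60; // about a year, as the OP wanted

// Call after a successful password login when the user ticks "remember me".
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret, only stored hashed
    $stmt = $db->prepare('INSERT INTO login_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call at the start of every request. Returns the logged-in user row or null.
function currentUser(PDO $db): ?array {
    session_start();
    if (!isset($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
        [$selector, $validator] = explode(':', $_COOKIE[REMEMBER_COOKIE], 2) + [null, null];
        $stmt = $db->prepare('SELECT user_id, validator_hash FROM login_tokens WHERE selector = ? AND expires > ?');
        $stmt->execute([$selector, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Constant-time compare so a tampered validator is rejected without a timing leak.
        if ($row && hash_equals($row['validator_hash'], hash('sha256', (string)$validator))) {
            session_regenerate_id(true);
            $_SESSION['user_id'] = (int)$row['user_id'];
        } else {
            setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']); // forget a bad cookie
        }
    }
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // Admin status comes from the database, never from anything the client sent.
    $stmt = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
```

An admin page then calls currentUser($db) and refuses the request unless the returned row has is_admin set; revoking someone's admin rights in the users table takes effect on their next request, with no cookie changes needed.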