I have a user login script and three types of users - either admin, member or non-member.
I originally built my login with sessions but I need the sessions to last a lot longer than just until the browser is closed, so I decided to use cookies instead. I now set two cookies - one for the user's name and one for the user's admin status if they are an admin. If they are not an admin then they only get the one cookie.
The problem here is that, obviously, it is fairly simple for a non-admin member to edit their cookies, find the variable called USTATUS and assign it a value of ADMIN. This would make it easy peasy to crack the site!
I'd be interested in someone suggesting an alternative way of getting the admin status to be a persistent variable (not having to log in every time) but making it so that other members can't just edit their cookies and gain access to the admin part of the site.
For example; how is this done with BB software like VB or phpBB?
Perhaps I should encode the 'admin' status with MD5 so that it doesn't look so obvious in the cookie data? How have other people tackled this problem?
Suggestions on a secure admin login?
daemorhedron:
imho, it is better to place the admin value in the session itself and have solid authentication. if all you want to do is extend the timeouts of your sessions, look into the session_set_cookie_params() and session_get_cookie_params() functions to extend the timeout beyond 0. IIRC, when the cookie is set for 0, it will die when the browser is closed. if you set it for, say, 60*60*24, that will allow their cookie to live for a day, regardless of whether their browser is open or closed during that time.
HTH
twigletmac:
Surely the user's admin status is stored somewhere other than the cookie? If so, you can use the information in the cookie to discover who the person is and then use that to determine their admin status for the session. That way, if the person loses admin status, it is easier to prevent them from accessing those sections of the site.
Mac
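Putting the two replies together, as an added example (not code from this thread or from any forum package): the cookie carries only the PHP session id, the session stores only who the user is, and the admin flag is read back from the user record on every request rather than from anything the client can edit. The `$users` array stands in for the users table, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: persistent login without an admin flag in the cookie.
// Must run before any output; session_set_cookie_params() must precede session_start().

// daemorhedron's point: a lifetime of 0 dies with the browser, 60*60*24 lasts a day.
session_set_cookie_params([
    'lifetime' => 60 * 60 * 24,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Stand-in for the users table (constructed for this example; use a DB in practice).
$users = [
    'matt'  => ['hash' => password_hash('s3cret',  PASSWORD_DEFAULT), 'is_admin' => true],
    'guest' => ['hash' => password_hash('letmein', PASSWORD_DEFAULT), 'is_admin' => false],
];

// Authenticate and record only the user's identity in the server-side session.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user'] = $name;     // no USTATUS anywhere the client can edit
    return true;
}

// twigletmac's point: derive admin status from the stored record on every request,
// so an edited cookie cannot grant it and revoking admin takes effect immediately.
function is_admin(array $users): bool
{
    $name = $_SESSION['user'] ?? '';
    return isset($users[$name]) && $users[$name]['is_admin'] === true;
}

if (isset($_POST['name'], $_POST['password'])
    && !login($users, (string) $_POST['name'], (string) $_POST['password'])) {
    http_response_code(401);
    exit('Login failed');
}

if (!is_admin($users)) {
    http_response_code(403);
    exit('Admin area: access denied');
}
```

Because the only client-side value is the session id, the MD5-the-flag idea from the original post becomes unnecessary: there is no flag to disguise.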