
Suggestions on a secure admin login?

Posted: Thu Aug 01, 2002 10:45 am
by Matt Phelps
I have a user login script and three types of users - either admin, member or non-member.

I originally built my login with sessions but I need the sessions to last a lot longer than just until the browser is closed so I decided to use cookies instead. I now set two cookies - one for the user's name and one for the user's admin status if they are admin. If they are not admins then they only get the one cookie.

Problem here is that obviously it is fairly simple for a non-admin member to edit their cookies and find the variable called USTATUS and assign it to a value of ADMIN. This would make it easy peasy to crack the site!

I'd be interested in someone suggesting an alternative way of getting the admin status to be a persistent variable (not having to log in every time) but making it so that other members can't just edit their cookies and gain access to the admin part of the site.

For example; how is this done with BB software like VB or phpBB?

Perhaps I should encode the 'admin' status with MD5 so that it doesn't look so obvious in the cookie data? How have other people tackled this problem?

Posted: Thu Aug 01, 2002 10:54 am
by twigletmac
Use cookies in conjunction with sessions. Have a cookie for remembering who the person is (to automatically log them in) and use sessions to hold information about admin status whilst the user is browsing your site.

Mac

Posted: Thu Aug 01, 2002 12:23 pm
by Matt Phelps
Surely that would mean that the admins would have to re-log themselves in somewhere else every time so that I can authenticate them and start a session?

Posted: Thu Aug 01, 2002 4:25 pm
by hob_goblin
have a cookie like "autologin" and have it store the username and password... maybe encrypted if you feel like it.

and then when they access your site, have it check if the cookie is set, and if it is, automatically log them in.

Posted: Thu Aug 01, 2002 10:00 pm
by daemorhedron
imho, it is better to place the admin value in the session itself and have solid authentication. if all you want to do is extend the timeouts of your sessions, look into the session_set_cookie_params() and the session_get_cookie_params() commands to extend the timeout beyond 0. IIRC, when the cookie is set for 0, it will die when the browser is closed. if you set it for say 60*60*24, that will allow their cookie to live for a day, regardless of whether their browser is open or closed during that time.

HTH

Posted: Thu Aug 01, 2002 10:36 pm
by Matt Phelps
I looked at the SET_SESSION_COOKIE stuff and to be honest I found it extremely confusing and complicated. I want persistence of longer than a day or two - I want it for maybe a year or more!

Posted: Fri Aug 02, 2002 2:24 am
by twigletmac
Surely the user's admin status is stored somewhere other than the cookie? If so you can get the information from the cookie to discover who the person is and then use that to determine their admin status for the session. That way if the person loses admin status it is easier to prevent them from accessing those sections of the site.

Mac
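One way to put together what twigletmac and daemorhedron describe (a long-lived cookie that only says *who* the visitor is, a session rebuilt from it, and the admin flag always read from the database), as an added example that is not code from the original thread or from phpBB/vBulletin. It assumes PHP 7.3+ (for the array forms of session_set_cookie_params() and setcookie()) and a PDO connection `$db` with two hypothetical tables, `users(id, username, is_admin)` and `remember_tokens(selector, validator_hash, user_id, expires)`. The cookie carries a random token rather than the username and password or an MD5 of "admin": a value the client can compute or copy from another user can simply be replayed, while a random 32-byte secret whose hash lives only in the database cannot be forged by editing the cookie.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.3+ and a PDO
// connection $db with the hypothetical tables:
//   users(id, username, is_admin)
//   remember_tokens(selector, validator_hash, user_id, expires)

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 365;

// daemorhedron's point: a lifetime of 0 makes the session cookie die with the
// browser; a positive lifetime keeps it across restarts. Must run before
// session_start(). The server-side data is still subject to
// session.gc_maxlifetime, which is why the remember cookie below exists.
function startLongSession(): void
{
    session_set_cookie_params([
        'lifetime' => 60 * 60 * 24 * 30,   // 30 days
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once after a successful password login.
function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function rowToUser(array $row): array
{
    return ['id' => (int) $row['id'], 'username' => $row['username'], 'is_admin' => (bool) $row['is_admin']];
}

// Identifies the user from the remember cookie, or returns null. Nothing in
// the cookie is trusted on its own: the selector only picks a DB row, and the
// validator has to hash to what that row stores.
function userFromRememberCookie(PDO $db): ?array
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) return null;
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) return null;
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT t.validator_hash, t.expires, u.id, u.username, u.is_admin
           FROM remember_tokens t JOIN users u ON u.id = t.user_id
          WHERE t.selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) return null;

    // Constant-time comparison so the hash cannot be matched byte by byte.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) return null;
    return rowToUser($row);
}

// Per request: the session holds only the user id; the admin flag is re-read
// from the database, so revoking admin takes effect on the next request
// (twigletmac's point about users who lose admin status).
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        $user = userFromRememberCookie($db);
        if ($user === null) return null;
        session_regenerate_id(true);          // fresh session id on login
        $_SESSION['user_id'] = $user['id'];
        return $user;
    }
    $stmt = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? rowToUser($row) : null;
}

function requireAdmin(PDO $db): void
{
    $user = currentUser($db);
    if ($user === null || !$user['is_admin']) {
        http_response_code(403);
        exit('Admin access required');
    }
}
```

Usage: call `startLongSession()` at the top of every page, `issueRememberCookie($db, $id)` right after a password check succeeds, and `requireAdmin($db)` at the top of admin pages. Changing `USTATUS` in the cookie jar no longer helps an attacker, because there is no status in the cookie at all: the only way to become admin is for the `users` row looked up on the server to say so. Deleting a user's rows from `remember_tokens` logs them out everywhere, which a username/password cookie cannot do without changing the password.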