Suggestions on a secure admin login?
Posted: Thu Aug 01, 2002 10:45 am
I have a user login script and three types of users - either admin, member or non-member.
I originally built my login with sessions but I need the sessions to last a lot longer than just until the browser is closed so I decided to use cookies instead. I now set two cookies - one for the user's name and one for the user's admin status if they are admin. If they are not admins then they only get the one cookie.
Problem here is that obviously it is fairly simple for a non-admin member to edit their cookies and find the variable called USTATUS and assign it to a value of ADMIN. This would make it easy peasy to crack the site!
I'd be interested in someone suggesting an alternative way of getting the admin status to be a persistent variable (not having to log in every time) but making it so that other members can't just edit their cookies and gain access to the admin part of the site.
For example, how is this done with BB software like VB or phpBB?
Perhaps I should encode the 'admin' status with MD5 so that it doesn't look so obvious in the cookie data? How have other people tackled this problem?
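Added example, not code from the post, from vBulletin or from phpBB: a Python stand-in for the PHP login script described above. It shows why the UNAME/USTATUS cookie scheme is forgeable, why hashing the status with MD5 does not change that (no secret is involved, so the member computes the same digest), and two designs that keep the login persistent without trusting the cookie for the role: an HMAC-signed cookie with an expiry, and a random session token that is only a key into a server-side record. The user table, SERVER_SECRET, the role names and all function names are illustrative assumptions.

```python
"""Forgeable role cookie vs. tamper-evident long-lived login (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed user table standing in for the site's database.
USERS = {"alice": "admin", "bob": "member"}
ROLES = ("admin", "member")

# --- 1. The scheme from the post: the role travels in a cookie the client edits ---
def plain_cookies(username):
    cookies = {"UNAME": username}
    if USERS.get(username) == "admin":
        cookies["USTATUS"] = "ADMIN"
    return cookies

def role_from_plain_cookies(cookies):
    # Trusts client-supplied data: a member simply adds USTATUS=ADMIN.
    return "admin" if cookies.get("USTATUS") == "ADMIN" else "member"

# --- 2. MD5 of the status: obscures the value but is just as forgeable ---
def md5_status(status):
    # No secret enters the hash, so the attacker computes the same digest.
    return hashlib.md5(status.encode()).hexdigest()

# --- 3. HMAC-signed cookie: MAC keyed with a secret the client never sees ---
SERVER_SECRET = secrets.token_bytes(32)  # illustrative; persist it in server config

def sign_login_cookie(username, role, expires_at, secret=SERVER_SECRET):
    if "|" in username or role not in ROLES:
        raise ValueError("bad username or role")
    payload = f"{username}|{role}|{int(expires_at)}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_login_cookie(cookie, now, secret=SERVER_SECRET):
    """Return {'username', 'role'} if the cookie is intact and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, role, expires_at, mac = parts
    expected = hmac.new(secret, "|".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not expires_at.isdigit() or now >= int(expires_at):
        return None
    return {"username": username, "role": role}

# --- 4. Server-side session: cookie holds only a random, unguessable token ---
SESSIONS = {}  # token -> record; a real site keeps this table in the database

def create_session(username, now, lifetime=30 * 86400):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"username": username, "role": USERS[username],
                       "expires_at": now + lifetime}
    return token

def role_from_session(token, now):
    record = SESSIONS.get(token)
    if record is None or now >= record["expires_at"]:
        return None
    return record["role"]  # the role comes from the server, never from the cookie

def revoke_session(token):
    # Deleting the record logs that browser out; a signed cookie cannot be recalled this way.
    SESSIONS.pop(token, None)

if __name__ == "__main__":
    now = int(time.time())
    forged = dict(plain_cookies("bob"), USTATUS="ADMIN")       # bob edits his cookie
    print("design 1, forged cookie ->", role_from_plain_cookies(forged))
    print("design 2, md5('ADMIN') anyone can compute ->", md5_status("ADMIN"))
    cookie = sign_login_cookie("bob", "member", now + 86400)
    tampered = cookie.replace("|member|", "|admin|")
    print("design 3, tampered cookie ->", verify_login_cookie(tampered, now))
    token = create_session("bob", now)
    print("design 4, role looked up server-side ->", role_from_session(token, now))
```

Design 3 keeps the login stateless and long-lived, but a leaked cookie stays valid until it expires; design 4 costs a database lookup per request and lets the site revoke a login or demote a user immediately. Either way the cookie should be set with the HttpOnly and Secure flags, and the expiry should be checked on the server, not taken from the cookie's own lifetime.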