your view on this type of implementation



senthil
Forum Newbie
Posts: 12
Joined: Wed Jan 15, 2003 6:42 pm


Post by senthil »

Hi,

My client wants me to create an admin page for him, which should display all the user accounts along with a checkbox, with a delete option. And this page should be displayed only if the user is admin. (I have an auto delete scheduler, but he wants this option so he can delete some users manually.)

As you can see, the issue is: if any user gets the admin username and password, he can log in and delete all the users.

So, I created a separate page for admin login. The home page has a link for the users' login page, login.php. Now I have created adminlogin.php. There is no link in the website that points to this page. So, one has to know the specific URL, in addition to the admin username and password, to enter and delete all the information.

I'm wondering whether this is sufficient or not? Or is it a good idea to have this sort of page? Or is there any other way to do this?

Thank you
senthil
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

Well, I would rename the file to something other than "adminlogin.php". For example, do something like "lsadfjklasdjlfjlskdfsdf_aLogin.php", where it's impossible to guess the file's name.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

But the administrator is responsible for choosing a good password. Without that you can make the login as secure as you want, it's void ;)
For example you can force a minimum length and the appearance of certain characters (len: 8+ chars, at least 1 digit, 1 non-alphanum char [,;!$%...]).
Let the script disable transid support and set the session lifetime to 0 (until browser is closed) via ini_set.
Whether it is worth using https or not is up to you.
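As an added example (not code from the thread or from either poster), here is how the advice above translates into PHP: the password policy volka describes, the session settings applied via ini_set() before session_start(), and an admin check driven by a server-side role flag rather than by an unguessable file name. The function names and the `is_admin` session key are assumptions.

```php
<?php
// Added example, not from the thread. Function names and the
// $_SESSION['is_admin'] key are assumptions; ini directives are real PHP ones.

// Returns a list of policy violations; an empty array means the password passes
// (8+ chars, at least one digit, at least one non-alphanumeric character).
function password_policy_violations(string $password): array
{
    $problems = [];
    if (strlen($password) < 8) {
        $problems[] = 'must be at least 8 characters';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'must contain at least one digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'must contain at least one non-alphanumeric character';
    }
    return $problems;
}

// Session settings mentioned in the thread, applied before session_start():
// no session id in URLs (transid) and a cookie that lives only until the
// browser closes (lifetime 0). HttpOnly keeps the cookie away from scripts.
function start_hardened_session(): void
{
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Authorisation comes from the role recorded server-side at login, not from
// knowing the page's file name: every admin-only page calls this first.
function require_admin(): void
{
    if (!isset($_SESSION['is_admin']) || $_SESSION['is_admin'] !== true) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed demo input showing which candidates the policy rejects and why.
foreach (['secret', 'longpassword', 'Longpass1', 'Longpass1!'] as $candidate) {
    $v = password_policy_violations($candidate);
    printf("%-12s %s\n", $candidate, $v ? implode('; ', $v) : 'OK');
}
```

Only the last candidate passes all three rules; the file-name obscurity the earlier reply suggests adds nothing once require_admin() gates the page.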