hidden admin area

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

hidden admin area

Post by bredoteau »

Hi there,

this is maybe not a real php code question, but... I have coded an online shop with an admin area.
The shop itself is secured, but the admin area is not at all. It is just in some other folder.

-> is it likely that hackers will find the folder if I put it in some location like lnfduj38834kdbuHFGH/dkfk6/admin.php ?? The folders are usually not viewable because each folder has an index.html file (is that real security? Does it prevent ppl from browsing the folders??)
The admin area not only controls the shop functions, but also can reveal sensitive customer information.

Any way to simply keep out all ppl instead of fixing every single problem individually?


Thanks for the help!
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

Why don't you make it some random folder, AND have it passworded?

You could make your own login thing, or for even more security, use .htaccess for the whole folder...

-NSF
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

As soon as an admin surfs to a different site, there is a chance his browser will pass a HTTP_REFERRER header..

The simplest/fastest/laziest solution would be to use http://www.apacheweek.com/features/userauth.
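What the .htaccess approach from the replies above looks like in practice, as an added example that is not from any poster in this thread. It assumes Apache with mod_auth_basic and mod_authz_core/mod_authz_user loaded, that `AllowOverride AuthConfig Options` is enabled for the shop's document root, and that the password file lives at the hypothetical path `/var/www/private/.htpasswd`, outside the web root so it can never be downloaded:

```apache
# Added example: .htaccess placed inside the admin directory itself.
# Every request under this directory must carry valid Basic credentials.
AuthType Basic
AuthName "Shop administration"
AuthBasicProvider file
AuthUserFile /var/www/private/.htpasswd   # hypothetical path, keep it OUTSIDE the document root
Require valid-user

# Directory listings are a server setting, not something an index.html file
# controls. Turn them off explicitly so no folder can be browsed even if an
# index.html is missing.
Options -Indexes

# The admin URL can leak through the Referer header when an admin follows a
# link to another site. Tell browsers not to send it (needs mod_headers).
<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer"
</IfModule>
```

Create the password file once with `htpasswd -c /var/www/private/.htpasswd adminuser` (drop `-c` when adding further users). Basic auth sends the credentials, merely base64-encoded, with every request, so this only holds up when the admin area is served over HTTPS. It also does not replace the shop's own login: it is an extra gate in front of it, so a bug in admin.php still sits behind a second password.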
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I don't think putting the admin cp in a random folder gives that much of a benefit. Just make sure you have strong passwords.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Always avoid security by obscurity.

It would be so easy to protect the folder either by .htaccess
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Strong passwords, super-picky authentication and login name validation, short-term sessions and limited secure data viewing are a decent place to start. I have developed admin areas that require upward of eight different validation steps before ever checking the database for an account. I have also developed areas that do not show critical information fully, so that even if someone managed to get into the admin area they would only be able to get their hands on partial information.

Of course these are all script-side prevention measures. There are so many other ways that hackers could break in it is sick. But you at least want to make it difficult for them to get in through the front door.
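The script-side measures described in the post above (short-term sessions, login validation, showing only partial sensitive data) as an added PHP example; this is not code from any poster or from the original shop. The file name `admin_gate.php`, the redirect target `/admin-login.php`, the in-memory `$ADMIN_USERS` table and the ten-minute idle limit are all assumptions made for the example; a real shop would load the account from its database. The array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example: admin_gate.php, included at the top of every admin script
// with  require_once 'admin_gate.php';  before any output is sent.
declare(strict_types=1);

const ADMIN_IDLE_LIMIT = 600; // seconds of inactivity before forced re-login (assumed value)

// Hypothetical account table. Hashes come from password_hash(); a real shop
// would read this from the database instead.
$ADMIN_USERS = [
    'shopadmin' => '$2y$10$placeholderhashreplaceme',
];

// Validate the login name before touching any account store: a tight
// whitelist keeps junk and injection attempts out of the lookup entirely.
function isValidAdminLogin(string $name): bool
{
    return (bool) preg_match('/^[a-z][a-z0-9_]{2,31}$/', $name);
}

// Check a submitted username/password pair against the account table.
// Returns the admin id on success, null otherwise. password_verify() is
// constant-time, and we always run it so a missing user costs the same time.
function authenticateAdmin(string $name, string $password, array $users): ?string
{
    if (!isValidAdminLogin($name)) {
        return null;
    }
    $hash = $users[$name] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash) && isset($users[$name]);
    return $ok ? $name : null;
}

// A session is only valid if it was established by a login and has been
// used within the idle limit. Short sessions limit what a stolen cookie buys.
function adminSessionIsValid(array $session, int $now, int $limit = ADMIN_IDLE_LIMIT): bool
{
    if (empty($session['admin_id']) || !isset($session['last_seen'])) {
        return false;
    }
    return ($now - (int) $session['last_seen']) <= $limit;
}

// Partial display of sensitive fields: even someone who gets into the admin
// area only sees the tail of a card number and a masked e-mail address.
function maskCardNumber(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) <= 4) {
        return str_repeat('*', strlen($digits));
    }
    return str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
}

function maskEmail(string $email): string
{
    $at = strpos($email, '@');
    if ($at === false || $at === 0) {
        return '***';
    }
    return substr($email, 0, 1) . str_repeat('*', $at - 1) . substr($email, $at);
}

// --- Gate: runs on every include -------------------------------------------
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params([
        'httponly' => true,   // keep the cookie away from script access
        'secure'   => true,   // only over HTTPS
        'samesite' => 'Strict',
    ]);
    session_name('shopadmin'); // separate cookie from the customer-facing shop
    session_start();

    if (!adminSessionIsValid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: /admin-login.php', true, 303); // assumed login page
        exit;
    }
    $_SESSION['last_seen'] = time();

    // Rotate the session id a few times an hour so a leaked id goes stale.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > 300) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
}
```

The login script (not shown) calls `authenticateAdmin()` and, on success, sets `$_SESSION['admin_id']` and `$_SESSION['last_seen']` after `session_regenerate_id(true)`; every other admin page just includes the gate. Pair this with the .htaccess password on the directory so that the PHP login is the second lock, not the only one.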