
hidden admin area

Posted: Tue Nov 15, 2005 5:39 pm
by bredoteau
Hi there,

this is maybe not a real php code question, but... I have coded an online shop with an admin area.
The shop itself is secured, but the admin area is not at all. It is just in some other folder.

-> is it likely that hackers will find the folder if I put it to some location like lnfduj38834kdbuHFGH/dkfk6/admin.php ?? The folders are usually not viewable because each folder has an index.html file (is that a real security? Does it prevent ppl from browsing the folders??)
The admin area not only controls the shop functions, but also can reveal sensitive customer information.

Any way to simply keep out all ppl instead of fixing every single problem individually?


Thanks for the help!

Posted: Tue Nov 15, 2005 5:42 pm
by Zoxive
Why don't you make it some random folder, AND have it passworded?

You could make your own login thing, or for even more security, use .htaccess for the whole folder...

-NSF

Posted: Tue Nov 15, 2005 5:45 pm
by timvw
As soon as an admin surfs to a different site, there is a chance his browser will pass a HTTP_REFERRER header..

The simplest/fastest/laziest solution would be to use http://www.apacheweek.com/features/userauth.
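What Zoxive and timvw are recommending, as an added example of an `.htaccess` file for the admin folder (this is not configuration from the thread or from the poster's shop). It assumes Apache httpd with mod_auth_basic, mod_authn_file and mod_ssl loaded and `AllowOverride AuthConfig Options` set in the virtual host; the paths are hypothetical. It also answers the index.html question from the first post: an empty index.html only hides the listing of the one folder it sits in, whereas `Options -Indexes` turns listings off for the whole tree.

```apache
# .htaccess placed in the admin folder -- added example, not from the thread.
# Assumes: Apache with mod_auth_basic, mod_authn_file, mod_ssl;
#          AllowOverride AuthConfig Options in the vhost; hypothetical paths.

# Turn off automatic directory listings for this folder and everything below it.
Options -Indexes

# Refuse any request that did not arrive over TLS. Basic auth only
# base64-encodes the credentials, so without HTTPS they are readable on the wire.
SSLRequireSSL

# Demand a username and password for every file in this tree.
AuthType Basic
AuthName "Shop administration"
# The password file lives outside the document root so it can never be fetched
# through the web server.
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

The password file is created once with Apache's own `htpasswd` tool (`htpasswd -c /var/www/private/.htpasswd shopadmin`); with this in place the unguessable folder name becomes a harmless extra rather than the only thing standing between the internet and the customer data.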

Posted: Tue Nov 15, 2005 8:34 pm
by Ambush Commander
I don't think putting the admin cp in a random folder gives that much of a benefit. Just make sure you have strong passwords.

Posted: Thu Nov 17, 2005 12:47 am
by AGISB
Always avoid security by obscurity.

It would be so easy to protect the folder either by .htaccess

Posted: Thu Nov 17, 2005 12:52 am
by RobertGonzalez
Strong passwords, super-picky authentication and login name validation, short term sessions and limited secure data viewing are a decent place to start. I have developed admin areas that require upward of eight different validation steps before ever checking the database for an account. I have also developed areas that do not show critical information fully so that even if someone managed to get into the admin area they would only be able to get their hands on partial information.

Of course, these are all script-side prevention measures. There are so many other ways that hackers could break in, it is sick. But you at least want to make it difficult for them to get in through the front door.
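The layered checks RobertGonzalez describes (validated login names, hashed credentials, short-lived sessions, partial display of sensitive data), written out as an added PHP example that is not code from the thread or from anyone's shop. It assumes PHP 5.5 or later for `password_hash()`/`password_verify()` and that the admin folder is served only over HTTPS; `ADMIN_COOKIE_PATH`, `ADMIN_LOGIN_URL` and the account array are assumptions, and the sample account is constructed data.

```php
<?php
// admin_guard.php -- example added to this thread, not code from the original
// post or from any poster's shop. Include it at the top of every admin script.
// Assumes PHP >= 5.5 (password_hash/password_verify) and an HTTPS-only admin
// folder; the constants below and the sample account are hypothetical.

define('ADMIN_IDLE_TIMEOUT', 900);        // seconds: short-lived admin sessions
define('ADMIN_COOKIE_PATH', '/admin/');   // hypothetical location of the admin folder
define('ADMIN_LOGIN_URL', '/admin/login.php');

// Only the hash is ever stored; a leaked account table does not leak passwords.
function make_account_store(array $plain) {
    $store = array();
    foreach ($plain as $user => $password) {
        $store[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $store;
}

// Whitelist the login name before it touches anything else.
function valid_username($user) {
    return is_string($user) && preg_match('/^[a-z][a-z0-9_]{2,31}$/', $user) === 1;
}

// Verify credentials. Unknown users still run password_verify() against a dummy
// hash so the response time does not reveal which account names exist.
function check_login(array $store, $user, $password) {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    }
    if (!valid_username($user) || !is_string($password)) {
        return false;
    }
    $hash = isset($store[$user]) ? $store[$user] : $dummy;
    $ok = password_verify($password, $hash);
    return $ok && isset($store[$user]);
}

// An admin session is valid only if a login created it and it has been used
// within ADMIN_IDLE_TIMEOUT seconds. Refreshes the timestamp on success and
// clears the login on expiry.
function session_is_fresh(array &$session, $now) {
    if (empty($session['admin_user']) || !isset($session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > ADMIN_IDLE_TIMEOUT) {
        unset($session['admin_user'], $session['last_seen']);
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Partial display of customer data: a compromised admin screen yields less.
function mask_card($pan) {
    $digits = preg_replace('/\D/', '', $pan);
    $keep = 4;
    if (strlen($digits) <= $keep) {
        return str_repeat('*', strlen($digits));
    }
    return str_repeat('*', strlen($digits) - $keep) . substr($digits, -$keep);
}

function mask_email($email) {
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return '***';
    }
    return substr($email, 0, 1) . '***' . substr($email, $at);
}

// Gate for every admin page: hardened session cookie, then freshness check.
function require_admin() {
    // lifetime 0 = browser-session cookie; secure = true, httponly = true
    session_set_cookie_params(0, ADMIN_COOKIE_PATH, '', true, true);
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        session_destroy();
        header('Location: ' . ADMIN_LOGIN_URL);
        exit;
    }
}

// Stand-alone demonstration when run from the command line (php admin_guard.php).
if (PHP_SAPI === 'cli') {
    $store = make_account_store(array('shopadmin' => 'correct horse battery staple'));
    var_dump(check_login($store, 'shopadmin', 'correct horse battery staple'));
    var_dump(check_login($store, 'shopadmin', 'wrong password'));
    var_dump(check_login($store, 'bad name!', 'irrelevant'));
    $session = array('admin_user' => 'shopadmin', 'last_seen' => time() - 2000);
    var_dump(session_is_fresh($session, time()));   // idle longer than the timeout
    echo mask_card('4111 1111 1111 1111'), "\n";
    echo mask_email('jane.doe@example.com'), "\n";
}
```

The guard sits in front of the application checks rather than replacing the web-server layer: with `.htaccess` authentication on the folder and `require_admin()` in every script, an attacker has to pass two independent gates, and even a successful login sees masked card numbers and addresses instead of the full record.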