Hi,
I've got a bit of a problem I could do with advice on. Basically I have 5 websites with 5 separate admin panels; however, the code for these admin panels is the same for all 5. Basically the sites are the same, just rebranded and carrying different products. If I knew then what I do now I may not have done it this way; however, we deal with what we have...
Anyway, on top of this I need to create a "master" admin panel. What I'd like to do is be able to log in to the master admin panel, click a link for, say, "Site A Admin" and be logged in and redirected to that site. Does that make sense?
Global Admin
With links to
- Site A Admin
- Site B Admin
- Site C Admin
- Site D Admin
- Site E Admin
(Click any sub site link to be logged in and redirected to that admin panel)
I think the most secure way of doing this would be to generate some kind of one-time login code for each site, so if the code is ever found out by an unauthorised user it would no longer be valid. However, if anyone has a better suggestion I'd like to hear it (other than "don't do it!").
I suppose the best solution to this problem would be to rewrite the sites from the ground up to use one global database and one admin panel. However, time constraints mean this really isn't an option, as it could take months.
Any advice you can give will be really appreciated.
Thanks
Remote Login For Multiple Sites
- deadoralive
- Forum Commoner
- Posts: 28
- Joined: Tue Nov 06, 2007 1:24 pm
Re: Remote Login For Multiple Sites
If the databases are on one machine, make the global admin connect to all five of them.
If these are remote machines (from the global admin's point of view) and you would be doing it only for one admin account (i.e. you won't mind a bit of server strain, which is far from being a problem unless it happens with many users simultaneously, which I assume is not the case here), you can just simulate the five login processes with curl and let the user hijack the sessions by giving him links containing valid session IDs for all sites.
For this to work, you must have no IP checks, and configure PHP to accept SIDs in the URL.
- deadoralive
- Forum Commoner
- Posts: 28
- Joined: Tue Nov 06, 2007 1:24 pm
Re: Remote Login For Multiple Sites
Thanks for the reply. The websites are all currently on one machine; however, this may or may not be the case for much longer. Your assumptions were correct: one user account and one person (maybe 2) using the global admin panel at any one time.
What I've ended up doing is similar to what you described.
1. The user clicks a link to open one of the sub admin panels.
2. cURL is used to POST a specific username/password from the global site to the sub-site clicked.
3. If the username/password is valid, the sub-site generates and returns a login key, and stores this in its own database against the user logging in.
4. Finally the user is redirected to the site with the login key. The user is then logged in, and the login key is erased.
As an added precaution the sub-sites check the $_SERVER['REMOTE_ADDR'] variable to make sure the remote login request is coming from the server hosting the global admin panel (currently the same machine, however as stated this may not always be the case).
What do you think, how secure (or not) is this?
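The flow above (cURL POSTs the credentials to a dedicated endpoint, the sub-site answers with a one-time key, the browser is redirected with the key, the key is erased on use, and the issuing endpoint checks REMOTE_ADDR) and the curl-driven login from the earlier reply, written out as an added example. This is not the poster's code. Assumed names: the sub-site exposes remote_login.php (issues a key) and remote_login_consume.php (redeems it), both sites use PDO, and the sub-site has tables admins(username, password_hash) and remote_login_keys(key_hash, username, expires_at).

```php
<?php
// Added example, not the original poster's code. Endpoint, table and column
// names are assumptions (see the lead-in).

// ---- Global admin side (step 2): POST credentials to the sub-site via cURL ----
function requestRemoteLoginUrl(string $subSiteBase, string $username, string $password): string
{
    $ch = curl_init($subSiteBase . '/remote_login.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['username' => $username, 'password' => $password]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true, // once the sites are on separate hosts, use https and keep this on
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException('remote login request failed');
    }
    $data = json_decode($body, true);
    $key  = is_array($data) ? ($data['key'] ?? null) : null;
    if (!is_string($key) || !preg_match('/^[0-9a-f]{64}$/', $key)) {
        throw new RuntimeException('sub-site returned no login key');
    }
    // Step 4: the browser is redirected here; the key is only ever valid once.
    return $subSiteBase . '/remote_login_consume.php?key=' . urlencode($key);
}

// ---- Sub-site side (step 3): verify credentials and issue a one-time key ----
function issueRemoteLoginKey(PDO $db, array $post, string $remoteAddr, array $allowedAddrs): ?string
{
    // The poster's REMOTE_ADDR check: only the global admin host may call this page.
    // Behind a reverse proxy REMOTE_ADDR is the proxy's address, not the caller's.
    if (!in_array($remoteAddr, $allowedAddrs, true)) {
        return null;
    }
    $username = (string)($post['username'] ?? '');
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify((string)($post['password'] ?? ''), $hash)) {
        return null;
    }
    $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG: not guessable, not time-derived
    // Store only a hash of the key so a leaked table row cannot be replayed as a login.
    $stmt = $db->prepare('INSERT INTO remote_login_keys (key_hash, username, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $key), $username, time() + 60]); // short TTL: the redirect follows at once
    return $key;
}

// ---- Sub-site side (step 4): redeem the key exactly once ----
function consumeRemoteLoginKey(PDO $db, string $key): ?string
{
    $keyHash = hash('sha256', $key);
    $stmt = $db->prepare('SELECT username FROM remote_login_keys WHERE key_hash = ? AND expires_at > ?');
    $stmt->execute([$keyHash, time()]);
    $username = $stmt->fetchColumn();
    if ($username === false) {
        return null; // unknown, expired or already-erased key
    }
    // Erase the key before logging in. If two requests race on the same key,
    // only one DELETE reports a removed row, so only one of them gets a session.
    $stmt = $db->prepare('DELETE FROM remote_login_keys WHERE key_hash = ?');
    $stmt->execute([$keyHash]);
    return $stmt->rowCount() === 1 ? $username : null;
}

// Request handling for remote_login.php on the sub-site.
function handleIssueRequest(PDO $db): void
{
    $allowed = ['203.0.113.10']; // assumed address of the global admin host; 127.0.0.1 while co-located
    $key = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        ? issueRemoteLoginKey($db, $_POST, $_SERVER['REMOTE_ADDR'] ?? '', $allowed)
        : null;
    if ($key === null) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(['key' => $key]);
}

// Request handling for remote_login_consume.php on the sub-site.
function handleConsumeRequest(PDO $db): void
{
    $username = consumeRemoteLoginKey($db, (string)($_GET['key'] ?? ''));
    if ($username === null) {
        http_response_code(403);
        exit;
    }
    session_start();
    session_regenerate_id(true); // fresh session ID; nothing from before the hand-off is kept
    $_SESSION['admin_user'] = $username;
    header('Location: /admin/index.php');
    exit;
}
```

Two caveats worth keeping in mind with this shape. The key travels in a query string, so it will appear in the sub-site's access log and in any Referer header the consume page leaks; the single use plus the short expiry is what makes that acceptable, so the consume page should redirect straight away and never render the key. And the plain-text password in step 2 is fine while both sites share a host, but the moment they are split it must go over TLS, which is why the cURL call leaves certificate verification switched on.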
Re: Remote Login For Multiple Sites
Looks good to me; as you said, it's nearly what I proposed (only instead of the built-in sessions mechanism you generate your own key). Additionally, you can make curl post to a different page, made especially for that purpose, rather than the regular login form (although, as I reread your post, maybe this is what you have done). In that way an additional obscurity layer is added between the attacker and the backend.
- deadoralive
- Forum Commoner
- Posts: 28
- Joined: Tue Nov 06, 2007 1:24 pm
Re: Remote Login For Multiple Sites
Yes, the remote login page is completely separate from the normal login page, as it works slightly differently.
Thanks for your help with this. It's the first time I've run into a situation such as this and wanted a second opinion to make sure I'm doing things securely.
Cheers