December 23rd, 2012, 08:23 AM
Custom PHP Admin Section
Hi, I am in the middle of developing (using Codeigniter) a site at the moment and it requires a complex Admin section so that staff can manage various things on the site.
I am looking for some advice on how I can make the Admin as secure as possible because, like any other site, if someone gains access to the admin section then they could destroy the site in a matter of seconds.
I was thinking of doing the following:
01 - setting the admin section up on a sub directory such as adm1nistrat0r.website.com
02 - securing the admin section with a login section before the admin pages can be accessed
03 - securing the directory with htaccess
Can anyone recommend any other methods that I could use? Thanks in advance for your help...
December 23rd, 2012, 09:07 AM
#1maybe place the files for the admin section outside of the webroot. In case something goes wrong on the server and your php is outputted as plaintext, I heared this could potentially happen
#2use a ssl certificate
#3 bind the admin to certain ip's (whitelist)
Last edited by aeternus; December 23rd, 2012 at 09:14 AM.
December 23rd, 2012, 09:46 AM
yeah, you should definitely use TLS/SSL. In addition to that:
- use strong password hashes with salts, not something like MD5; you can use the PHPass library, for example
- tell the admins to use strong and unique passwords; they can generate and store them with KeePass
- for very critical admin actions, require the user to re-enter his password to prevent session stealing and CSRF
- use form tokens to prevent CSRF (see the link above)
If you don't make any "stupid" mistake, this should be a pretty solid authentication.