#1
    File Location for admin login files


    Where should the files for an Admin login system be located for the best security? I have been struggling to grasp the security side of the logins. Every site I look at seems to be so different that I am just about to give up.

    I decided to scrap Adam's script for a newer script. I am going to go with the "How to program a basic but secure login system using PHP and MySQL" tutorial and use similar code. The question that I have is where should these files actually reside? I am going to have a folder named storeadmin that will house the admin side of the website. Do I need a scripts folder to place the login files in or do I place them in the same folder as the index.php?

    On a side note, I tried to email the poster of the tutorial and I was redirected to a page denying my request. Is that due to something I have done?
  2. #2
    Hi,

    the location of the script is irrelevant with regard to security. I mean, modern frameworks don't even have a separate script for each page.

    If you use the classical approach, however, it does make sense to put all scripts in an "admin" folder to emphasize that these functionalities have to be carefully secured.

    As to the "secure login" tutorial: It's a good reference, but you should replace the hash algorithm with PHPass. Inventing your own algorithm isn't really a good idea, because you (usually) don't have experts and a big community to review and test it. So it's better to go with an established and well-tested solution like PHPass, which has actually proven itself on big sites.
  4. #3
    If you're using a database, I've heard that placing the database connection script files with the db pw and username outside of your root directory helps stop people who want to download your entire site with 3rd party tools and gain access to your passwords.
    -- Success achieved from tribulation --
  6. #4

    yes


    Currently I use a connect_to_mysql.php and I have it in a folder separate from the root folder.

    PHP Code:
    Root folder (www)
       |
       |----- script folder
       |           |--------- connect_to_mysql.php
       |
       |----- admin folder
       |           |
       |           |------- styles folder
       |           |
       |           |-- index.php
       |           |-- admin_login.php

    Is that secure enough? If so, what chmod does folder and files need?
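
The layout question from this thread as a runnable check. This is an added example, not code posted by any participant. It rebuilds the tree drawn in post #4 in a temporary directory (constructed sample files) and reports whether the credentials file resolves inside the document root and whether its mode is open to other local users. The function names are made up for this sketch, and the 600 mode assumes PHP runs as the file's owner.

```shell
#!/bin/sh
# Added example: audit where a DB credentials file sits relative to the web root.

# Print the absolute path of a file, with its directory resolved through symlinks.
canon() {
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Succeed if file $2 resolves to a location inside document root $1.
inside_docroot() {
    root=$(cd "$1" && pwd -P) || return 2
    case "$(canon "$2")" in
        "$root"/*) return 0 ;;   # trailing slash: a sibling like www2 does not match
        *)         return 1 ;;
    esac
}

# Succeed if "other" users can read or write the file (mode bits only).
open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -0004 -o -perm -0002 \))" ]
}

# Print one finding per line for credentials file $2 under document root $1.
audit() {
    if inside_docroot "$1" "$2"; then
        echo "WEB-REACHABLE: $2 is inside the document root"
    fi
    if open_to_others "$2"; then
        echo "LOOSE-MODE: $2 is readable or writable by other local users"
    fi
}

# Constructed sample tree mirroring post #4, plus an alternative where the
# credentials file sits beside (not under) the document root.
base=$(mktemp -d)
trap 'rm -rf "$base"' EXIT
mkdir -p "$base/www/script" "$base/www/admin/styles" "$base/private"
touch "$base/www/admin/index.php" "$base/www/admin/admin_login.php"
touch "$base/www/script/connect_to_mysql.php" "$base/private/connect_to_mysql.php"
chmod 644 "$base/www/script/connect_to_mysql.php"
chmod 600 "$base/private/connect_to_mysql.php"   # assumption: PHP runs as the owner

echo "== layout as drawn in post #4 =="
audit "$base/www" "$base/www/script/connect_to_mysql.php"
echo "== credentials file moved out of www =="
audit "$base/www" "$base/private/connect_to_mysql.php"
```

With the file outside `www`, `admin_login.php` would include it by filesystem path, so it never needs a URL of its own.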
