#1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2011
    Posts
    198
    Rep Power
    4

    Custom PHP Admin Section


    Hi, I am in the middle of developing (using Codeigniter) a site at the moment and it requires a complex Admin section so that staff can manage various things on the site.

    I am looking for some advice on how I can make the Admin as secure as possible because, like any other site, if someone gains access to the admin section then they could destroy the site in a matter of seconds.

    I was thinking of doing the following:

    01 - setting the admin section up on a subdirectory such as adm1nistrat0r.website.com
    02 - securing the admin section with a login section before the admin pages can be accessed
    03 - securing the directory with htaccess

    Can anyone recommend any other methods that I could use? Thanks in advance for your help...
  #2
    For POny!
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2012
    Location
    Amsterdam
    Posts
    416
    Rep Power
    115
    #1 maybe place the files for the admin section outside of the webroot. In case something goes wrong on the server and your PHP is output as plaintext; I heard this could potentially happen.
    #2 use an SSL certificate
    #3 bind the admin to certain IPs (whitelist)
    Last edited by aeternus; December 23rd, 2012 at 09:14 AM.
  #3
    --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    yeah, you should definitely use TLS/SSL. In addition to that:
    • use strong password hashes with salts, not something like MD5; you can use the PHPass library, for example
    • tell the admins to use strong and unique passwords; they can generate and store them with KeePass
    • for very critical admin actions, require the user to re-enter his password to prevent session stealing and CSRF
    • use form tokens to prevent CSRF (see the link above)


    If you don't make any "stupid" mistake, this should be a pretty solid authentication.
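
An added example, not code from the thread or from CodeIgniter, showing the last three points of this post (salted slow hashing, form tokens against CSRF, re-entering the password for critical actions) in plain PHP; it assumes PHP 7.1 or later with a session already started by the login code, and the `$admin['password_hash']` lookup in the usage comment is a placeholder.

```php
<?php
// Added example (not from the thread): CSRF form token plus re-authentication
// for critical admin actions, using only PHP's standard library. Assumes
// PHP >= 7.1 and a session already started by the login code.

// Issue a per-session CSRF token; embed it as a hidden field in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the submitted token in constant time; reject the request on mismatch.
function csrf_check(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Salted, slow password hashing (bcrypt) instead of MD5; the salt is embedded
// in the returned hash string, so only this one value is stored per admin.
function hash_admin_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Critical actions (delete user, change permissions, ...) require the admin to
// re-enter the password, so a stolen session cookie alone is not enough.
function authorize_critical_action(array $post, string $stored_hash): bool
{
    if (!csrf_check($post['csrf_token'] ?? null)) {
        return false;                 // missing or forged form token
    }
    return password_verify($post['password'] ?? '', $stored_hash);
}

// Usage in a controller action (constructed; $admin lookup is a placeholder):
// if (!authorize_critical_action($_POST, $admin['password_hash'])) {
//     http_response_code(403);
//     exit('Re-authentication failed');
// }
// ... perform the destructive action, then rotate the token:
// unset($_SESSION['csrf_token']);
```

Rotating the token after each critical action keeps a token leaked from one form from being replayed against the next.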
