January 23rd, 2013, 02:25 AM
File Location for admin login files
Where should the files for an Admin login system be located for the best security? I have been struggling to grasp the security side of the logins. Every site I look at seems to be so different that I am just about to give up.
I decided to scrap Adam's script for a newer script. I am going to go with the "How to program a basic but secure login system using PHP and MySQL" tutorial and use similar code. The question that I have is where should these files actually reside. I am going to have a folder named storeadmin that will house the admin side of the website. Do I need a scripts folder to place the login files in, or do I place them in the same folder as the index.php?
On a side note, I tried to email the poster of the tutorial and I was redirected to a page denying my request. Is that due to something I have done?
January 23rd, 2013, 04:56 AM
The location of the script is irrelevant with regard to security. I mean, modern frameworks don't even have a separate script for each page.
If you use the classical approach, however, it does make sense to put all scripts in an "admin" folder to emphasize that these functionalities have to be carefully secured.
As to the "secure login" tutorial: It's a good reference, but you should replace the hash algorithm with PHPass. Inventing your own algorithm isn't really a good idea, because you (usually) don't have experts and a big community to review and test it. So it's better to go with an established and well-tested solution like PHPass, which has actually proven itself on big sites.
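As an added example (not code from this thread, from the tutorial being discussed, or from the PHPass library itself), the following shows the "use an established, salted, slow hash and never your own" advice in working PHP, using the built-in password_hash()/password_verify() functions, which implement the same kind of salted, iterated, cost-tunable scheme that PHPass was written to provide. The PHPass calls shown in the comment are the library's own API; the $users array, the usernames and the passwords are constructed for the example.

```php
<?php
// Added example: registration and login backed by a salted, slow, per-user hash.
// PHPass equivalent (library API, requires its PasswordHash.php):
//   $h = new PasswordHash(8, false);
//   $hash = $h->HashPassword($password);  $ok = $h->CheckPassword($password, $hash);
declare(strict_types=1);

// Constructed stand-in for the tutorial's users table: username => stored hash.
$users = [];

// Hash options. A higher cost makes every guess slower for an attacker who
// steals the table; tune it so one login takes a fraction of a second.
const HASH_OPTIONS = ['cost' => 12];

// A hash of a random string, used so that login attempts for unknown usernames
// take as long as attempts for real ones (the timing then reveals nothing).
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT, HASH_OPTIONS);

function register(array &$users, string $username, string $password): void
{
    // Store only the salted hash; the salt is generated and embedded for you.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function login(array &$users, string $dummyHash, string $username, string $password): bool
{
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummyHash;

    // password_verify() reads the algorithm, cost and salt out of the stored
    // string and compares in constant time; && $known discards a dummy match.
    $ok = password_verify($password, $stored) && $known;

    // If the server's default algorithm or cost has moved on since the hash was
    // made, transparently upgrade it while we still have the plaintext in hand.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $ok;
}

// Demonstration with constructed credentials.
register($users, 'storeadmin', 'correct horse battery staple');

var_dump(login($users, $dummyHash, 'storeadmin', 'correct horse battery staple'));
var_dump(login($users, $dummyHash, 'storeadmin', 'wrong password'));
var_dump(login($users, $dummyHash, 'nobody', 'anything'));

// The stored value carries its own algorithm id, cost and salt, so two users
// with the same password still get different hashes.
register($users, 'second', 'correct horse battery staple');
var_dump($users['storeadmin'] !== $users['second']);
```

The point of the dummy hash and the rehash step is that the hashing decision is made once, in one place, and can be tightened later without touching the rest of the login code, which is exactly what a home-grown scheme spread across a tutorial's pages makes hard.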
January 23rd, 2013, 05:41 PM
If you're using a database I've heard placing the database connection script files with the db pw and username outside of your root directory helps stop people who want to download your entire site with 3rd party tools, and gain access to your passwords.
-- Success achieved from tribulation --
January 24th, 2013, 05:24 AM
Currently I use a connect_to_msql.php and I have it in a folder separate from the root folder.
Root folder (www)
  |
  |------- styles folder
Is that secure enough? If so, what chmod do the folder and files need?
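As an added example covering both the previous reply (keep the file holding the database username and password outside the web root) and this post's layout and chmod question, the script below is not code from the thread: it builds an assumed directory layout in a temporary folder, keeps the credentials file one level above the document root (the role the poster's connect_to_msql.php plays), loads it with a path computed from the script's own location, and refuses to run if the file is readable by "other". The directory names, the db.php file name, the placeholder password and the permission values are the example's own choices, and the permission check assumes a Unix-like host where chmod is honoured.

```php
<?php
// Added example: credentials outside the document root, loaded by relative path.
// Assumed layout (constructed for the example, not the poster's exact tree):
//   <site>/config/db.php   credentials, NOT reachable by any URL
//   <site>/www/index.php   www/ is the document root the web server exposes
//   <site>/www/styles/     static files, fine to be public
declare(strict_types=1);

// Build the layout under the system temp directory so the example runs anywhere.
$site    = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
$config  = $site . '/config';
$docroot = $site . '/www';
mkdir($config, 0750, true);
mkdir($docroot . '/styles', 0755, true);
file_put_contents($docroot . '/index.php', "<?php // public entry point\n");
file_put_contents($docroot . '/styles/main.css', "body { margin: 0 }\n");

// The credentials file just returns an array. Even if it were inside www/ a
// request would execute it rather than print it, but "executed, not shown"
// is a weaker guarantee than "not reachable at all", which is why it lives
// one level up: a tool that mirrors the site only sees what is under www/.
file_put_contents($config . '/db.php', <<<'PHP'
<?php
return [
    'host' => 'localhost',
    'name' => 'store',
    'user' => 'store_app',
    'pass' => 'CHANGE-ME-placeholder',
];
PHP
);

// Permissions: the web server user must be the owner or in the group; nobody
// else on the machine (other accounts on shared hosting) gets read access.
// 0640 = owner read/write, group read, other nothing; 0750 lets the group
// traverse the directory without listing or writing it.
chmod($config . '/db.php', 0640);
chmod($config, 0750);

function loadDbConfig(string $docroot): array
{
    // dirname() climbs from www/ to the site directory, then into config/,
    // so the path works no matter where the site is deployed.
    $path = dirname($docroot) . '/config/db.php';
    if (!is_file($path)) {
        throw new RuntimeException("credentials file missing: $path");
    }
    // Refuse a world-readable credentials file rather than silently use it.
    if ((fileperms($path) & 0007) !== 0) {
        throw new RuntimeException("credentials file is world-readable: $path");
    }
    return require $path;
}

// What a script under the document root would do (stands in for index.php).
$cfg = loadDbConfig($docroot);
printf("would connect as %s@%s database %s\n", $cfg['user'], $cfg['host'], $cfg['name']);

// What a site-mirroring tool can ever fetch: only the tree under www/.
$iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS));
foreach ($iter as $file) {
    echo 'public: ', substr((string) $file, strlen($site) + 1), "\n";
}

// Clean up the temporary layout.
unlink($config . '/db.php');
unlink($docroot . '/index.php');
unlink($docroot . '/styles/main.css');
rmdir($config); rmdir($docroot . '/styles'); rmdir($docroot); rmdir($site);
```

The loader deliberately refuses rather than warns when the file is world-readable: on a shared host, a credentials file readable by every account is effectively already leaked, and a login system built on top of it cannot be "secure enough" whatever its own code does.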