  1. #1
    Senior Coder durangod's Avatar
    Join Date
    Nov 2010
    Location
    East Texas USA
    Posts
    2,187
    Thanks
    368
    Thanked 58 Times in 56 Posts

    Securing Admin Console

    I have my script written so far to only show the admin console link in the footer only if the user is logged in and only if the user is an admin, that all works great.

    It will kick them out if they try to manually enter the link and they are not logged in or pass the test when that page loads.

    Now for the next step, if they pass those tests and get to the admin console page, is there any reason to revalidate them with another username and password? Is it just as secure to either send them a code via their email or text message for them to verify, or even add a 2FA (2 Factor Auth) code to work with the 2FA phone app? I use the 2FA phone app and I really like it.

    I am trying to be security conscious but also not be security abusive, if that makes sense. When an admin needs to get into the panel they probably need to do so rather quickly to get something done, and to make it just a bit easier for them I am considering doing away with another username/PW combo as they already logged in once.

    Thoughts?
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  2. #2
    Senior Coder djm0219's Avatar
    Join Date
    Aug 2003
    Location
    North Carolina
    Posts
    1,556
    Thanks
    5
    Thanked 247 Times in 244 Posts
    Personally I would consider them having logged in as good enough and not make them provide additional credentials. Unless you are securing nuclear launch codes or something similarly sensitive it's likely just going to make people unhappy and frustrated when all they want to do is get their job done.
    Dave .... HostMonster for all of your hosting needs

  3. #3
    Senior Coder durangod's Avatar
    Join Date
    Nov 2010
    Location
    East Texas USA
    Posts
    2,187
    Thanks
    368
    Thanked 58 Times in 56 Posts
    Thanks djm0219, and good to see you and that you're still hanging out and helping.

    So I have a flag (field) in the users table that flags them if they are admin; it's an ENUM 0,1 with 1 being an admin. During the original install the flag is set for the main admin, and after that a flag is only set by the main admin for any others they want to be admins as well.

    So how it will work is that when the admin logs in they can see the admin console link at the bottom of the page. What you're saying is that they should be able to just click that and go right into admin and get stuff done, is that correct?
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  4. #4
    Senior Coder djm0219's Avatar
    Join Date
    Aug 2003
    Location
    North Carolina
    Posts
    1,556
    Thanks
    5
    Thanked 247 Times in 244 Posts
    Yes, I do something similar in several applications I've developed. The latest one allows the first admin to make others admins and take away their admin rights, but specifically excludes the current admin from taking away their own rights (to avoid the situation of there being no admins defined at all).

    In my "controller" I use
    PHP Code:
    define('IS_ADMIN', 1);
    if a person is an admin, and that is used in conjunction with a function, also defined in the controller, named AdminCheck. On any page that is for admins only I use
    PHP Code:
    AdminCheck();  // only available to admin users - will exit if not admin
    to make sure that the person is authorized for the page.

    PHP Code:
    function AdminCheck() {

        if (defined('IS_ADMIN')) { return; }  // person is logged in and is an admin

        echo '<div style="margin-top: 150px;">
              <a class="fauxbutton" href="?page=696" onclick="return true;" title="Continue">Continue</a>
              </div>';

        exit;  // dead stop right here

    }  // end of the AdminCheck function
    Dave .... HostMonster for all of your hosting needs

  5. Users who have thanked djm0219 for this post:

    durangod (Jun 14th, 2019)
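As an added example (not code from djm0219 or durangod, and not from any project either of them describes), here is the same kind of admin gate built around the session and the `is_admin` ENUM flag from post #3 instead of a constant defined by the controller. It assumes a PDO connection in `$pdo`, a `users` table with `id` and `is_admin` columns, and that login stores the user's id in `$_SESSION['user_id']`; the function names (`admin_check`, `is_current_user_admin`, `require_recent_auth`), the `?page=reauth` / `?page=home` URLs and the 10-minute window are all assumptions made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes: $pdo is a PDO connection,
// users(id, is_admin ENUM('0','1')) as described in post #3, and login stores
// the user id in $_SESSION['user_id']. All function names and URLs below are
// hypothetical.

declare(strict_types=1);

// Assumption: how long a password/2FA re-check stays valid for sensitive actions.
const REAUTH_WINDOW_SECONDS = 600;

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

/**
 * True only when the session belongs to a logged-in user whose is_admin flag
 * is still '1' in the database right now. Re-reading the flag on every admin
 * page means an admin whose flag was cleared by the main admin loses access
 * immediately, rather than keeping it until their session expires.
 */
function is_current_user_admin(PDO $pdo): bool
{
    start_session_once();
    if (empty($_SESSION['user_id'])) {
        return false; // not logged in at all
    }
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // ENUM values come back from PDO as strings, so compare against '1'.
    return $row !== false && (string) $row['is_admin'] === '1';
}

/**
 * Gate for admin-only pages: same role as AdminCheck() in post #4, but the
 * decision is taken from the session and the database, so a page cannot be
 * reached just because some code path happened to define a constant.
 */
function admin_check(PDO $pdo): void
{
    if (is_current_user_admin($pdo)) {
        return;
    }
    http_response_code(403);
    echo '<p>Not authorized. <a href="?page=home">Continue</a></p>';
    exit; // dead stop, as in the original
}

/**
 * Optional step-up for irreversible admin actions (deleting users, changing
 * another admin's flag): require that the admin re-entered their password or
 * 2FA code within REAUTH_WINDOW_SECONDS. Login and the re-auth form are
 * assumed to set $_SESSION['auth_time'] = time() after a successful check.
 * Ordinary admin pages would not call this, which keeps the "just click the
 * link" flow the thread settles on for everyday work.
 */
function require_recent_auth(): void
{
    start_session_once();
    $last = (int) ($_SESSION['auth_time'] ?? 0);
    if (time() - $last > REAUTH_WINDOW_SECONDS) {
        $return = urlencode($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ?page=reauth&return=' . $return);
        exit;
    }
}

// Usage on an admin page (hypothetical):
// admin_check($pdo);        // every admin-only page
// require_recent_auth();    // only on pages that do something irreversible
```

Two design choices worth noting: the admin flag is checked against the database on each request rather than cached in the session, so revoking an admin takes effect at once, and the re-authentication step is scoped to destructive actions only, which is the middle ground between "no second check at all" and "a second login for every admin page" that the thread is weighing.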

  6. #5
    Senior Coder durangod's Avatar
    Join Date
    Nov 2010
    Location
    East Texas USA
    Posts
    2,187
    Thanks
    368
    Thanked 58 Times in 56 Posts
    Thanks djm, this is the first time I have decided to back off on over-authorization so I just wanted to clarify. Thanks for the replies.
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave
