This is a discussion on "CMS Security" within the Web Page Design section. This forum and the thread "CMS Security" are both part of the Design Your Website category.
CMS Security
#1
CMS Security
Hi peeps.

I've just built my first custom CMS using PHP and MySQL. I've put all the admin pages in the directory mydomain.com/cms. I'm new to web security issues, so could I get people's opinions on the best way of securing these pages:

1. From being edited by people naughty enough to want to do so?
2. From Google and other search engines indexing the pages to assist those mentioned in 1?

Thanks in advance for any suggestions.

Chris
#2
Re: CMS Security
On login, the user gets two sessions, like so:

$_SESSION['user'] = $username (from $_POST, and will be queried to log in)
$_SESSION['seskey'] = md5(rand(1000, 9999));

And the MySQL table will have at least three columns (username, password, session). When the user logs in, the random session will be put in their session and in the MySQL table. Hope you follow.
#3
Re: CMS Security
Hi Alex, cheers for the response.

Erm, I'm a little confused... So a session variable runs for the course of the session, presumably, i.e. until the user closes their browser window? I understand the principle of the username and password in a table that I can then match with the login details that are posted, but what about the session column? What does that do? The random number thing has thrown me a little too.
#4
Re: CMS Security
The purpose of the session column is that the random session is unique to the user for that period of time. Hackers can change their session to make them seem like someone else.

Example: the script checks to see what username is in the 'user' session; if it finds a match, it will show that user's private messages. So Tom comes along with a session user that will look like this:

$_SESSION['user'] = "tom";

Now if Tom were to edit this with some easy-to-find tools, he could change it to:

$_SESSION['user'] = "Frank";

giving him access to all Frank's messages. The session 'seskey' (almost) stops this.

Example 2: the same as before, except the script checks both the user session and the seskey session. So Tom is:

$_SESSION['user'] = "tom";
$_SESSION['seskey'] = "gifj87er8934uerfjdi"; // random string

The script will find the username and match it, and will find that the seskey matches the session column, granting him access to his mail. Now if Tom tried to change his session again, he could change his user session to Frank fine, but it could take him days to generate the random session to access Frank's mail. As Tom's session is:

$_SESSION['seskey'] = "gifj87er8934uerfjdi"

and Frank's could be:

$_SESSION['seskey'] = "cdjijf8574jfd84899"

or anything! Tom would have to go through every single combination until he had the right match. You cannot stop him from doing that (at least not in a way I know), but you can make him have to generate ridiculous amounts to get access.

If you follow, I will go on; else I will try and explain further.

P.S. I spent ages on that, ha! Should be a newsletter tut!
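The user/seskey scheme described in the post above, written out as an added example that is not code from the thread. It assumes a `users` table with `username`, `password_hash` and `session` columns, an open PDO connection `$pdo`, and `session_start()` already called; the key is generated with `random_bytes()` instead of `md5(rand(1000, 9999))` so the key space is too large to enumerate.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// columns username, password_hash and session (the "seskey" column from
// post #4) and an open PDO connection. The key comes from random_bytes()
// rather than md5(rand()), so it cannot be enumerated.
declare(strict_types=1);

function cms_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh key for this login, stored both server-side and in the session.
    $seskey = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET session = ? WHERE username = ?')
        ->execute([$seskey, $username]);

    session_regenerate_id(true);       // new PHP session id after login
    $_SESSION['user']   = $username;
    $_SESSION['seskey'] = $seskey;
    return true;
}

// Call at the top of every page under /cms, after session_start().
// Returns the username only when both session values match the DB row.
function cms_require_login(PDO $pdo): ?string
{
    if (empty($_SESSION['user']) || empty($_SESSION['seskey'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT session FROM users WHERE username = ?');
    $stmt->execute([$_SESSION['user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares the stored and presented key in constant time.
    if ($row === false || $row['session'] === null
        || !hash_equals($row['session'], $_SESSION['seskey'])) {
        return null;
    }
    return $_SESSION['user'];
}
```

Setting the `session` column back to NULL on logout invalidates the key even if the browser keeps its cookie, and a page that gets `null` from `cms_require_login()` should redirect to the login form rather than render.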
#5
Re: CMS Security
Yes, Alex is correct. Applying a password to the admin area makes the most sense. You would do this through sessions in your PHP file. Perhaps this URL will help get you started with using sessions with PHP.
http://www.developertutorials.com/tu...620/page1.html
#6
Re: CMS Security
May I ask, how will you check if the user is already logged in? I mean, if I'm already logged in, they cannot log in using my username. It will prompt the user that the username is already logged in.