I have a website which has two panels....
1- For Normal user accessible through domain.com
2- For Admins and Moderators accessible through admin.domain.com
When I (or anyone) access admin panel using admin.domain.com. He will be asked to enter username and password...BUT
How can I make this only visible to me (any way of telling server.. hey I am admin show me that page)
One approach came in my mind is to use the route filter for static ips, like hey
Laravel my name is 192.116.45.15... show me that page.
Another approach is to separate my whole admin from server and use it directly from my localhost.
Please tell some more approaches (by the way I use Laravel)
Rather than, doing any server configurations, why don't you use a security field.
Say, along with Username and Password, can you please add a field PIN to the form.
Anyways, this field is again known to you only.
Also, you can use strong passwords to protect your admin panel.
If your approach is want the server differentiate before they login. You can set the admin page only able to accessible by admin user with (IP address).
If they had login from main page. You can get the user role session.
Role Level
1 Admin
2 Moderator
3 Member
If you don't want users to see the admin login page at all you could require special GET parameter that pretty much is a password. e.g. admin.domain.com/ would simply output nothing but admin.domain.com/?5q38cZxyaA would output the login page. As long as you dont publish the link anywhere this is as save as sending a password via post(so its as save as the following real login).
If you have ssh access to the server, you can run the administration panel on some different port say port 3000 and then block that port in firewall with a exception of your own ip.
Related
I'm trying to make something like this:
Basically, I have one site (the main site) where people authenticate and create accounts. Their data is sent to a MySQL database.
On the other side, there’s another site. That site needs the users username (because I’d like to show it) and if they are not logged into their account on the first site, I want the second site to redirect them to the first site where they eventually create and account or login.
I’m also going to give an example where this is used. Let’s take Microsoft, they have their Microsoft accounts and a login page, and other services such as azure and office. They all use Microsoft’s original login without them needing to login each time they open that service, nor even the first time if they are already logged into their Microsoft account.
(I have the main site coded in PHP)
Could you maybe help?
You can use session variable.
In your main site you can save login in a variable like $_SESSION['user_auth_ok']
In every page of both websites you can use:
<?php
session_start();
if (!isset($_SESSION['user_auth_ok'])) {
header("Location: main-site/login.php");
}
So, everytime a not authenticate user try to access a reserved page will redirect to main site login page.
I have a users based site (PHP).
When a user is created, a random password is generated and they have the ability to change it.
The password is saved using
password_hash($password,PASSWORD_DEFAULT)
At login i use password_verify() to check the password and log them in to the site.
The site has an Admin Panel (in different session) and i want to give the Admin the possibility to login users without knowing their password.
I want to know what is the safest way to do so, prefer without 'master password'.
The site :
www.my-site.com
The admin panel :
www.my-site.com/admin/
I think the easiest way to do so would be simply bypassing auth if logged in as admin.
For example, let's say that you have users.php script that lists all users. It also gives you "admin" cookie when logged in as admin.
There you can add button Manage/Panel/anything else, which will take you to admin.php with GET parameter, for example, ?user=someone. Script will check if you have that "admin" cookie, and if you do, will open admin panel.
If you don't have this cookie, it will throw 403 or anything you want.
lemme explain my problem - i wanna develop e-shop in symfony, but i dont know how to configure firewalls. Normally, i use firewall to restrict access in secured areas, like pages administration, but this time some pages should be accessible without login and in case user logs in, i wanna to get his info on those pages.
I can use two firewalls with different providers, one for admins and another for users. But - how to set security to have accessible user's data on pages, that are not under firewall?
Thank you in advance.
That is not what symfony firewalls are for. Firewalls are for Access Validation. Not View Validation.
You want to check the user (if logged in) in the view and show the data.
If the data changes dependend on the user (e.g. different prices), you'll have to check the user inside the controller.
I have a wordpress site, and I want to put a link on that site so that users are redirected to another PHP site.
But here the problem is that the other php site uses authentication, i.e. users need to give username and password before they can enter.
I want to develop a link that users can simply click on and get to the other site directly.
I can give the username and password for the php site, but the requirement is that the user users are not asked for username and password.
you have to make a new php file(in the 'php site') that assign the session variable to the linked users, and then it redirect them to the main page of the 'php site'
U have to write an authentication function on the other php site.. when the user clicks on the link of the wordpress site redirect him to that authentication function, along with his credentials, where the users will get logged in automatically and get redirected to your php site.
if i get you right, i think the best way is to generate the link in wordpress site with a parameter : http://www.linktophpsite.com/?autologin=true
Then at php site you could get the element and if it is set to true, you can log the user to your site. If you want single sign-on on both sites, that's totally different. I recommend you to read articles about single sgn-on on php
If you have no control over the target site, then your options are very limited. You can't just provide access to material that requires login credentials without providing those login credentials.
Your best, and most secure, bet is to include the target site's login fields directly from their site in an iframe. The user logs into the other site, you track the iframe onload event to see that it changed, and then redirect the user to the page in question. This is better because it keeps you from handling the login details directly on your site.
I cannot guarantee that this works as simple as that, I haven't tried it and this page seems to indicate that at least some of the possibilities with cross-domain iframes are no longer relevant with modern browsers (I didn't read the page in detail, just trying to give a starting point).
My client is insistent that there be a single page where both Joomla administrators and users can log in, as opposed to the default Joomla setup where these two groups log in in separate locations (/administrator for the admin). While the reasons for the client's insistence are besides the point, essentially it's a small group where only some users can do CMS type management of articles etc., but they don't want to have to go to separate pages, go figure.
Anyway, is there some sort of extension for this, or would I have to write an authentication plugin to handle? Could the controller for one type of login call the other login and pass through the same credentials, and if so how would that be put into code?
Actually admin users + normal users can log in in the front end (the normal page). Admin users can edit articles their, whereas normal users can't.
All other things (like creating categories etc.) needs to be done in the backend (/administrator/). I suppose you want the following scenario:
1) You log in at your.site.com
2) you click at a link to your.site.com/administrator/
3) and without retyping the password you are logged in into back-end.
As far as I know, a such extension (authentification plugin) does not yet exist. But it should be feasible. At both locations (frontend and backend) the same plugin will be used. So for passing the information that a user is logged in, you could try:
- whether the $_SESSION is the same
- if not, set a cookie with an random id, store this id in the database (together with username), and ask for such a cookie when checking login.
I wouldn't modify the existing login plugin, instead, write a new one with only this alternative login method. All published Authentification Plugins are ORed, i.e. as long as one of them allow to log in, everything is ok.
Tutorial: http://docs.joomla.org/Tutorial:Creating_an_Authentication_Plugin_for_Joomla_1.5