Recently I have been contemplating the most secure way to set up an admin area on a website. The two options that I was toying with are,
- Create the admin area as part of the main site, require them to register first using their email address as their username, and set them up with an admin level.
- Create a completely separate admin area from the website, in which users would not have to register but instead would be set up by another admin.
I realize that if I set up the admin area separate from the site, this would require the user to discover that the admin panel is there before they could even try getting into it. How much security does that add?
However, forcing them to register with an email address on the main site ties their account to an email address which I would think helps security a little bit? But putting the admin area on the main site makes it easier to hack, because all the user would need to do is find one bug in the system right?
I guess I could see positives and negatives for both.
I realize that if I set up the admin area separate from the site, this would require the user to discover that the admin panel is there before they could even try getting into it. How much security does that add?
This is what you would call "security through obscurity." Generally speaking it's only going to stop the less persistent of hackers. For anybody who is that intent on hacking your site, this will only provide a momentary delay in their success.
Obscurity can still be useful when placed on top of an already otherwise-secure system, though. Use it to keep the average end user from seeing things they don't necessarily want or need to see.
You can also force them to use the separate admin website with an email address existing on the main site. In fact, do both; add a flag on their main account that says "ok, this one is an admin". This way you can display an iframe on the main site that points to the admin site, and anyone connecting on the admin site would have to have this flag set up.
Finally, don't forget single sign-on; on connecting to any of the sites, create both cookies so they won't have to authenticate at both places (unless they have to by design).
My rule of thumb is this (mostly):
After login, do administrators do stuff in the site's design, or are they in some completely different "design" (like most CMSs' back-ends)? If they stay in the same design (AND the site has the possibility for users to register), it makes sense to only create administrator-level accounts on the main site.
If there is no option for users to register, have the back-end in something like /admin/ and call it a day.
Also, being "hackable" depends on millions of factors, the position of the administrators' login IMHO not being one of the... well... important ones.
Definitely it is better to keep the admin part separate from the main site.
The first reason is what you said: users have to discover where it is first.
Another thing you could do is to grant access to your admin folder, for example using .htaccess, only to some IP addresses.
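As an added example (not code from any of the posters), here is the combination of two ideas from this thread in application code: the "this one is an admin" flag on the main-site account, and restricting the admin path to a few IP addresses, which the answer above does with .htaccess. The admin prefix, the allow-listed networks and the `Account`/`Request` types are assumptions for the example. Responding 404 to addresses outside the allow-list is the "obscurity on top of a real check" pattern: the account flag is the control, the IP filter and the hidden response are extra friction.

```python
# Added example (not from the thread): gate the admin area on an explicit
# is_admin flag on the main-site account AND on an IP allow-list for the
# admin path. Path, networks and data types are assumptions for the example.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ipaddress

ADMIN_PREFIX = "/admin/"   # assumed location of the admin area

# Constructed allow-list: an office range and a single VPN gateway address.
ADMIN_ALLOWED_NETS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")
]


@dataclass
class Account:
    email: str            # the main-site identity, as the question suggests
    is_admin: bool = False  # the flag another admin sets; never self-assigned at signup


@dataclass
class Request:
    path: str
    remote_addr: str      # must be the proxy-validated client address, not a raw X-Forwarded-For header
    user: Optional[Account] = None


def ip_allowed(addr: str) -> bool:
    """True if addr parses and falls inside one of the allow-listed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_ALLOWED_NETS)


def admin_gate(req: Request) -> int:
    """Decide how the admin area answers a request.

    404: address outside the allow-list (the area stays invisible to it)
    401: allowed network but nobody is logged in
    403: logged in on the main site but the account lacks the admin flag
    200: allowed network and a flagged admin account
    Requests outside the admin prefix are not this gate's business (200 here).
    """
    if not req.path.startswith(ADMIN_PREFIX):
        return 200
    if not ip_allowed(req.remote_addr):
        return 404
    if req.user is None:
        return 401
    if not req.user.is_admin:
        return 403
    return 200


if __name__ == "__main__":
    admin = Account("ops@example.com", is_admin=True)
    print(admin_gate(Request("/admin/users", "198.51.100.7", admin)))  # allowed
    print(admin_gate(Request("/admin/users", "192.0.2.1", admin)))     # hidden: 404
```

The order of the checks matters: the IP test runs before anything touches the session or the account store, so an address outside the allow-list gets the same 404 whether or not a valid admin cookie is attached.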
By going for the "must be set up by another admin" option you will increase the chances of secure passwords. Better still, generate strong passwords for admins yourself and don't let them choose their own.
As Greg W pointed out, obscurity isn't worth much but is handy to use on top of an already secure setup. I don't think that separating out the admin area from anything else makes it more or less secure in itself - if you have insecure code in the admin area you are at risk either way.
For general security advice I would recommend Chris Shiflett's site: http://shiflett.org/articles
Force admins to enter their password before updating any data - don't rely on their existing session credentials. PHP Session Security
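The two recommendations in this answer, admins provisioned by an existing admin with a generated password, and a fresh password check before any update rather than trust in the session, look like this in code. This is an added example and not the poster's code; the five-minute re-authentication window, the password length, the PBKDF2 parameters and the in-memory `AdminDirectory` are assumptions made for the example.

```python
# Added example (not from the thread): admins are created only by an existing
# admin and receive a generated password; state-changing actions require a
# recent password re-check instead of relying on the session alone.
# Window length, password length and PBKDF2 parameters are assumed policy.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import os
import secrets
import string
import time

REAUTH_WINDOW = 300          # seconds a successful password re-check stays "fresh"
PASSWORD_LENGTH = 20
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 200_000


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Server-generated password from a CSPRNG; the admin never picks their own."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Admin:
    email: str
    salt: bytes
    digest: bytes


@dataclass
class Session:
    admin: Admin
    last_reauth: float = 0.0   # unix time of the last successful password check


class AdminDirectory:
    """In-memory stand-in for the admin table (assumption for the example)."""

    def __init__(self) -> None:
        self.admins: dict[str, Admin] = {}

    def _store(self, email: str) -> str:
        pw = generate_password()
        salt, digest = hash_password(pw)
        self.admins[email] = Admin(email, salt, digest)
        return pw   # shown to the creator once; only the hash is kept

    def bootstrap(self, email: str) -> str:
        """The very first admin is created out-of-band (e.g. by a deploy script)."""
        if self.admins:
            raise PermissionError("directory already has admins; use provision()")
        return self._store(email)

    def provision(self, creator: Admin, email: str) -> str:
        """Only an existing admin may create another one."""
        if self.admins.get(creator.email) is not creator:
            raise PermissionError("creator is not a known admin")
        return self._store(email)


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Re-check the password and, on success, refresh the session's freshness stamp."""
    if verify_password(password, session.admin.salt, session.admin.digest):
        session.last_reauth = now if now is not None else time.time()
        return True
    return False


def update_record(session: Session, record: dict, changes: dict,
                  now: Optional[float] = None) -> bool:
    """A state-changing admin action: refused unless the password was re-checked recently."""
    now = now if now is not None else time.time()
    if now - session.last_reauth > REAUTH_WINDOW:
        return False   # caller should prompt for the password and retry
    record.update(changes)
    return True
```

The `now` parameter exists so the freshness window can be exercised deterministically; in production it is simply omitted and the wall clock is used. Returning `False` from `update_record` is the signal to show the password prompt; the update itself never happens on a stale session.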
Using sandboxes... creating non-visible decoy admin areas pointing nowhere, like /admin, /manage, /administrator, will entertain your hacker for a long time.
Also, try keeping the real admin folder out of the public folder (public_html, www).
These practices worked for me.
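The decoy paths this answer names are more useful as a detection signal than as entertainment: a legitimate user has no reason to request /admin, /manage and /administrator in quick succession, so a burst of such hits from one address is worth an alert. The following is an added example, not the poster's code, of serving those decoys as plain 404s while counting hits per address over a sliding window; the window length and threshold are assumed policy, and the sample requests in the usage are constructed.

```python
# Added example (not from the thread): decoy admin paths always answer 404,
# but every hit is counted per client address inside a sliding window so that
# repeated probing raises an alert. Window and threshold are assumed policy.
from __future__ import annotations
from collections import defaultdict, deque

DECOY_PATHS = {"/admin", "/manage", "/administrator"}   # the decoys named in the answer
PROBE_WINDOW = 600      # seconds
PROBE_THRESHOLD = 3     # decoy hits from one address inside the window before alerting


def top_segment(path: str) -> str:
    """Reduce a request path to its first segment: '/admin/login.php?x=1' -> '/admin'."""
    path = path.split("?", 1)[0].strip("/")
    return "/" + path.split("/", 1)[0] if path else "/"


class DecoyMonitor:
    def __init__(self) -> None:
        self.hits: dict[str, deque] = defaultdict(deque)   # addr -> timestamps of decoy hits
        self.alerts: list[tuple[str, float, int]] = []     # (addr, ts, hits in window)

    def handle(self, remote_addr: str, path: str, ts: float) -> int:
        """Return the HTTP status to serve; decoys are 404 and are logged per address."""
        if top_segment(path) not in DECOY_PATHS:
            return 200   # not a decoy; the real application handles it
        window = self.hits[remote_addr]
        window.append(ts)
        while window and ts - window[0] > PROBE_WINDOW:
            window.popleft()   # forget hits older than the window
        if len(window) == PROBE_THRESHOLD:
            self.alerts.append((remote_addr, ts, len(window)))   # fires once per crossing
        return 404


if __name__ == "__main__":
    # Constructed traffic: one address walks the decoy list, another hits one decoy.
    m = DecoyMonitor()
    for addr, path, ts in [("192.0.2.9", "/admin/", 1.0), ("192.0.2.9", "/manage", 2.0),
                           ("192.0.2.9", "/administrator/index.php", 3.0),
                           ("198.51.100.4", "/admin", 5.0)]:
        print(addr, path, m.handle(addr, path, ts))
    print("alerts:", m.alerts)
```

The real admin interface is not in this set at all; keeping it out of the public document root, as the answer suggests, means it is reached through an application route rather than a file path the web server would serve on its own.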