我在哪里登录我的管理员登录名 [英] where i palce my admin login

问题描述

大家好

我想创建一个具有3个区域的网站:

1-公共区域(主页)
2-会员区
3-管理区

我想要非常安全的管理区域

哪种方法更好:

1-使用管理员和成员的共享登录表单，并使用数据库中的角色字段检测成员或管理员的用户

2-为自己创建个人页面(对任何用户隐藏)，然后从该页面登录到管理区域

请帮助我

非常感谢

Hi All

i want create website that have 3 area :

1 - public area (Main Page)
2 - Member Area
3 - Admin Area

i want very very top level security for admin area

which way is better :

1- use share login form for admin and member and detect user for member or admin with role field in database

2- create personally page (that hide from any user) for myself and login from it to admin area

please help me

thanks a lot

推荐答案

在谈到非常顶级的安全性"时，您实际上没有什么两个问题.我已经看到了用于管理员和成员的不同登录页面以及常见的登录-两者都可以是好是坏.但是请注意，当有人试图攻击您的网站时，没有什么比隐藏页面"更重要的了.
您应该做什么(一点点无序)
1)至少在登录页面上使用https，但对于整个管理部分则更好用
2)永远不要将您的密码存储为纯文本，使用哈希和加盐( http://crackstation.net/hashing-security.htm [ ^ ])
4)在每种情况下都使用输入验证，而不仅限于成员页面
5)永远不要使用字符串串联将用户输入添加到sql语句中
6)使用csrf令牌( https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet [ ^ ])
7)不允许缓存管理页面
8)使用网络服务器 [ php增强 [ ^ ]
9)在丢失密码的情况下使用临时密码模式
10)对每个请求进行身份验证，不仅对入口点进行身份验证
11)比MD5更好地使用自己的会话ID生成器
12)永远不要相信用户输入的合理性！
13)强制使用强密码
...依此类推...

The two question you had don''t actually matter when speaking about "very very top level security". I have seen different login pages for admin and members and common login also - both can be good or poor. But be aware, that there is nothing like "hidden page", when somebody is trying to attack your site.
What you should do (a little bit unordered)
1) use https at least for login page, but even better for the whole admin part
2) never ever store your passwords as plain text, use hashing and salting (http://crackstation.net/hashing-security.htm[^])
4) use input validation in every case, not just for the member pages
5) never use string concatenation to add user input to sql statement
6) use csrf tokens (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet[^])
7) don''t allow caching for the admin pages
8) use web server[^] and php hardening[^]
9) use temporary password pattern for lost password scenario
10) authenticate every request, not only entry points
11) use own session id generator better than MD5
12) never ever believe in user input sanity!
13) enforce strong passwords
... and so on...

我同意ZoltánZörgő的建议.另外，我建议您从可用性(而不是安全性)的角度来考虑它.正如Zoltán正确解释的那样，如果您隐藏"用户页面，则无法提供更好的安全性.您只需将管理页面放入秘密目录"(受密码保护)中，更不用说公共或成员区域中任何锚点中的管理登录页面了.

但是，从可用性的角度来看，这正是您应该做的.管理员登录名应该在单独的页面上.在具有成员登录名的保存页面上具有此登录名根本没有任何意义.首先，为什么访客甚至会看到管理区存在?没有这种情况，因为它们无论如何都无法登录.此外，如果该站点确实经常使用，则其非管理员访问者的数量要多几个数量级；并且该网站正常运行，管理员很少触摸它.因此，当然:用于管理员的单独登录页面.

—SA

I agree with advice by Zoltán Zörgő. In addition, I advise you to think of it in terms of usability, not security. As Zoltán correctly explained, you cannot provide much better security if you "hide" a page from the user. All you can do it to put the admin page in "secret directory" (password-protected itself) and not to mention the admin login page in any anchors in public or member areas.

However, from the standpoint of usability, this is exactly what you should do. Admin login should be on a separate page. Having this login on the save page with member login makes no sense at all. First, why the visitors would even see that the admin area exist? There are no such cases, because they won''t be able to login anyway. Besides, if the site is really used on a regular basis, it has orders of magnitude more regular, non-admin visitors; and, the site is functioning normally, the admin rarely touches it. So, of course: separate login page for admin.

—SA

这篇关于我在哪里登录我的管理员登录名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！