Password-protecting administrative mode
For simplicity we shall assume here that there is only one administrative access level; in other words, there is a single user who has full access to all back end facilities. Thus there is only one login/password combination that grants access to the back end.
In Shop-Script FREE the administrative mode is reached through the admin.php script.
We use PHP sessions to protect the back end from unauthorized access. The protection is implemented as follows.
When someone runs admin.php, the script checks whether the authorization form has been submitted:
Here ADMIN_LOGIN and ADMIN_PASS (used in CHECK #1) are constants that define the administrator's login and password. They are set during Shop-Script FREE installation and saved in the file connect.inc.php, located in the protected cfg/ folder.
To enhance security, ADMIN_LOGIN is stored in this file and in the session variables in BASE64 form (encoded with the base64_encode() function), and ADMIN_PASS is stored in this file and in the session as an MD5 hash (the md5() function).
The variable $_SESSION["log"] indicates whether the visitor has entered the correct login/password and has been authorized as administrator.
As you can see, CHECK #1 (in the source code fragment above) unsets $_SESSION["log"] if it does not match the ADMIN_LOGIN information from the configuration file.
If the $_SESSION["log"] variable is not defined, CHECK #2 redirects the visitor to the authorization form (access_admin.php):

When the user enters a login and password in this form, the submitted values are saved into the $_SESSION array and the user is redirected to admin.php, where they must pass CHECKs #1 and #2:
If correct login information has been provided, the visitor is granted access to the back end resources and sees the back end homepage:
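The flow described above (form handler storing encoded credentials in the session, then CHECK #1 and CHECK #2 in admin.php), reconstructed as an added illustration. This is not Shop-Script's own code: the session key names "log" and "pass", the POST field names and the function names are assumptions; ADMIN_LOGIN and ADMIN_PASS are assumed to be defined in connect.inc.php in the encoded forms the text describes.

```php
<?php
// Added example, not Shop-Script FREE's code. Assumes cfg/connect.inc.php
// defines ADMIN_LOGIN (base64 of the login) and ADMIN_PASS (md5 of the password).
require_once __DIR__ . '/cfg/connect.inc.php';
session_start();

// CHECK #1 (admin.php): a session whose stored values do not match the
// configured credentials is stripped of its authorization marker.
function check1_session_matches_config(array &$session): void
{
    // hash_equals() compares in constant time, avoiding a timing side channel.
    $login_ok = isset($session['log']) && hash_equals(ADMIN_LOGIN, (string) $session['log']);
    $pass_ok  = isset($session['pass']) && hash_equals(ADMIN_PASS, (string) $session['pass']);
    if (!$login_ok || !$pass_ok) {
        unset($session['log'], $session['pass']);
    }
}

// CHECK #2 (admin.php): no authorization marker -> back to the login form.
function check2_redirect_if_unauthorized(array $session): void
{
    if (!isset($session['log'])) {
        header('Location: access_admin.php');
        exit;
    }
}

// Form handler (access_admin.php): store the submitted values in the same
// encodings the config uses so CHECK #1 can compare them, then go to admin.php.
function handle_login_form(array $post, array &$session): void
{
    // Issue a fresh session id so a session id a visitor arrived with (e.g. one
    // planted via session fixation) never becomes the authorized one.
    session_regenerate_id(true);
    $session['log']  = base64_encode((string) ($post['login'] ?? ''));
    // md5 is what the page describes; note it is unsalted and fast, so it is
    // not a modern password hash, and base64 is encoding, not protection.
    $session['pass'] = md5((string) ($post['password'] ?? ''));
    header('Location: admin.php');
    exit;
}

if (basename($_SERVER['SCRIPT_NAME']) === 'admin.php') {
    check1_session_matches_config($_SESSION);
    check2_redirect_if_unauthorized($_SESSION);
    // ... render the back end homepage here ...
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_login_form($_POST, $_SESSION);
}
```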