dongxing1965 2015-07-08 22:29
浏览 68
已采纳

阻止用户访问管理员登录页面

Currently I am setting up an admin login page with PHP and this is how I have it set up.

If the user navigates to website.com/admin, it returns a 404 error. The only way to get access to the admin login is to go to website.com/admin?key=random-string. If the key in the URL doesn't match the key in the database it will return a 404 error. When the key matches it will present you with the admin login.

I thought this was clever to help prevent someone from getting access to the admin login screen, but I am not experienced enough to know if this is true.

  • 写回答

2条回答 默认 最新

  • dongshuo8756 2015-07-09 09:02
    关注

    I thought this was clever to help prevent someone from getting access to the admin login screen, but I am not experienced enough to know if this is true.

    Do not try and defeat an attacker by trying to outwit them. Always assume attackers are clever than you are, and build your security on that model.

    Make your login and session management system is provably secure instead. For example:

    • Employ two factor authentication.
    • Use HTTPS along with Secure cookies and HSTS.
    • Rate limit or lock accounts after a number of failed logins.
    • Make sure you are not vulnerable to session fixation.
    • Make sure you are not vulnerable to user enumeration.

    Checkout the Session Management Cheat Sheet for some more pointers.

    Also, don't use secrets in the URL itself. Even though these are protected if HTTPS is used, they are logged in browser and proxy history, by server logs by default, and can be leaked in referer headers.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度