HTTP Cookies
YariKartoshe4ka, 2020-03-18 14:59:56

How to work with cookies for an admin panel?

I have my own website. I needed to make an admin panel, i.e. when I go to /admin, a panel with admin goodies opens (you must first enter your login and password). I thought maybe I could solve this with cookies? I.e. if the login and password are correct, then create a cookie admin=1, and check it all the time: if admin == 1, then show the panel; if not, the authorization form. The question arose: will this implementation be safe? If yes, please tell me how to work with cookies in silex? And if not, how else can it be done?


2 answer(s)
Mikhail, 2020-03-18
@YariKartoshe4ka

This is a big hole; you need to look in the direction of sessions. In the cookies you can put a user id and, for example, some kind of hash that changes with each authorization and is stored in the database.
How it works:
during authorization, the id is written to the cookie and a hash is formed, which is written to both the cookie and the database; on a subsequent visit, the presence of the hash in the cookie is checked and it is compared with the hash in the database. If they match, authorization is automatic; if not, the form is displayed. On logout, you can clear the hash in the database; this will be enough. If you tie it to the session, you can do it more securely and come up with a more complex structure.

vitaly_74, 2020-03-18
@vitaly_74

Hello, please leave it as it is. Let's say I'm a normal user: I'll go into Chrome settings and create a cookie with admin=1, and then it turns out I'm an admin too. That's why the comrade above wrote that this is a security hole.
What he offered is indeed a solution. You're a good man for taking an interest in this. What he suggested will puzzle you for at least a week.
So what he suggested is a good option, but what you have could not be worse.
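The two answers above describe, first, why a client-set `admin=1` cookie is forgeable and, second, the id-plus-random-hash scheme that replaces it. The following added example (not from the original thread, and framework-agnostic rather than Silex code) models both: `insecure_is_admin` is the question's check, while `login`/`current_admin`/`logout` implement Mikhail's scheme with a constructed in-memory user table and session store standing in for the database. One hardening beyond the answer: only a digest of the token is stored server-side, so a database leak does not hand out live sessions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for the site's user table and the session "hash"
# column the answer describes. A real app would store these in its database
# and use a slow password hash (bcrypt/argon2) instead of plain sha256.
USERS = {
    "admin": {"id": 1, "is_admin": True,
              "password_hash": hashlib.sha256(b"correct horse").hexdigest()},
}
SESSIONS: dict = {}  # sha256(token) -> username (the "hash in the database")


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def insecure_is_admin(cookies: dict) -> bool:
    """The scheme from the question: trusts a flag the client controls."""
    return cookies.get("admin") == "1"


def login(username: str, password: str) -> Optional[dict]:
    """On a correct login, mint a random token, remember its digest server-side
    and return the cookies to set on the client (user id + raw token)."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            _digest(password), user["password_hash"]):
        return None
    token = secrets.token_urlsafe(32)       # unguessable, fresh per login
    SESSIONS[_digest(token)] = username     # never store the raw token
    return {"uid": str(user["id"]), "token": token}


def current_admin(cookies: dict) -> bool:
    """On each request: the token's digest must exist server-side, belong to the
    user id claimed in the cookie, and that user must be an admin."""
    token, uid = cookies.get("token"), cookies.get("uid")
    if not token or not uid:
        return False
    username = SESSIONS.get(_digest(token))
    user = USERS.get(username) if username else None
    return bool(user) and str(user["id"]) == uid and user["is_admin"]


def logout(cookies: dict) -> None:
    """Clearing the server-side digest makes the cookie value useless."""
    SESSIONS.pop(_digest(cookies.get("token", "")), None)
```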
