
basic authentication: user vs admin

Participant, Feb 05, 2007
I'm trying to split my authentication into users and admin section. I've read some interakt tutorials and php for dreamweaver 8 (Powers), which explain how to give different levels to a user and admin and I'm still confused.

Looking at the signup form in Powers, what prevents a user from signing up as an admin? Are those in the admin section entered into the db directly and given admin level? It seems the only way to keep the user and admin secure; or is there another way?

I think that I don't understand how I can assign a specific level to a specific person at signup and, more importantly, keep the users out of the admin section.

Thanks for helping me sort this out.
TOPICS
Server side applications
LEGEND, Feb 05, 2007
On Mon, 5 Feb 2007 20:55:38 +0000 (UTC), "hconnorjr"
<webforumsuser@macromedia.com> wrote:

>I'm trying to split my authentication into users and admin section. I've read
>some interakt tutorials and php for dreamweaver 8 (Powers), which explain how
>to give different levels to a user and admin and I'm still confused.
>
> Looking at the signup form in Powers, what prevents a user from signing up as
>an admin? Are those in the admin section entered into the db directly and given
>admin level? It seems the only way to keep the user and admin secure; or is
>there another way?
>
> I think that I don't understand how I can assign a specific level to a
>specific person at signup and, more importantly, keep the users out of the
>admin section.
>
> Thanks for helping me sort this out.

Don't give them the option to choose their level. On the page that
processes the form, set the level in the server-side code.

Use a different form (probably in a different directory with different
protection) to add/edit/delete administrators.

Win
--
Win Day, Wild Rose Websites
http://www.wildrosewebsites.com
winday@NOSPAMwildrosewebsites.com
Skype winifredday
Participant, Feb 05, 2007
thanks for the reply,

so, the signup page for the general user is in the site root directory, say as signup.php and is restricted by server-side code to a user level (not admin).

i can set up a separate folder for admin. but then i will need a page outside that directory to get into that folder. what prevents a routine user from typing in different URLs until he discovers that page and then signs himself up as an admin? Or, do you start admin signup outside the admin folder, then, when you have one or more username and id's, move the signup folder inside the admin folder (or similarly, do the admin signup at the level of phpmyadmin, directly into the db). The login page can then be the same page as the regular user. Or for added security, it could even be a different page . . . What do you think?

Mike
LEGEND, Feb 05, 2007
On Tue, 6 Feb 2007 02:36:30 +0000 (UTC), "hconnorjr"
<webforumsuser@macromedia.com> wrote:

>thanks for the reply,
>
> so, the signup page for the general user is in the site root directory, say as
>signup.php and is restricted by server-side code to a user level (not admin).
>
> i can set up a separate folder for admin. but then i will need a page outside
>that directory to get into that folder. what prevents a routine user from
>typing in different URLs until he discovers that page and then signs himself up
>as an admin? Or, do you start admin signup outside the admin folder, then, when
>you have one or more username and id's, move the signup folder inside the admin
>folder (or similarly, do the admin signup at the level of phpmyadmin, directly
>into the db). The login page can then be the same page as the regular user. Or
>for added security, it could even be a different page . . . What do you think?
>
> Mike

It's late at night here, and you lost me somewhere in that paragraph.

You only need one login form. The script that processes the form
compares the username (probably an email address, right?) to the
database. That form exists in one or more UNPROTECTED pages.

If there is a match (the user exists in the database), and the user is
classed as an admin, they are sent to a certain page in another
folder. Everything in that folder can only be accessed if you log in
as an admin.

If there is a match but the user is classed as a member, they are sent
to a different page in a different folder. Everything in that folder
can be accessed by a member or an admin.

And yes, in this scenario you need at least one admin user in the
database to start adding other admins and members.

I've got a site revamp under construction that does exactly that. I'm
not willing to put the log in information out to the general public,
but if you email me directly I'll show you the site.

I'm using the MX Kollection by InterAKT (www.interaktonline.com) to
build it, but you don't have to.

Win
--
Win Day, Wild Rose Websites
http://www.wildrosewebsites.com
winday@NOSPAMwildrosewebsites.com
Skype winifredday
Participant, Feb 24, 2007
so, let me see if i understand it . . . let's build it:
-- signup page for admin in a protected directory . . . user level defined as admin
-- signup page for users in an open directory . . . user level defined as user
-- login page in public directory with different redirects depending on user level.
sounds like there is a way to combine the signup pages, but i don't understand how. please correct me if i've got it wrong. thanks for the responses.

mike
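The design discussed in this thread (level set in server-side code, one public login form, protected folders checked by level), sketched as an added example; it is not code from the thread, the Powers book or MX Kollection. It goes one step further by using a single signup handler for both kinds of account. The in-memory `$users` array, the folder paths and the `make_admin` field are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table, seeded with the first admin.
$users = ['root@example.test' => [
    'hash' => password_hash('seed-admin-pw', PASSWORD_DEFAULT), 'level' => 'admin']];

// Signup handler: the level is decided here, on the server. A "level" field
// in the submitted form is never read, so a visitor cannot pick admin.
function signup(array &$users, array $post, ?string $actorLevel): string
{
    $email = strtolower(trim((string)($post['email'] ?? '')));
    $pw = (string)($post['password'] ?? '');
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || isset($users[$email]) || strlen($pw) < 8) {
        throw new InvalidArgumentException('signup rejected');
    }
    // make_admin (hypothetical field) counts only when the caller is already an admin.
    $level = ($actorLevel === 'admin' && !empty($post['make_admin'])) ? 'admin' : 'user';
    $users[$email] = ['hash' => password_hash($pw, PASSWORD_DEFAULT), 'level' => $level];
    return $level;
}

// Login: one public form; the stored level picks the landing page.
function login(array $users, string $email, string $password): ?array
{
    $row = $users[strtolower(trim($email))] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return null; // same result for an unknown user and a wrong password
    }
    $target = $row['level'] === 'admin' ? '/admin/index.php' : '/members/index.php';
    return ['level' => $row['level'], 'redirect' => $target];
}

// Gate run at the top of every page in a protected folder. Knowing the URL
// is not enough: the decision uses the level recorded at login.
function may_access(string $folder, ?string $sessionLevel): bool
{
    $allowed = ['admin' => ['admin'], 'members' => ['user', 'admin']];
    return in_array($sessionLevel, $allowed[$folder] ?? [], true);
}

// Constructed demo: a visitor (no session) posts forged level fields.
$forged = ['email' => 'mike@example.test', 'password' => 'pw-12345',
           'level' => 'admin', 'make_admin' => '1'];
$level = signup($users, $forged, null);
$session = login($users, 'mike@example.test', 'pw-12345');
var_dump($level, $session['redirect'], may_access('admin', $session['level']));
```

On a real site the level passed to `signup()` and `may_access()` would come from `$_SESSION`, populated by the login script, never from the request.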