Simple implementation of admin / staff panel?

Question

Simple implementation of admin / staff panel?

A new project requires a simple panel (page) for the administrator and employees:

It is preferable not to use SSL or any digital material for ceritification, a simple login using http will be just fine.
It has basic authentication, which allows only an administrator to log in as an administrator, and any employee from the "personnel" group. Ideally, "credentials (username-hashedpassword pair)" will be stored in MySQL.
easy to configure if there is a package, or the strategy is easy to encode.
somewhere (a PHP session?) in some way (include a script at the beginning of each page to check a group of users before doing something?), it will detect any invalid user attempt to access the protected page and redirect him / her in the login form.
while still maintaining high quality in safety, something I worry about the most.

Honestly, I don't know much about Internet security and how modern CMS like WordPress / Joomla do it.

I have only one thing in my mind: I need to use a password hashing salt (SHA1?) To make sure that any hacker who gets a username and password pair over the network cannot use this to log in, And that is this customer wants to make sure.

But I'm really not sure where to start, any ideas?

+3

security php

Michael Mao 04 '10 5:01

3

SSL ,

+1

nduplessis 04 '10 5:06

This has already been talked about a lot about SO, here are some of the useful links:

0

Sarfraz May 04 '10 at 5:05

source share

rook · Accepted Answer · 2010-05-04T17:48:01+0000

HTTPS . , , (sniffing xss), /. The OWASP Top 10 2010 A3 . , .

md4, md5 sh0 sha1 - , . sha-2 - , sha256 .

- /. , . SQL-, - , , -. , .

superglobal $_SESSION session_start(), , . PHP , .

session_start();
if(!$_SESSION['logged_in']){
   die("Authentication required!");
}

, CSRF. CSRF, , . XSS, xss , xss XHR document.cookie. SQL Injection , wapiti .

Simple implementation of admin / staff panel?

More articles: