brettrijnders / pbsviewer

This program ‘PBSViewer’ also known as Punkbuster (pb) Screenshot Viewer will download punkbuster screens from your gameserver to your webserver.
http://www.brettrijnders.nl/work/php/pb-screenshot-viewer/

Login page for admin #19

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Instead of using the IP address of the admin, a login will be required. The IP address won't be used anymore because of security risks. Someone could spoof the IP address of the admin to gain access and cause some damage.

Original issue reported on code.google.com by brettrijnders on 7 Aug 2010 at 9:29

GoogleCodeExporter commented 9 years ago
Started implementing the login page for admins. It's not finished yet; here is a list of what needs to be done:
- Add a feature to modify admin login details in ACP.php.
- The installer.php needs to be modified; the username and password should be chosen by the user.
- Request a reset in case the admin forgot his/her password.

Original comment by brettrijnders on 8 Aug 2010 at 7:50

GoogleCodeExporter commented 9 years ago
Trying to include IP address in session to improve security

Original comment by brettrijnders on 8 Aug 2010 at 7:51

GoogleCodeExporter commented 9 years ago
The IP address is now included in the session. This should slightly improve security; however, according to http://phpsec.org/projects/guide/4.html there are some security issues involved. See this note:

Note
It is unwise to rely on anything at the TCP/IP level, such as IP address, 
because these are lower level protocols that are not intended to accommodate 
activities taking place at the HTTP level. A single user can potentially have a 
different IP address for each request, and multiple users can potentially have 
the same IP address.

Original comment by brettrijnders on 8 Aug 2010 at 8:13

GoogleCodeExporter commented 9 years ago
The user agent is now also included in the session to improve security. In addition, the ADMIN_ID that is used for the session has an md5 hash.

Original comment by brettrijnders on 8 Aug 2010 at 9:56
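
The session binding discussed in the comments above, as an added example that is not PBSViewer's own code: the user agent is a hard check, while an IP change only forces a new login, in line with the quoted phpsec note. The function names, the session array layout and the sample requests are assumptions; plain arrays stand in for `$_SESSION` and `$_SERVER` so it runs from the PHP CLI.

```php
<?php
// Added illustration; names and array layout are hypothetical, not PBSViewer's.

// Values recorded at login: a hash of the User-Agent header and the client IP.
function fingerprint(array $server): array
{
    return [
        'ua_hash' => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
        'ip'      => $server['REMOTE_ADDR'] ?? '',
    ];
}

// Decide what to do with a request that presents an existing admin session.
// Returns 'ok', 'reauth' (ask for the password again) or 'reject'.
function check_session(array $session, array $server): string
{
    if (empty($session['admin']) || !isset($session['fp'])) {
        return 'reject'; // no authenticated session
    }
    $now = fingerprint($server);
    // The User-Agent should not change within one browser session.
    if (!hash_equals($session['fp']['ua_hash'], $now['ua_hash'])) {
        return 'reject';
    }
    // The IP can change legitimately between requests (see the quoted note),
    // so a mismatch triggers re-authentication instead of a hard failure.
    if ($session['fp']['ip'] !== $now['ip']) {
        return 'reauth';
    }
    return 'ok';
}

// Constructed sample requests (documentation-range addresses).
$login = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '192.0.2.10'];
// In a real request handler: call session_regenerate_id(true) after the
// password check, then store this array in $_SESSION.
$session = ['admin' => true, 'fp' => fingerprint($login)];

$requests = [
    'same client'          => $login,
    'same browser, new IP' => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '198.51.100.7'],
    'different browser'    => ['HTTP_USER_AGENT' => 'OtherBrowser/2.0', 'REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($requests as $label => $request) {
    printf("%-22s %s\n", $label, check_session($session, $request));
}
```

The User-Agent header is supplied by the client, so this check is an extra hurdle on top of the login rather than a replacement for it.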

GoogleCodeExporter commented 9 years ago
Added new functionality to the ACP: the user is now able to change login details in the ACP.

Original comment by brettrijnders on 8 Aug 2010 at 1:44

GoogleCodeExporter commented 9 years ago
Added a new feature: User can now request a password reset if needed.

Original comment by brettrijnders on 8 Aug 2010 at 8:36

GoogleCodeExporter commented 9 years ago
Login functionality seems to work fine. Though some further testing is needed, 
just to be sure...

Original comment by brettrijnders on 9 Aug 2010 at 10:36

GoogleCodeExporter commented 9 years ago

Original comment by brettrijnders on 15 Aug 2010 at 12:12