So I've searched the web and even on here, and it gave me this post but it didn't really give me the answer I wanted.

I would like to have a standard directory on my server called /admin/, e.g. www.mysite.com/admin, which would store website stats etc. and other "secret" information about the site.

But what are the best practices for securing that folder? Of course I could just code a standard login with browser SESSIONS, but that would be too easy to bypass, risking SESSION hijacking.

I read about .htaccess protecting a directory? Could anybody give me more information on that?

Any tips from personal experiences would be appreciated also.

Thanks, Frank.


2 Answers

Well, like you said, you can always use an htaccess and an htpasswd for basic auth (easy & fast to configure), or you could always set up a classic login username/password using something like php/mysql.

EDIT

Here is some good info about htaccess/htpasswd http://httpd.apache.org/docs/2.0/howto/auth.html

Comment: I added a link with good info about htaccess/htpasswd to get you started if you decide on this direction! – allaire Dec 03 '11 at 00:06
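The .htaccess/.htpasswd approach from the answer above, written out as an added example (not code from the answer or from the Apache docs it links to). It assumes Apache 2.4 (the linked page is for 2.0; the `Require all denied` syntax below replaced the older `Order`/`Deny` directives), a document root of /var/www/mysite and a password file at /etc/apache2/admin.htpasswd, all hypothetical paths:

```apache
# --- httpd.conf (or the site's VirtualHost) ---
# Let the admin directory's .htaccess carry authentication directives,
# and refuse to serve any .ht* file in case one ends up under the docroot.
<Directory "/var/www/mysite/admin">
    AllowOverride AuthConfig
</Directory>
<Files ".ht*">
    Require all denied
</Files>

# --- /var/www/mysite/admin/.htaccess ---
AuthType Basic
AuthName "Site administration"
AuthBasicProvider file
# Keep the password file OUTSIDE the document root so a misconfiguration
# can never let it be downloaded. Create it with bcrypt hashes (Apache 2.4.4+):
#   htpasswd -B -c /etc/apache2/admin.htpasswd frank
AuthUserFile "/etc/apache2/admin.htpasswd"
Require valid-user
```

Two checks a practitioner should make after applying this: request www.mysite.com/admin/ and confirm the 401 challenge appears, and request www.mysite.com/admin/.htpasswd (if you mistakenly put it there) and confirm a 403. Basic auth sends the username and password base64-encoded, not encrypted, on every request, so this only holds up if /admin is reachable over HTTPS alone; otherwise the credentials are as exposed as the session cookie the question worries about.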
Your best sure-fire way of protecting a directory like that is to buy an SSL certificate and require access to the area through a secure connection. In this case, session hijacking would be extremely, extremely, extremely hard because only a few users (and thus a few sessions) would even have access to the admin panel and the session ID would be encrypted via the secure connection and not publicly visible. Another tip is to create separate session IDs for a user's access to the main website (which is not secured) and that same user's access to the admin panel (which is secured).

There is another topic on Stack Overflow that discusses the advantages and disadvantages of sessions vs HTTP authentication that you might find useful in determining which one to use. I would personally stick with sessions because it provides more flexibility, whereas HTTP authentication gives you a standard dialog box that is completely non-customizable.

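The two points in the answer above, HTTPS-only access to the admin area and a separate session for it, expressed as Apache configuration. This is an added example, not code from the answer; it assumes Apache 2.4 with mod_ssl, mod_headers and PHP running as an Apache module (mod_php), and the hostname, certificate paths and cookie name are hypothetical:

```apache
# Plain-HTTP vhost: never serve /admin here, bounce it to HTTPS.
<VirtualHost *:80>
    ServerName www.mysite.com
    Redirect permanent "/admin" "https://www.mysite.com/admin"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mysite.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/mysite.pem"
    SSLCertificateKeyFile "/etc/ssl/private/mysite.key"
    # Tell browsers to use HTTPS for the whole site from now on (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    <Location "/admin">
        # Belt and braces: refuse the request if it somehow arrived without TLS.
        SSLRequireSSL
        # mod_php settings. A distinct cookie name gives the admin panel its own
        # session, separate from the public site's PHPSESSID; Secure stops the
        # browser sending the ID over HTTP, HttpOnly keeps it away from scripts,
        # and the path limits the cookie to the admin area.
        php_value session.name            ADMINSESSID
        php_flag  session.cookie_secure   on
        php_flag  session.cookie_httponly on
        php_value session.cookie_path     /admin
    </Location>
</VirtualHost>
```

Caveat on what TLS does and does not buy you here: it stops a passive observer from reading the session ID off the wire, which is the hijacking scenario the answer has in mind, but it does nothing against session fixation or an ID stolen through a script injection on the page. The login code itself should still call `session_regenerate_id(true)` once the password has been verified, and the PHP ini settings above are only effective if PHP is actually loaded as an Apache module; under PHP-FPM they must go in the pool's php.ini instead.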