
Mamal Khan
14,206 Points
a Safe Admin Area
I have a problem with making the Admin Area a safe place...
- best Password Protection method?
- saving password
- make links in admin folder unreachable
- ...
I'll be happy to be helped ;)
19 Answers

Nathan F.
30,773 Points
Are you talking about an admin area in Wordpress, or are you making your own admin area?

Mamal Khan
14,206 Points
making one for myself...
and FYI : I have the admin area... all I want is those protection things...

Randy Hoyt
Treehouse Guest Teacher
What have you tried so far for passwords?

Mamal Khan
14,206 Points
actually nothing!

Randy Hoyt
Treehouse Guest Teacher
You want to store the passwords encrypted using something like MD5 encryption. (I think most people are using MD5 these days.) This will encrypt the passwords in a way that no one will be able to decrypt them, so they'll be safe even if someone steals a backup copy of your database.
When someone logs in, you encrypt what they enter using the same encryption and check if it matches what you have in the database. (You don't know their actual password, but you know what it looks like encrypted.)
When they successfully log in, you send a cookie back down to their browser. On subsequent requests, you look to see if the browser sends a valid cookie along with the request. I'd recommend using SSL with the login screen and with any pages that require a password. Be sure to set the cookie to a secure cookie so that no one could intercept the cookie in a request (over public Wi-Fi or something) and hack their account.
The code at the top of each protected page would look for the cookie and, if it's present, display the page ... and if not, it would redirect to the login page.
Does that help?
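The cookie gate described in this answer, written out as an added example (not code from the thread or from any Treehouse project) in Python rather than PHP: after a successful login a random session token is stored server side and sent back in a Set-Cookie header with the Secure and HttpOnly flags, and every protected page looks the token up before rendering. The in-memory SESSIONS dictionary, the cookie name admin_session and the one-hour lifetime are assumptions for the example.

```python
import hmac
import secrets
import time
from http.cookies import CookieError, SimpleCookie

# Constructed in-memory session store: token -> (username, expiry time).
# A real admin area would keep this in its database or a cache.
SESSIONS = {}
SESSION_TTL = 3600  # assumed session lifetime in seconds


def issue_session(username, now=None):
    """After a successful login: create a random token and the Set-Cookie
    header that sends it to the browser. Secure = only over HTTPS,
    HttpOnly = not readable by page scripts, SameSite = not sent cross-site."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[token] = (username, now + SESSION_TTL)
    header = (f"admin_session={token}; Path=/admin; Secure; HttpOnly; "
              f"SameSite=Strict; Max-Age={SESSION_TTL}")
    return token, header


def session_user(cookie_header, now=None):
    """The check at the top of every protected page: parse the browser's
    Cookie header and return the logged-in username, or None, which means
    'redirect to the login page'."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get("admin_session")
    if morsel is None or not morsel.value.isascii():
        return None
    token = morsel.value
    # compare_digest keeps the comparison constant-time, so a guessed token
    # leaks no timing information about how many characters matched.
    for stored, (user, expires) in list(SESSIONS.items()):
        if hmac.compare_digest(stored, token):
            if now > expires:
                del SESSIONS[stored]  # expired: drop it and force a new login
                return None
            return user
    return None


def logout(token):
    """Invalidate the server-side session so the cookie stops working."""
    SESSIONS.pop(token, None)
```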

Mamal Khan
14,206 Points
Randy Hoyt
Treehouse Guest Teacher
I'm certainly no expert in cryptography! :~) Encrypting passwords definitely requires CPU and RAM, but I don't know enough to comment on which ones use too much.
I don't know a good tutorial on cookies in the context of authentication. A lot of people have requested this, so it's something I'm considering putting together myself.

Mamal Khan
14,206 Points
ok thanks
It's time to crack Wordpress :D

Ernest Grzybowski
Treehouse Project Reviewer
I'm currently studying security at school, so there's just a couple of things I want to point out.
First, using a CMS like Wordpress or Drupal is awesome. You cannot beat the work of hundreds of security experts and programmers.
Second, all passwords in a database should not be stored in plain text, but they should also not be encrypted, but rather hashed. So something like SHA or MD5 will work. I just want to make it clear that those are hashing algorithms and not encryption algorithms.
Lastly, when dealing with stuff on your server, be sure to use SFTP.

Randy Hoyt
Treehouse Guest Teacher
Thanks for clarifying my lazy use of the term "encrypting" instead of "hashing"! If something is encrypted, it can be decrypted. That's not what you want to do with passwords. You want to hash them, which means convert them into a format that cannot be un-hashed. You won't know the user's real password, just the hash. But when the user logs in, you can hash what they entered and see if the hashes are the same.
(Is that all stated clearly and correctly?)

Ernest Grzybowski
Treehouse Project Reviewer
Perfect!

Mamal Khan
14,206 Points
thank you both guys...
I just signed up for the Cryptography class at Coursera.org
+ I know 1 person vs a bunch of expert guys is not a good idea and it's better to work based on their work... but there are 2 reasons for my job... after making version 1.0.0, make it public and find some non-expert guys like myself and make it a tool for everybody who wants to make a gallery... who knows? maybe 5 years from now it becomes like WordPress :D
and the second one is that since I was 10 years old, I had a notebook which I filled with my ideas around everything...
the notebook filled up after two months and right now has around 25000 different ideas around everything... graphics, sites, technology, physics (what I'm learning at university) and the list goes on... there are billion-dollar ideas in it and all I'm doing is adding stuff to it...
It's time to make them real!
;)
thanks for your help

Mamal Khan
14,206 Points
but I'm still like a confused chicken! :D
where to start... ?

Randy Hoyt
Treehouse Guest Teacher
This isn't an easy topic. :~)
If you really want to learn how to do all of this, it will be a slow process with lots of learning. If you want to build a website with a couple of password-protected pages next week, you would definitely be better off using something that already exists like WordPress or Drupal.

Mamal Khan
14,206 Points
I used this : http://www.php-login.net/

James Barnett
39,199 Points
Just to clarify Randy Hoyt's earlier statement.
"You want to hash them, which means convert them into a format that cannot be un-hashed."
The technique of hashing is a generic programming technique in which a string of characters is transformed into a usually shorter fixed-length value.
Where passwords are concerned, they are hashed using algorithms that perform a specific kind of hashing known as a one-way function; this makes it very hard for someone to get the original password (known as the plain text) from the new hashed text (known as the cipher text).

Mamal Khan
14,206 Points
http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/
it says for every user use a different "salt" ...
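The hash-on-register, hash-and-compare-on-login flow from the answers above, with the per-user salt this link recommends, as an added example (not code from the thread, the linked article or php-login.net) in Python rather than PHP. It swaps in PBKDF2-HMAC-SHA256, a deliberately slow salted hash, for the MD5 mentioned earlier; the in-memory USERS dictionary and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed user table: username -> (salt, hash). A real site would keep
# these two columns in its users table.
USERS = {}
ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt):
    """One-way, salted, slow hash: every login attempt or offline guess has
    to pay for ITERATIONS rounds, which is the point of using PBKDF2 here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password):
    """Store a fresh random salt and the salted hash; the password itself is
    never kept."""
    salt = os.urandom(16)  # a different random salt for every user
    USERS[username] = (salt, hash_password(password, salt))


def verify_login(username, password):
    """Hash what the user typed with their stored salt and compare it with
    the stored hash. compare_digest keeps the comparison constant-time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong
        # password and does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def same_password_different_hashes(username_a, username_b):
    """Why the per-user salt matters: two users with the same password end
    up with different hashes, so a leaked table shows no shared passwords
    and a precomputed table of hashes is useless against it."""
    return USERS[username_a][1] != USERS[username_b][1]
```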

James Barnett
39,199 Points
Mamal Khan
14,206 Points
not anymore!