


Security Issues - Get help in securing your PHP-NUKE Installation.



Editing Admin Cookie Time

I read the post by boham and was interested in the subject. I never thought of someone actually using my own cookies to gain admin access. I do from time to time use IE but most often I use Firefox and Opera. I am just wondering if I should edit the admin cookie time set in file as +2592000. What are the pros and cons to doing so, and what issue could arise from changing the time? I thought since I use Nco Ultra its creator should answer this question for me, since you would have the most knowledge on your product. Thanks in advance.






As someone who has exploited more than her share of sites (in a previous life), I can tell you this. Getting the admin cookie is not all that easy. First off, the hacker would need to somehow access the cookies on your PC. Then there's decoding it, not an easy task. It isn't in plain English where someone can just open it in a text file and read it and voila, they're in your site. It's just not that simple. When you exploit a site, no one, and I mean no one, is going to bother looking for the admin cookie. First you gotta hack the owner's PC, then their site. You're askin' to get caught.

Secondly and here is the big thing that makes the entire post moot. When you set up sentinel DON'T USE THE SAME USERNAME and PASSWORD for the htaccess as you do your admin account.

Just run sentinel, set it up properly and don't worry about fairy tales, and if you're really that worried about it, log out of the admin panel when you're done in there.






Thank you, sinful, that eases my mind. I am a newbie still and I believe what I see. I do log out and I do run sentinel and look at what is taking place on my site. I just wish to be as safe as possible; that is why I read the posts for suggestions. I had never really seen that topic before and thought that maybe I had missed something. I thank you for a well explained reply...






Here's the scenario. I have a couple admins on a site I run. Some I should not allow being an admin but it's not my website and I just do what they say.

Say the admin goes to the public library and logs into the website as admin, does his thing and exits browser without logging off and leaves. Now another person sits down right after them and just hits the address drop down bar in IE and sees the address my admin visited and clicks it to check it out. Since he did not logout, the computer holds the cookie. The new guy is in administration. Yes sentinel will be there to save the day this time but I take no chances at all.

The same goes for the user cookie but there is no sentinel saving the day. This forum on the site is a total NON PUBLIC forum. Now the 2nd guy has everything to access the forums on the site.
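
The shared-computer scenario from the last post, as an added example that is not part of the original thread or of PHP-Nuke's code: a small Python model of which login cookies a browser still holds after it is closed and reopened, comparing the +2592000 lifetime mentioned in the first post with shorter and session-only lifetimes. The cookie name, token value, timestamps and the alternative lifetimes are constructed for illustration.

```python
from email.utils import formatdate, parsedate_to_datetime
from http.cookies import SimpleCookie

THIRTY_DAYS = 2592000  # the "+2592000" lifetime quoted in the thread


def set_cookie(name, value, now, lifetime=None):
    """Build a Set-Cookie header; lifetime=None means a session cookie."""
    header = f"{name}={value}; Path=/; HttpOnly"
    if lifetime is not None:
        header += f"; Expires={formatdate(now + lifetime, usegmt=True)}"
    return header


def expiry(header):
    """Return the absolute expiry (epoch seconds), or None for a session cookie."""
    morsel = next(iter(SimpleCookie(header).values()))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]).timestamp()
    return None


def sent_after_restart(header, reopened_at):
    """Would the browser still send this cookie after being closed and reopened?"""
    exp = expiry(header)
    # Session cookies (no expiry) are dropped on close; persistent ones live until expiry.
    return exp is not None and exp > reopened_at


def library_scenario(login_at=1_700_000_000, gap=600):
    """Admin logs in, closes the browser without logging out; next person opens it `gap` s later."""
    policies = {  # constructed lifetimes, in seconds
        "30 days": THIRTY_DAYS,
        "15 minutes": 900,
        "5 minutes": 300,
        "session": None,
    }
    reopened = login_at + gap
    return {
        label: sent_after_restart(
            set_cookie("admin", "constructedtoken", login_at, life), reopened
        )
        for label, life in policies.items()
    }


if __name__ == "__main__":
    for label, still_sent in library_scenario().items():
        print(f"{label:>10}: {'still logged in' if still_sent else 'cookie gone'}")
```

Browsers configured to restore the previous session can keep session cookies across a restart, so logging out (which clears the login rather than waiting for expiry) remains the reliable control on a shared machine.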



