网站管理部分-安全性?
[英]Admin section for website - security?
问题描述
Designing a user content website and the question is for the admin section, from a security point of view, where should it be placed? 
从安全的角度来看,设计一个用户内容网站,问题是管理员部分,应该放在哪里?
- same domain and allow admin to enter site like other users from signin form using admin email 同一域,并允许管理员使用管理员电子邮件从登录表单中像其他用户一样进入网站
- Have a separate sub-domain only for admin login 有一个单独的子域,仅用于管理员登录
- Have a separate secret domain used to access admin features 具有用于访问管理功能的单独的秘密域
- or any other suggestions? 或其他建议?
goal is prevent anyone from knowing about the admin section and to keep it locked as much as possible. 目标是防止任何人了解admin部分,并使其尽可能保持锁定状态。
Thanks 谢谢
2 个解决方案
解决方案1
1 2010-08-03 20:09:59
Actually I work on a system that uses a separate subdomain, and there's a whole another ASP.NET project dedicated for the Admin section of the parent domain. 实际上,我在一个使用单独的子域的系统上工作,并且还有一个专门用于父域的Admin部分的整个ASP.NET项目。
This has many advantages for us. 这对我们有很多好处。 Some of them are: 他们之中有一些是:
- Completly different authentication mechanism for one site and the other. 一个站点和另一个站点的完全不同的身份验证机制。
- We can deploy the website without shutting down the admin site and viceversa. 我们可以在不关闭管理站点的情况下部署网站,反之亦然。
解决方案2
0 2010-08-03 20:09:02
Well, as a basic rule, I'd say it doesn't really matter. 好吧,作为一个基本规则,我会说这并不重要。 Your login form needs to be secure, whether it's exposed or not. 您的登录表单必须安全,无论是否公开。
However, I understand the desire to keep the admin area hidden in any case. 但是,我了解在任何情况下都希望隐藏管理区域的愿望。 I personally like this variant the best: 我个人最喜欢此变体:
same domain and allow admin to enter site like other users from signin form using admin email
because it doesn't leave any traces on the client computer that are easily detectable (like "admin.example.com" or "example.com/super-secret-admin-area"). 因为它不会在客户端计算机上留下任何易于检测的痕迹(例如“ admin.example.com”或“ example.com/super-secret-admin-area”)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.