views: 42

answers: 1

Really quick here... I think I have the answer, but just looking for some validation.

I have a site with two "points of entry." One is for a standard user and one is for an admin account. In the real world, an admin could have a standard user account and try to log in as an admin while already being under the standard user session.

I have two separate front ends to facilitate login. The normal user one is frilly and has ads and the like, the admin one is strictly business, so any suggestion to have the two user types log in through the same "door" is not on the table.

Would you advise on the admin login page to destroy any active sessions? Once the admin is in, they'll only be tooling around in their admin area and not on the main site.

Has anyone run into probs using this method and having an admin-type user try to log back in in a new window as a "user" to view changes from a logged-in user's perspective?

Thanks in advance. So many cans of worms :)

+1  A: 

Cans of worms, yes. Having your admin sessions kill off user sessions, also yes.

Personally, given what you described, I'd keep both sets of sessions isolated from each other. That should allow you to include things in the sessions that help reinforce the idea that users can't reach admin pages.

That said, you should not NEED to kill off the session. It should be possible to upgrade the existing session. I'd keep them separate because it would help me keep the two areas clear in my mind (which would help me avoid security errors).

acrosman
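As an added illustration of the answer's advice (this is example code, not anything from the question or answer), a minimal session store with two isolated realms, one cookie each, where an admin login neither touches nor reuses the user session. The realm names, cookie names and the `SessionStore` class are my assumptions, and password verification is assumed to happen before `login()` is called.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    realm: str                      # "user" or "admin"; fixed at creation
    principal: str                  # account name the session was issued to
    data: dict = field(default_factory=dict)


class SessionStore:
    """Two isolated session realms, each with its own cookie name.

    A session id issued for one realm is never accepted by the other,
    so an admin login cannot be "upgraded" from a user id, and a user
    cookie can never reach admin pages even if copied across names.
    """

    COOKIE = {"user": "sid", "admin": "admin_sid"}  # assumed cookie names

    def __init__(self):
        self._sessions = {}         # session id -> Session

    def login(self, realm, principal, cookies):
        # Caller has already verified the credentials for this realm.
        if realm not in self.COOKIE:
            raise ValueError("unknown realm: %r" % realm)
        # Regenerate the id on every authentication: a pre-existing id in
        # the browser (possibly planted by someone else) is discarded, not
        # promoted. Only this realm's own cookie is touched.
        self._sessions.pop(cookies.get(self.COOKIE[realm]), None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(realm, principal)
        cookies[self.COOKIE[realm]] = sid
        return sid

    def authorize(self, realm, cookies):
        """Return the principal if the cookie for `realm` is valid, else None."""
        sess = self._sessions.get(cookies.get(self.COOKIE[realm]))
        if sess is None or sess.realm != realm:
            return None
        return sess.principal

    def logout(self, realm, cookies):
        sid = cookies.pop(self.COOKIE[realm], None)
        self._sessions.pop(sid, None)
```

`cookies` stands in for the browser's cookie jar as a plain dict; in a real application the same checks run against the request's cookie header.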
Acrosman. Thanks. First off, thanks for being able to negotiate my line of questioning. I am in a hurried rush to finish something and the way I phrased the original question was convoluted. Anyhow, I do get your logic and it seems practical. At this moment though, I am looking for a quick and dirty, all-or-nothing approach that, as you mentioned, wards off any naughty users from thinking they could or should be able to get admin access. Thanks again
rob - not a robber
This was a quickie and more of a confidence builder than a question. Thanks for the guidance.
rob - not a robber