# PHP Session Auth Layer — Admin Panel

> Addresses: **TODO item #2** (No PHP-level authentication in admin panel — 🔴 CRITICAL)

---

## Overview

The admin panel uses a single **PHP session-based authentication** layer. Authentication is password-only (no username required).

| Layer | Mechanism | Configured by |
|-------|-----------|---------------|
| **PHP** | Session guard (`src/AdminAuth.php`) | `site_settings.admin_password_hash` in DB |

The user sees an HTML login form at `/admin/login.php` that asks only for a password. On successful login, a PHP session is created and all admin pages use `AdminAuth::requireLogin()` to enforce the guard.

## Authentication flow

```
Browser → /admin/login.php (HTML password-only form)
    │
    ▼
POST password → AdminAuth::login()
    ├─ password_verify(password, stored_hash)
    │    ├─ ✓ → create session → redirect to /admin/
    │    └─ ✗ → show error, stay on login form
    └─
```

If no password hash is stored in the DB (dev / cli-server), `AdminAuth` is a no-op — all admin pages are open.

## PHP auth setup (production)

1. Generate a bcrypt hash for the admin password:

   ```bash
   php -r "echo password_hash('your-secret-password', PASSWORD_DEFAULT);"
   ```

2. Store it in the DB via the admin panel at `/admin/parametres` (Account tab) or by inserting directly:

   ```sql
   INSERT INTO site_settings (key, value)
   VALUES ('admin_password_hash', '$2y$12$...')
   ON CONFLICT(key) DO UPDATE SET value = excluded.value;
   ```

## Session cookie hardening (TODO item #8)

`AdminAuth::startSession()` calls `session_set_cookie_params()` before `session_start()`, applying:

| Attribute | Value |
|-----------|-------|
| `HttpOnly` | `true` |
| `SameSite` | `Strict` |
| `Secure` | `true` (disabled on cli-server for dev) |
| `Path` | `/admin` |
| `Lifetime` | `0` (session cookie, expires on browser close) |

## Logout

A **Déconnexion** button is shown in the admin nav when a password hash is configured. It hits `/admin/logout.php`, which destroys the PHP session.

## Files

| File | Purpose |
|------|---------|
| `src/AdminAuth.php` | Auth guard class |
| `public/admin/login.php` | Login form (password-only) |
| `public/admin/logout.php` | Logout handler |
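The guard described in the flow and hardening sections above, as an added illustrative sketch that is not the project's own `src/AdminAuth.php`. It assumes the caller reads `site_settings.admin_password_hash` and passes it to the constructor; the class and method names follow the ones this page mentions, and the `session_regenerate_id()` call is an addition beyond what the page documents.

```php
<?php
// Added example modelled on the flow above, not the project's src/AdminAuth.php.
// The hash is assumed to be read from site_settings.admin_password_hash by the caller.
final class AdminAuthExample
{
    public function __construct(private ?string $storedHash) {}

    // Cookie attributes from the hardening table; Secure is relaxed only under the
    // built-in dev server (cli-server) so the form still works over plain http.
    public static function startSession(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        session_set_cookie_params([
            'lifetime' => 0,                 // session cookie, gone on browser close
            'path'     => '/admin',
            'secure'   => PHP_SAPI !== 'cli-server',
            'httponly' => true,
            'samesite' => 'Strict',
        ]);
        session_start();
    }

    // No hash configured (dev / cli-server) means the guard is a no-op.
    public function isConfigured(): bool
    {
        return $this->storedHash !== null && $this->storedHash !== '';
    }

    public function login(string $password): bool
    {
        self::startSession();
        if (!$this->isConfigured() || !password_verify($password, $this->storedHash)) {
            return false;                    // caller shows the error and stays on the form
        }
        session_regenerate_id(true);         // new id on privilege change (added hardening)
        $_SESSION['admin'] = true;
        return true;
    }

    public function requireLogin(): void
    {
        if (!$this->isConfigured()) {
            return;                          // open admin, matching the documented dev behaviour
        }
        self::startSession();
        if (empty($_SESSION['admin'])) {
            header('Location: /admin/login.php');
            exit;
        }
    }
}
```

Call `requireLogin()` at the top of each admin page and `login($_POST['password'] ?? '')` from the form handler; a logout handler would clear `$_SESSION` and call `session_destroy()` after `startSession()`.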