PHP Session Auth Layer — Admin Panel
Addresses: TODO item #2 (No PHP-level authentication in admin panel — 🔴 CRITICAL)
Overview
The admin panel uses a single PHP session-based authentication layer. Authentication is password-only (no username required).
| Layer | Mechanism | Configured by |
|---|---|---|
| PHP | Session guard (src/AdminAuth.php) | site_settings.admin_password_hash in DB |
The user sees an HTML login form at /admin/login.php that asks only for a
password. On successful login, a PHP session is created and all admin pages
use AdminAuth::requireLogin() to enforce the guard.
Authentication flow
Browser → /admin/login.php (HTML password-only form)
    │
    ▼
POST password → AdminAuth::login()
    └─ password_verify(password, stored_hash)
         ├─ ✓ → create session → redirect to /admin/
         └─ ✗ → show error, stay on login form
If no password hash is stored in the DB (dev / cli-server), AdminAuth is a
no-op and every admin page is reachable without a password. This is fail-open:
a production deployment that never stores the hash has no admin authentication
at all, so confirm that site_settings.admin_password_hash is set before the
panel is exposed.
PHP auth setup (production)
- Generate a bcrypt hash for the admin password:
    php -r "echo password_hash('your-secret-password', PASSWORD_DEFAULT);"
  PASSWORD_DEFAULT is currently bcrypt ($2y$) at cost 10; pass
  ['cost' => 12] as the third argument to get the $2y$12$ form shown below.
  The password typed on the command line ends up in shell history, so clear
  it afterwards or read the password from stdin instead.
- Store the hash in the DB via the admin panel at /admin/parametres
  (Account tab) or by inserting directly (the hash goes inside single quotes
  so its $ characters are not interpreted):
    INSERT INTO site_settings (key, value) VALUES ('admin_password_hash', '$2y$12$...') ON CONFLICT(key) DO UPDATE SET value = excluded.value;
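The two setup steps above as one script, added here as an example and not part of the project's tooling. It assumes SQLite through PDO and a site_settings(key, value) table (an in-memory database is created inline so it runs stand-alone); the password is read from stdin rather than argv so it never lands in shell history or `ps` output, and the stored hash is read back and verified before the script reports success.

```php
<?php
// Added example (not the project's own code): generate the admin bcrypt hash
// and upsert it into site_settings.admin_password_hash.
// Assumptions: SQLite via PDO, a site_settings(key TEXT PRIMARY KEY, value TEXT)
// table, and SQLite >= 3.24 for ON CONFLICT ... DO UPDATE.
declare(strict_types=1);

const BCRYPT_COST = 12;   // produces a "$2y$12$..." hash; PASSWORD_DEFAULT alone uses cost 10

function storeAdminPasswordHash(PDO $db, string $password): string
{
    // bcrypt only looks at the first 72 bytes; reject nonsense input early.
    if (strlen($password) < 12 || strlen($password) > 72) {
        throw new InvalidArgumentException('admin password must be 12..72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    // Same upsert as the manual SQL step; a bound parameter means the '$'
    // characters in the hash never need quoting or escaping.
    $stmt = $db->prepare(
        'INSERT INTO site_settings (key, value) VALUES (:key, :value)
         ON CONFLICT(key) DO UPDATE SET value = excluded.value'
    );
    $stmt->execute([':key' => 'admin_password_hash', ':value' => $hash]);
    return $hash;
}

function loadAdminPasswordHash(PDO $db): ?string
{
    $stmt = $db->prepare("SELECT value FROM site_settings WHERE key = 'admin_password_hash'");
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed stand-in for the real database so the script runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE site_settings (key TEXT PRIMARY KEY, value TEXT NOT NULL)');

// Read the password from stdin (not argv) so it is not recorded in shell history.
fwrite(STDERR, "New admin password: ");
$password = rtrim((string) fgets(STDIN), "\r\n");

$hash   = storeAdminPasswordHash($db, $password);
$stored = loadAdminPasswordHash($db);

echo 'stored hash prefix: ', substr((string) $stored, 0, 7), "...\n";
echo 'round-trip verify: ', password_verify($password, (string) $stored) ? "ok\n" : "FAILED\n";
```

Run it with `php setup-admin-password.php < /dev/tty` (or pipe the password in from a secret store); point the PDO DSN at the real database file to use it for a deployment.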
Session cookie hardening (TODO item #8)
AdminAuth::startSession() calls session_set_cookie_params() before
session_start(), applying:
| Attribute | Value |
|---|---|
| HttpOnly | true |
| SameSite | Strict |
| Secure | true (disabled on cli-server for dev) |
| Path | /admin |
| Lifetime | 0 (session cookie, expires on browser close) |
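The guard described in the Authentication flow section together with the cookie attributes in the table above, written out as an added example class. It is not the project's src/AdminAuth.php: the stored hash comes from a callable (an in-memory array stands in for site_settings.admin_password_hash), the session id is regenerated on login as a session-fixation precaution the page does not mention, and the "no hash stored" case is only treated as open under the cli-server SAPI and fails closed elsewhere, which is a choice made for this example rather than the behaviour the page attributes to the project.

```php
<?php
// Added example (not the project's src/AdminAuth.php): password-only session
// guard with the cookie hardening from the table above.
// Assumptions: the bcrypt hash is supplied by a callable; the cli-server dev
// bypass is explicit instead of being implied by a missing hash.
declare(strict_types=1);

final class ExampleAdminAuth
{
    /** @var callable(): ?string  returns the stored bcrypt hash, or null if none */
    private $loadHash;

    public function __construct(callable $loadHash)
    {
        $this->loadHash = $loadHash;
    }

    public static function isDevServer(): bool
    {
        return PHP_SAPI === 'cli-server';   // PHP's built-in development server
    }

    /** Cookie attributes must be set before session_start() to take effect. */
    public function startSession(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        session_set_cookie_params([
            'lifetime' => 0,                     // session cookie: gone when the browser closes
            'path'     => '/admin',              // never sent with requests to the public site
            'domain'   => '',
            'secure'   => !self::isDevServer(),  // plain HTTP only on the dev server
            'httponly' => true,                  // unreadable from JavaScript
            'samesite' => 'Strict',              // not sent on cross-site navigations
        ]);
        session_start();
    }

    public function isLoggedIn(): bool
    {
        $this->startSession();
        return !empty($_SESSION['admin_authenticated']);
    }

    /** Verify the submitted password; true means a fresh authenticated session exists. */
    public function login(string $password): bool
    {
        $hash = ($this->loadHash)();
        if ($hash === null || !password_verify($password, $hash)) {
            return false;   // password_verify() parses the bcrypt salt and compares in constant time
        }
        $this->startSession();
        session_regenerate_id(true);   // assumption added here: defeat session fixation
        $_SESSION['admin_authenticated'] = true;
        return true;
    }

    /** Call at the top of every admin page. */
    public function requireLogin(): void
    {
        if (($this->loadHash)() === null) {
            if (self::isDevServer()) {
                return;   // dev convenience, as the page describes
            }
            http_response_code(503);   // this example fails closed outside the dev server
            exit('Admin password not configured');
        }
        if (!$this->isLoggedIn()) {
            header('Location: /admin/login.php', true, 303);
            exit;
        }
    }

    /** Clear server-side state and expire the cookie (what /admin/logout.php would do). */
    public function logout(): void
    {
        $this->startSession();
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
        session_destroy();
    }
}

// Constructed usage: the hash lives in an array instead of site_settings.
$settings = ['admin_password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$auth     = new ExampleAdminAuth(fn (): ?string => $settings['admin_password_hash'] ?? null);
$wrong    = $auth->login('not the password');
$right    = $auth->login('correct horse battery');
$loggedIn = $auth->isLoggedIn();
echo 'wrong password accepted: ', var_export($wrong, true), "\n";
echo 'right password accepted: ', var_export($right, true), "\n";
echo 'session authenticated:   ', var_export($loggedIn, true), "\n";
```

In the real login handler the POSTed password would be passed to login() and the result used to redirect to /admin/ or re-render the form; every other admin page only needs requireLogin(). Note that Path=/admin means the cookie is also absent on /admin itself only if the server does not normalise that path, so keep the login and logout endpoints under /admin/ as the page does.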
Logout
A logout button (labelled Déconnexion) is shown in the admin nav when a
password hash is configured. It hits /admin/logout.php, which destroys the
PHP session.
Files
| File | Purpose |
|---|---|
| src/AdminAuth.php | Auth guard class |
| public/admin/login.php | Login form (password-only) |
| public/admin/logout.php | Logout handler |