Designing a user content website and the question is for the admin section, from a security point of view, where should it be placed?
- same domain and allow admin to enter site like other users from signin form using admin email
- Have a separate sub-domain only for admin login
- Have a separate secret domain used to access admin features
- or any other suggestions?
goal is prevent anyone from knowing about the admin section and to keep it locked as much as possible.
Thanks
Actually I work on a system that uses a separate subdomain, and there's a whole another ASP.NET project dedicated for the Admin section of the parent domain.
This has many advantages for us. Some of them are:
- Completly different authentication mechanism for one site and the other.
- We can deploy the website without shutting down the admin site and viceversa.
Well, as a basic rule, I'd say it doesn't really matter. Your login form needs to be secure, whether it's exposed or not.
However, I understand the desire to keep the admin area hidden in any case. I personally like this variant the best:
same domain and allow admin to enter site like other users from signin form using admin email
because it doesn't leave any traces on the client computer that are easily detectable (like "admin.example.com" or "example.com/super-secret-admin-area").