Login for admin and ordinary user

Question

Should I have one login form for ordinary user and admin Or should I have separate login form for admin and ordinary user?

Answer 1

It is OK to have the same form.

The purpose of the login page is authentication-- determine who the user is, not what they can do (see What is the difference between authentication and authorization?). So for example you might want them to submit a password or other token to reduce the risk that they are not the person they say they are. That can be the same process for everyone.

Certain features in your site may be available only to administrators or end users, but checking for permissions (authorization) can only be done after you're sure who the user is (they have authenticated). And logic to check for permissions should be present on every single page. So it has little bearing on what the authentication process is like.

Answer 2

You should just use one form for both admins and ordinary users if the log in information required is the same. Having two forms only makes the application more complicated to write. Having one or two login forms would be equally safe. Just remember to implement the correct security measures on the server side so a user does not get admin privileges.

The first step in authentication would be to check if the username exists, then check if the entered password matches the user's password in the database (passwords should be hashed). Then you can do authorization to check if the user is an admin.

Answer 3

While this seems to be asked in the form of an opinion, it makes more sense to answer this based on what most websites (or applications) do.

It really depends on the context. As a general rule, the same login form would be used for regular users and admin users. Generally, a parameter specifying whether the user is an admin would be stored in a database table for the users. The authentication method(s) that are executed upon clicking the login button will verify the user exists, check the password against the hash, then check the database table to see if the user is an administrator.

In some certain circumstances, I have seen a separate login page for administrators, but it is rare. One example might be a webstore that has an administration/management dashboard which is separate from the main site. Generally, though, these will work via the same form.