After performing some registrations and logins using the system, I discovered that the only basis on which the page determines if a user is logged in is using the cookie "loginAuth". The cookie isn't signed so it's quite easy to forge a fake cookie by substituting my own user for the user "Stephen". Doing this through cURL produces:

student@xenial64s:~$ curl -k https://192.168.16.1/private/admin.php -H "Cookie: PHPSESSID=a; loginAuth=Stephen2017-10-30T17%3A39%3A23Z"

Admin

Welcome back, Stephen!

You have 5 new messages.
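
One way to close the gap described above is to have the server attach an HMAC to the cookie and refuse any value whose tag does not verify. This is an added example, not the application's own code; the function names, the `|` field separator, the key handling and the one-hour lifetime are all assumptions.

```php
<?php
// Added example: HMAC-signed replacement for the unsigned "loginAuth" cookie.
// Names, separator and lifetime are assumptions, not taken from the application.

const COOKIE_TTL = 3600; // assumed cookie lifetime in seconds

// Build "urlencoded-user|expiry|hex-hmac". rawurlencode() escapes '|',
// so a username can never introduce an extra field.
function issue_login_cookie(string $user, string $key, int $now): string {
    $payload = rawurlencode($user) . '|' . ($now + COOKIE_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Return the authenticated username, or null if the cookie is malformed,
// carries a bad tag, or has expired.
function verify_login_cookie(string $cookie, string $key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // wrong shape, e.g. a bare "name + timestamp" value
    }
    [$encUser, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $encUser . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;
    }
    return rawurldecode($encUser);
}

// Demo with constructed values; a real key is generated once and kept server-side.
$key = random_bytes(32);
$now = time();

// Case 1: cookie issued by the server for the logged-in user.
$mine = issue_login_cookie('student', $key, $now);
var_dump(verify_login_cookie($mine, $key, $now));

// Case 2: the unsigned value from the request above (URL-decoded).
var_dump(verify_login_cookie('Stephen2017-10-30T17:39:23Z', $key, $now));

// Case 3: a validly signed cookie with only the username replaced.
$swapped = 'Stephen' . substr($mine, strlen('student'));
var_dump(verify_login_cookie($swapped, $key, $now));
```

Keeping the identity in server-side session state (`$_SESSION`) rather than in a client-supplied cookie removes the need for the client to carry it at all.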