New To Web Development Forum
most secure method of password protect
how and what
the_hussar
msg:3296674, 7:25 pm on Mar 29, 2007 (gmt 0)

On my latest project one of the goals is to have a password-protected page that allows the user to view his data and edit it. I know all about .htaccess but was wondering if there was a better way (read: more secure). I know a small amount of PHP and am willing to learn just about anything, so complexity is not a problem.

All help taken.

Oh yes, I am running Apache on FC6 if it makes any difference and will have about 60 users in total.


cameraman
msg:3296704, 7:58 pm on Mar 29, 2007 (gmt 0)

With htaccess basic authentication, the user name and password are sent with each request to the server. Anyone sniffing packets can pick up the credentials with any of those requests.

With PHP you can combine SSL and session management to:

  • only send the password once per session
  • store the password in encrypted (md5, sha1, etc.) form
  • time out the session on inactivity so the user has to be revalidated
  • if you know your users have static IP addresses, you can check each page request to make sure that it doesn't suddenly, inexplicably change
  • log page modifications' time, IP, username, etc.
  • force periodic password changes
  • evaluate password strength and/or enforce strong password rules

Using PHP or some other scripting language opens up the possibilities tremendously, and you can tighten up security by a significant degree.
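As an added example (not code from this thread or from any of the posters), here is a minimal PHP login page that does what the list above describes: the password is checked once and only a session id travels with later requests, the stored value is a hash rather than the password, the session is ended after a period of inactivity, the client address can optionally be pinned for users with static IPs, and each login, failure and forced logout is written to the error log with time, IP and username. It uses PHP's password_hash() and password_verify() (a salted, slow hash) rather than a bare md5 or sha1 digest, which is the one place it deviates from the wording of the post; the user store, the 15-minute idle limit and the /account.php redirect target are assumptions, and TLS is assumed to be enforced by Apache so the session cookie can be marked secure.

```php
<?php
// Added example, not code from the thread. Assumes Apache serves this over
// HTTPS only; the user store, timeout and redirect target are assumptions.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 900;   // assumed: re-authenticate after 15 min idle
const ENFORCE_STATIC_IP  = true;  // only sensible when users really have fixed IPs

// Constructed user store: username => password hash. A real site would load
// this from a database; the hash is made at signup and the password never kept.
function user_store(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// One audit line per security-relevant event: time, client IP, user, event.
function audit(string $event, string $user): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('%s ip=%s user=%s event=%s', date('c'), $ip, $user, $event));
}

// Start the session with a cookie that is only sent over TLS and is not
// readable by script; the session id, not the password, travels with each request.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

// Check the submitted credentials once; on success bind the session to the user.
function login(string $username, string $password): bool
{
    $users = user_store();
    $hash  = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        audit('login_failed', $username);
        return false;
    }
    session_regenerate_id(true);          // fresh id so a pre-login id cannot be reused
    $_SESSION['user']        = $username;
    $_SESSION['ip']          = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_active'] = time();
    audit('login_ok', $username);
    return true;
}

function logout(string $reason): void
{
    audit('logout_' . $reason, $_SESSION['user'] ?? '-');
    $_SESSION = [];
    session_destroy();
}

// Returns the logged-in username, or null (after ending the session) when the
// session is missing, has been idle too long, or comes from a different address.
function current_user(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['last_active'])) {
        return null;
    }
    if (time() - $_SESSION['last_active'] > IDLE_LIMIT_SECONDS) {
        logout('idle_timeout');
        return null;
    }
    if (ENFORCE_STATIC_IP && $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logout('ip_changed');
        return null;
    }
    $_SESSION['last_active'] = time();    // sliding inactivity window
    return $_SESSION['user'];
}

// Request handling: a POST with action=login checks credentials; anything
// else requires an existing, still-valid session.
start_secure_session();
if (($_POST['action'] ?? '') === 'login') {
    $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    if ($ok) {
        header('Location: /account.php');  // assumed page that shows the user's data
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}
$user = current_user();
if ($user === null) {
    http_response_code(401);
    exit('Please log in');
}
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Two design points worth noting: session_regenerate_id(true) after a successful check means an id handed out before login is never promoted to an authenticated one, and the audit() calls give you the "who, when, from where" trail the post mentions without storing anything secret in the log. The IP pin is deliberately a constant so it can be switched off for users behind changing addresses, where it would only produce spurious logouts.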

the_hussar
msg:3296735, 8:28 pm on Mar 29, 2007 (gmt 0)

Thanks cameraman,
I did somehow suspect that .htaccess wasn't all that great beyond basic uses.

With regard to session management, where is a good place to read up on it, or what should I be searching for?

cameraman
msg:3296769, 8:59 pm on Mar 29, 2007 (gmt 0)

I think I'd start here:
[us2.php.net]

Then there are copious real-world examples in the PHP scripting forum and its library.

Also absorb all you can on security: good practices for validating user input, preventing cross-site and SQL injection attacks. I learned a lot from this:
[phpsec.org]
Some of it's a bit hard to follow - your eyes start to glaze over - but if you go back and read it again after chewing on it awhile, it makes more and more sense. Since your first objective with sessions is security, you might actually want to first skim through that article quickly, ignore what you don't understand right off the bat, then go read the session stuff at php.net.

brucec
msg:3298864, 6:18 am on Apr 1, 2007 (gmt 0)

You can also go to pear.php.net and install one of the Authentication or Encryption packages. They are easy to use and offer encryption of packet information from your PHP data.
