Welcome to WebmasterWorld Guest from 54.158.25.146

This page requires javascript to function properly. It seems that your browser does not have Javascript enabled. Please enable Javascript and press the Reload/Refresh button on your browser.

Forum Moderators: mack

Message Too Old, No Replies

most secure method of password protect

how and what

the_hussar

7:25 pm on Mar 29, 2007 (gmt 0)

New User

joined:Mar 28, 2007
posts:8
votes: 0

on my latest project one of the goals is to have a password protected page that allows the user to view his data and edit it. i know all about .htaccess but was wondering if there was a better way(read more secure). i know a small amount of php and am willing to learn just about anything so complexity is not a problem.

All help taken.

Oh yes am running apache on FC6 if it makes any difference and will have about 60 users in total.

cameraman

7:58 pm on Mar 29, 2007 (gmt 0)

Senior Member

joined:Jan 16, 2007
posts:914
votes: 0

With htaccess basic authentication, the user name and password are sent with each request to the server. Anyone sniffing packets can pick up the credentials with any of those requests.

With php you can combine SSL and session management to:

only send the password once per session
store the password in encrypted (md5,sha1,etc) form
time out the session on inactivity so the user has to be revalidated
if you know your users have static IP addresses you can check each page request to make sure that it doesn't suddenly inexplicably change
log page modifications' time, ip, username, etc.
force periodic password changes
evaluate password strength and/or enforce strong password rules

Using php or some other scripting language opens up the possiblities tremendously, and you can tighten up security by a significant degree.

the_hussar

8:28 pm on Mar 29, 2007 (gmt 0)

New User

joined:Mar 28, 2007
posts:8
votes: 0

thanks cameraman,
i did somehow suspect that .htaccess wasn't all that great beyond basic uses

with regards to session management where is a good place to read up on it, or what should i be searching for?

cameraman

8:59 pm on Mar 29, 2007 (gmt 0)

Senior Member

joined:Jan 16, 2007
posts:914
votes: 0

I think I'd start here:
[us2.php.net ]

Then there's copious real-world examples in the php scripting forum & its library.

Also absorb all you can on security: good practices for validating user input, preventing cross-site and sql injection attacks. I learned a lot from this:
[phpsec.org ]
Some of it's a bit hard to follow - your eyes start to glaze over - but if you go back and read it again after chewing on it awhile, it makes more and more sense. Since your first objective with sessions is security, you might actually want to first skim through that article quickly, ignore what you don't understand right off the bat, then go read the session stuff at php.net.

brucec

6:18 am on Apr 1, 2007 (gmt 0)

Full Member

joined:Jan 23, 2004
posts:338
votes: 0

You can also go to pear.php.net and install one of the Authentication or Encryption packages. They are easy to use and offer encryption of packet information from your PHP data.