
most secure method of password protect

how and what



7:25 pm on Mar 29, 2007 (gmt 0)

5+ Year Member

On my latest project, one of the goals is to have a password-protected page that allows the user to view his data and edit it. I know all about .htaccess but was wondering if there was a better way (read: more secure). I know a small amount of PHP and am willing to learn just about anything, so complexity is not a problem.

All help taken.

Oh yes, I am running Apache on FC6 if it makes any difference, and will have about 60 users in total.


7:58 pm on Mar 29, 2007 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

With htaccess basic authentication, the user name and password are sent with each request to the server. Anyone sniffing packets can pick up the credentials with any of those requests.

With PHP you can combine SSL and session management to:

  • only send the password once per session
  • store the password in encrypted (md5, sha1, etc.) form
  • time out the session on inactivity so the user has to be revalidated
  • if you know your users have static IP addresses, you can check each page request to make sure that it doesn't suddenly inexplicably change
  • log page modifications (time, IP, username, etc.)
  • force periodic password changes
  • evaluate password strength and/or enforce strong password rules

Using PHP or some other scripting language opens up the possibilities tremendously, and you can tighten up security by a significant degree.
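
The list above, worked into a small PHP login module as an added example (this is not code from the thread, and the user store, paths and policy values are constructed for illustration). It assumes PHP 7.1 or later and that the site is served only over HTTPS; it uses password_hash()/password_verify() in place of a bare md5/sha1 digest, regenerates the session id on login, times the session out on inactivity, optionally binds it to the client IP, flags passwords older than 90 days, checks password strength, and appends an audit line for logins, logouts and data views.

```php
<?php
// Session-based login for a small user base: added example, not code from the thread.
// Assumptions: PHP 7.1+, the site is served only over HTTPS, and the user store
// below (a constructed in-memory array) stands in for your database table.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900;        // seconds of inactivity before re-login
const PASSWORD_MAX_AGE   = 90 * 86400; // force a password change after 90 days
const AUDIT_LOG          = __DIR__ . '/audit.log';

// Constructed sample user: only the password hash is stored, never the password.
$USERS = [
    'alice' => [
        'hash'       => password_hash('Correct-Horse-Battery-Staple-9', PASSWORD_DEFAULT),
        'changed_at' => time(),
    ],
];

function password_is_strong(string $pw): bool {
    // Example policy: 12+ characters with lower, upper and digit. Adjust to taste.
    return strlen($pw) >= 12
        && preg_match('/[a-z]/', $pw) === 1
        && preg_match('/[A-Z]/', $pw) === 1
        && preg_match('/[0-9]/', $pw) === 1;
}

function audit(string $event, ?string $user): void {
    // Append-only record of who did what, from where, and when.
    $line = sprintf("%s ip=%s user=%s %s\n",
        date('c'), $_SERVER['REMOTE_ADDR'] ?? '-', $user ?? '-', $event);
    file_put_contents(AUDIT_LOG, $line, FILE_APPEND | LOCK_EX);
}

function start_secure_session(): void {
    // Session id travels only in a cookie, only over HTTPS, hidden from JavaScript.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

function login(array $users, string $user, string $password): bool {
    // password_verify() hashes the submitted password and compares in constant time;
    // the password itself is sent once, over TLS, and is never written anywhere.
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        audit('login_failed', $user);
        return false;
    }
    session_regenerate_id(true);        // fresh id on login defeats session fixation
    $_SESSION['user']      = $user;
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_seen'] = time();
    audit('login_ok', $user);
    return true;
}

function logout(): void {
    audit('logout', $_SESSION['user'] ?? null);
    $_SESSION = [];
    session_destroy();
}

// Call at the top of every protected page; returns the username, or null after
// clearing a missing, idle, or suspicious session.
function require_login(array $users, bool $bind_ip = false): ?string {
    $user = $_SESSION['user'] ?? null;
    if ($user === null || !isset($users[$user])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        audit('session_idle_timeout', $user);
        logout();
        return null;
    }
    // Only bind to the IP for users with static addresses: NAT pools and mobile
    // networks change addresses mid-session and would log those users out constantly.
    if ($bind_ip && $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        audit('session_ip_changed', $user);
        logout();
        return null;
    }
    // Flag an expired password; the change form should apply password_is_strong().
    $_SESSION['must_change_password'] = (time() - $users[$user]['changed_at']) > PASSWORD_MAX_AGE;
    $_SESSION['last_seen'] = time();
    return $user;
}

// ---- protected page (constructed usage) ----
start_secure_session();
if (($_POST['action'] ?? '') === 'login') {
    $ok = login($USERS, (string) ($_POST['user'] ?? ''), (string) ($_POST['password'] ?? ''));
    if (!$ok) {
        http_response_code(401);
        exit('Login failed');
    }
}
$user = require_login($USERS, false);   // pass true to enable the IP check
if ($user === null) {
    http_response_code(401);
    exit('Please log in');              // serve the login form here
}
audit('view_data', $user);
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

After a successful login the browser only ever sends the session cookie, not the password, which is the point of the first bullet. Before deploying, add rate limiting on failed logins and a CSRF token on the edit form; neither is shown here.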


8:28 pm on Mar 29, 2007 (gmt 0)

5+ Year Member

Thanks cameraman,
I did somehow suspect that .htaccess wasn't all that great beyond basic uses.

With regards to session management, where is a good place to read up on it, or what should I be searching for?


8:59 pm on Mar 29, 2007 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

I think I'd start here:
[us2.php.net]

Then there are copious real-world examples in the PHP scripting forum & its library.

Also absorb all you can on security: good practices for validating user input, preventing cross-site and SQL injection attacks. I learned a lot from this:
[phpsec.org]
Some of it's a bit hard to follow - your eyes start to glaze over - but if you go back and read it again after chewing on it awhile, it makes more and more sense. Since your first objective with sessions is security, you might actually want to first skim through that article quickly, ignore what you don't understand right off the bat, then go read the session stuff at php.net.


6:18 am on Apr 1, 2007 (gmt 0)

10+ Year Member

You can also go to pear.php.net and install one of the Authentication or Encryption packages. They are easy to use and offer encryption of packet information from your PHP data.
