I have never tried to build a web site to restrict users. Before, I always
wanted everyone to be able to get to everything that I put on one of my
sites. So now I am trying to write (actually just to learn to write) a
site with a passworded front door. That is to say, you don't get in
without the password. Not a thermonuclear secure site proof against
crackers, the CIA and so forth - just a site with authorization needed.
Kind of like they do at online newspapers.
Right now it is the concept that I am needing. I spent the day in the
bookstore trying to find a book on the subject but no dice. All web
building books just concern themselves with fancy HTML concepts and PHP
books just on using the language. Apache books have quite a few chapters
on security, but only from the standpoint of preventing deep cracking, open
proxies, etc. Could find none that were concerned with how to actually
build one. Ok, so back to figuring it out.
One way that worked is to check (after the login in screen) the
PHP_AUTH_USER and PHP_AUTH_PW at the start of every module that I call.
Works ok, but seems to be a kludge.
The method that I am trying now is to put everything past the login module
into a subdir, put authorized users into a Linux group, and give access to
that group. But so far the examples of passing the user and password from
PHP to the Linux server aren't working. Or rather to say that I haven't
made it work yet. Well, actually I can do it with Perl easily, but that
isn't the point and I will never learn PHP if I go back and use what I
already know.
More reading to do. Fortunately, just before I clicked the print button I
realised the the official PHP manual is 3300 and so pages!!! So much for
taking the manual to the hammock for some comfortable reading. :-)
Insights anyone?
Thanks
Phil
8  1436 
"Phil Coen" <no****@nowhere.com> wrote in message
news:e5********************@giganews.com... I have never tried to build a web site to restrict users. Before, I always
wanted everyone to be able to get to everything that I put on one of my
sites. So now I am trying to write (actually just to learn to write) a
site with a passworded front door. That is to say, you don't get in
without the password. Not a thermonuclear secure site proof against
crackers, the CIA and so forth - just a site with authorization needed.
Kind of like they do at online newspapers.
So, you just want people to have to login before they reach the content of
your site? No need for encryption (SSL)?
Right now it is the concept that I am needing. I spent the day in the
bookstore trying to find a book on the subject but no dice. All web
building books just concern themselves with fancy HTML concepts and PHP
books just on using the language. Apache books have quite a few chapters
on security, but only from the standpoint of preventing deep cracking,
open
proxies, etc. Could find none that were concerned with how to actually
build one. Ok, so back to figuring it out.
One way that worked is to check (after the login in screen) the
PHP_AUTH_USER and PHP_AUTH_PW at the start of every module that I call.
Works ok, but seems to be a kludge.
The method that I am trying now is to put everything past the login module
into a subdir, put authorized users into a Linux group, and give access to
that group. But so far the examples of passing the user and password from
PHP to the Linux server aren't working. Or rather to say that I haven't
made it work yet. Well, actually I can do it with Perl easily, but that
isn't the point and I will never learn PHP if I go back and use what I
already know.
Generally, my approach is this:
1. Present a (secure) form, asking for a user/pass pair
2. Check this user/pass pair against a list of user/pass pairs. I usually
store them in a database, but a flat file will work too.
3. If a match is found, start a session for the user with an 'Authenticated'
flag.
4. Each page they subsequently access looks for this 'Authenticated' flag in
the session. If it exists every thing is OK, and you can deliver them the
content... but if it doesn't exist, redirect the user the the login form
(step 1), and pass the URI they tried to access to the login page. If they
login successfully, redirect them to the page they initially requested.
Insights anyone?
Hope that helps.
Thanks
Phil
"Phil Coen" <no****@nowhere.com> wrote in message
news:e5********************@giganews.com... The method that I am trying now is to put everything past the login
module into a subdir, put authorized users into a Linux group, and give
access to
that group. But so far the examples of passing the user and password
from
PHP to the Linux server aren't working.
hrm. "passing the user and password from PHP to the Linux server"
Can you elucidate wht you mean by this ? My guess would be that you are
trying to authenticate the user using the standard authentication systems
on a Linux server. However 'standard' is a very badly defined target. Most
Linux (most Unix) daemons use PAM for authentication, and can support users
stored in LDAP, local files, databases, NIS maps....
IIRC there was a PAM PECL in development but I've lost track of it and ended
up writing my own C wrapper program (which also solves the setuid problem).
But for many pruposes it may be simpler to use the POP/IMAP functions to
verify the credentials.
What exactly is the problem? How are you trying to 'authenticate'?
Aidan wrote: 1. Present a (secure) form, asking for a user/pass pair
2. Check this user/pass pair against a list of user/pass pairs. I usually
store them in a database, but a flat file will work too.
3. If a match is found, start a session for the user with an
'Authenticated' flag.
4. Each page they subsequently access looks for this 'Authenticated' flag
in
the session. If it exists every thing is OK, and you can deliver them the
content... but if it doesn't exist, redirect the user the the login form
(step 1), and pass the URI they tried to access to the login page. If
they login successfully, redirect them to the page they initially
requested.
So Aidan's doing it all in PHP. The problem with this approach is that
1) storing passwords - or password equivalents - unhashed is not generally
considered good security practice.
2) you don't get the benefit of all the tools available for account
management which can be applied to an NSS/PAM based system
having said that, it can be an advantage to maintain a stretch of 'clear
blue water' between the users whom access the website, and the conventional
users.
C.
>I have never tried to build a web site to restrict users. Before, I always wanted everyone to be able to get to everything that I put on one of my
sites. So now I am trying to write (actually just to learn to write) a
site with a passworded front door. That is to say, you don't get in
without the password. Not a thermonuclear secure site proof against
crackers, the CIA and so forth - just a site with authorization needed.
Kind of like they do at online newspapers.
Consider the possibility of using Apache basic authentication,
activated in .htaccess files. Simple, secure, and it's pretty much
done for you except turning it on and any issues of maintaining the
user list. No PHP code at all required (although the PHP code can
look at who you're logged in as and do something with it, like look
up access privileges associated with that account). I believe there
are some modules for Apache which allow authentication from a MySQL
database, which makes adding users easier.
Gordon L. Burditt
Gordon Burditt <go***********@burditt.org> wrote: Consider the possibility of using Apache basic authentication,
activated in .htaccess files. Simple, secure, and it's pretty much
done for you except turning it on and any issues of maintaining the
user list.
It's sure simple to setup, but secure?
>> Consider the possibility of using Apache basic authentication, activated in .htaccess files. Simple, secure, and it's pretty much
done for you except turning it on and any issues of maintaining the
user list.
It's sure simple to setup, but secure?
Compared to anything a beginner will cook up using PHP, it's secure.
Especially if it also uses SSL. The original poster wanted something
basic and not necessarily good against the CIA. Network sniffing
attacks are not much of an issue here. Now, if this was protecting
credit card numbers, the advice would be MUCH different.
Gordon L. Burditt
Gordon,
I would be interested in your advice for protecting credit card
numbers.
My plan was to use mcrypt and store in mySql database. I thought I
might use another field in the database as the key.
I will erase number as soon as the card is authorized.
Thank you for your help.
AND thanks to all those who answer the many questions posted to this
group. I have learned much from you.
Pat
>I would be interested in your advice for protecting credit card numbers.
My plan was to use mcrypt and store in mySql database. I thought I
might use another field in the database as the key.
Well, consider what your biggest threats are here.
If you are trying to protect against the admin of your hosted
web and/or database site, you can pretty well forget it. Although
encrypting the credit card numbers does make it a bit harder
than just a SQL query for all of them.
If your idea here is that nobody will guess which field you are
using as the key, think again. Even if you have 200 fields in the
table, it won't take that long to figure out which one is the key.
Also, you have to worry about the field used as the key changing
(people get married and change their names, addresses and phone
numbers change, etc.) Some fields don't have enough variety to be
used as a key (Let's see, one field can have Mr., Mrs., Miss, Dr.,
Queen, Pope, etc. as values but really the first three are the only
ones that will be used much.) You could use it as *part* of a key.
If you are trying to protect against accidental disclosure of a
dump of your database (or making it downloadable from the site, or
having a virus send it somewhere), it would be best if the key (or
at least an essential part of it) and the encrypted credit number
are kept separated, so whoever gets one probably doesn't get the
other. This, I would think, would mean at least separate tables,
or one table and one config file used by your scripts.
I will erase number as soon as the card is authorized.
Careful, here. How long do you actually need to keep that number
around? Consider the scenario (which is not at all uncommon for
my employer, an ISP): New user signs up for 1 year via web form.
Initial online check of the card says it's OK. The charge goes
through. Forget for the moment that an ISP normally keeps credit
card numbers around for automatic renewals, and pretend it's sort
of like a pre-paid pay-by-the-spam spamming card for an ISP, pay
once with no automatic renewals (unfortunately I think the main use
of this would be by spammers).
Two months later the credit card company reverses the charge because
the REAL cardholder spotted the charge on their statement and
objected that they don't want a dialup account for a Texas ISP
because they live in Iraq, they never ordered it, and their identity
has been stolen. (Two months is not particularly long for this
sort of thing: it can take 5-6 weeks from the charge to the
cardholder receiving the statement, and a couple of weeks before
they read and pay it, and maybe a couple of weeks for the credit
card company to investigate it.) You get this report. Now, *WHICH
ACCOUNT DO YOU SHUT OFF*? Have you still got info needed to determine
that? Can you figure out which other accounts used the same account
number that haven't been reported yet? And do you have enough info
to report the crime, so if the guy gets caught, you have enough
evidence to recover something?
Now, if you do keep the info around, perhaps these older archives
are more safely kept on a private system not usually connected to
the Internet (e.g. dialed up once a week to archive the old records),
perhaps burned on CD-ROM and normally kept in a safe in your home
(and still encrypted).
Gordon L. Burditt
Gordon,
Thanks for your thoughts. You have definitely given me some good tips
for implementing this system.
This is for a small charity and I am doing this as a volunteer.
I have many years as a mainframe developer but am fairly new to php and
web development -- so this is definitely a learning experience <grin>.
Thanks again,
Pat
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Beatrice Rutger |
last post by:
Hi,
I am a previous Micro$oft desertee (moved from VB/VC++ to Java before
this whole DOTNET thing) because I had several issues with Micro$oft. I
am not completely in love with Windoze, but I...
|
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data...
|
by: David Ingram |
last post by:
Greetings all!
I am aiming to set up simple permissions for users on a database here
at work, to the effect that certain users should be restricted from
opening certain forms and reports. I...
|
by: Craig Buchanan |
last post by:
I am using flag as the identifier for various security settings. For
instance:
Public Enum SecurityEnum
Read=0
Write=1
Delete=2
...
End Enum
|
by: Lars Netzel |
last post by:
How do I automatically generate a YES click on popups?
I tried this..
http://www.realpopup.it/realaccount/MatroExpungeIMAP.txt
But that gave me Uknow erros and I honestly do not understand...
|
by: Jeff |
last post by:
I know this is a difficult one to answer, but I am interested in opinions on
what hardware upgrades would be recommended with the following.
Access 2000 running in a split config, but all in...
|
by: Dean Craig |
last post by:
I'm getting ready to build my first ASP.NET/SQL Server website that will be
hosted on some web host out there (long distance, different network). The
work I've done in the past (pre-.NET) was all...
|
by: pippapippa |
last post by:
I should be most grateful for a little advice.
I have used Access 2000 & latterly 2002. Am about to upgrade since it is evident that documentation, tutorials etc are more readily available in...
|
by: tempest |
last post by:
Hi all.
This is a rather long posting but I have some questions concerning the
usage of character entities in XML documents and PCI security
compliance.
The company I work for is using a...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
| |
