Security question.......

Anon

Hello, I am fairly new to this jive and have reached the point of wanting to set up a log in to my updating/deleting/editing page for my client. Can anyone give me some advice here please, what level of encryption should i use and is it safe to have the form for the username and password on the same page as the edit/update/delete forms?....what should I be weary of here? Thanks heaps....

bretticus

updating/deleting/editing what in particular? I would always have a login form before letting anyone get restricted information or access.

If they're messing with sensitive information, you may wanna get a secure certificate for you domain ($100 bucks at Thawte - Requires your business articles of incorporation) and then enable SSL to begin with.

Typically the way it's done is you store the usernames and passwords in a database such as MySQL, for example (preferibly on another server if you're concerned with security). On your login form:

send SQL query such as "SELECT * FROM users WHERE username = $username AND password = $password"

If that returns a record, set a session variable to true (or some value). Then have an include file as the first line on each of your pages that checks that session variable. If the variable is not set, redirect with header(); to the login page.

That's the basics I guess ;-)

bretticus

Whoops, if you're using Apache and you wanna make this really easy, just use a .htaccess file in the directory you want to password protect:

AuthUserFile /home/you/www/priv_dir/.htpasswd
AuthName "Private"
AuthType Basic

require valid-user

Then use:

htpasswd -c /home/you/www/priv_dir/.htpasswd username

To set up a username and password for that directory.

use htpasswd without -c to add more users

For this to work, make sure in access.conf within the <Directory /home/you/www/>

#AllowOverride None

is commented out like this, and

AllowOverride AuthConfig

is uncommented

You will need to restart Apache if you change access.conf

Wow, I have writers cramp ;-)

Anon

Thanks, The site just contains image/name/description/price of stock items in a retail shop organised by category/subcategory, so there is not really any sensitive information here, I just want to make sure as much as possible that only the owner and I can gain access to the pages where all the changes are made. I have used Mysql/Php and i understand that there is md5() encryption and some others, so i was just wondering which would suit, since i dont believe that i will need a secure socket layer. Having never made a php/mysql site b4 i wanted to get it right the first time. So you you dont believe that i should put the login form within the same .php document? because if i put all the forms in one page then surely that is better? Thanks for your help...

bretticus

Just set up a plain ole jane website and stick a .htaccess file in it. That is by far the easiest option. You can setup one form and the "login form" is just a pop-up window.