I'd be interested in your views as to the best way of user authentication & securing a Linux/Apache/MySql/Php site, initially running on a shared hosted server.

I've read the article in PHPBuilder and loads of other available tutorials. I've looked at quite a few code samples, but crunch time is here - I've got to implement one approach or another, but what method is best?

Thanks, in advance

    simply using the .htaccess and .htpasswd files to password protect a directory is a fast and fairly secure way of handling a login and protecting data

    if you don't feel like spending the devel. time on the project, but would rather pay someone, I believe Verisign has some products/solutions that would do this

      I agree with Kevin on this one, using .htaccess and .htpasswd is a good way to do user authentication and if you need your script to run based on the name of the user logged in you can use $PHP_AUTH_USER or $_SERVER[PHP_AUTH_USER] depending on your version of PHP

        there are other, more secure ways if you're interested

          If you are using basic authentication (i.e. using htpasswd to generate a password file) then that is a good way, but not very secure since it passes the password to the server in plain text. Of course the only way to get this password is to run a program to sniff the packets as they come out of a computer, which isn't done that much and can be detected with a good firewall...

          On the other hand, there is something called digest authentication (which is also available on an apache server). This only works with IE though, so if you are using anything else, you're screwed. This causes the browser to encrypt the password BEFORE it leaves your computer.

          However, as far as I am aware, there is no way of using variables with this type of authentication like there is with basic authentication.

            I think that running an SSL server helps, because I believe all information is encrypted.... however, that will really slow down your site...

            The other method that is not mentioned here is to hash the password before it gets sent from the client via JavaScript. But there again, you're reliant on the client to have a certain setup...

            Hope this helps 🙂

              Thanks for the useful info so far. I agree about the basic Apache .htaccess and .htpasswd authentication - it would certainly be easy to implement.

              The problem that I have is that the purpose of the web based app is allow the user to run reports from some network gear running on their WAN. This means that the app has to see the gear on the internal side of the customers' firewall and requires the passwords for this kit. I have to convince the network admins that there are minimal security implications in using my application over the internet.

              The thoughts about SSL are good, and I am looking into it (also with Verisign), however I am concerned about the speed implications of SSL as I don't want to run into connection timeout problems.

              Client side password encryption seems a good idea, particularly when used with something like the http://www.phpsecurepages.com app. I came across an excellent system at http://www.polar-lights.com, however it is (quite rightly) designed to limit user access from known IP addresses and my users will need to access my app from various locations (different offices, home etc). I also cannot dictate the use of just IE browsers, although I can dictate that users have cookies and JavaScript enabled (as these are required to administer the networking gear directly). Quite a challenge!

              Devarticles - yes I am interested!

              Taking this a stage further - I am still trying to find out about the web server IP address transmission to the firewall. As my app sets up connections with the network gear through the firewall I understand that it is the web server, and not the client, IP address that the server sees. The app also runs reports from the equipment's CGI bin via <img src = 123.123.123.123/?cgi> which is from the client's browser - does the firewall still see the web server address for this transaction?

              Thanks for your excellent help so far

                probably the best way is to use a database.

                store all your passwords in a db

                encrypt the password with md5 or something.

                then create two functions, the first checks the given user name and password against the database, if it's a match it stores the login in a second database, along with the ip and session id.

                in that function return a value of 0 or 1, 1= logged in, 0=failed

                on each page,

                call something like

                include "security_function.php";

                // IsLoggedIn() is the first function described above: returns 1 if logged in, 0 if not
                if (IsLoggedIn() < 1)
                {
                    // not logged in: stop before any page content is sent
                    exit;
                }

                also create a second function, that grabs the values from the second database, so you can print something like this when they login

                welcome back, {name}

                if you want more details, let me know, that's just a really basic idea how I would do it
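The two-function scheme described in the post above, written out as an added example (not the poster's code). It assumes a `users` table with `id`, `name` and `password_hash` columns and a `logins` table with `user_id`, `session_id`, `ip` and `logged_in_at` columns, and takes an open PDO connection as a parameter; it uses PDO prepared statements and PHP's `password_hash()`/`password_verify()` in place of the md5() the post mentions.

```php
<?php
// security_function.php (added example, not the poster's code): the two-table
// login scheme described above, written with PDO prepared statements and
// password_hash()/password_verify() in place of md5(). Assumed schema:
//   users(id, name, password_hash)  logins(user_id, session_id, ip, logged_in_at)
session_start(); // the session id recorded at login is checked on every page

function Login(PDO $pdo, string $username, string $password): int
{
    // Look the user up by name; the hash is compared in PHP, never in SQL.
    $stmt = $pdo->prepare('SELECT id, name, password_hash FROM users WHERE name = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return 0; // unknown user or wrong password: same answer for both
    }
    // New session id on successful login so a pre-set id cannot be reused.
    session_regenerate_id(true);
    $stmt = $pdo->prepare(
        'INSERT INTO logins (user_id, session_id, ip, logged_in_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$user['id'], session_id(), $_SERVER['REMOTE_ADDR']]);
    $_SESSION['user_id'] = $user['id'];
    return 1;
}

function IsLoggedIn(PDO $pdo): int
{
    // Valid only if a login row exists for this session id AND client address,
    // so a session id replayed from another host is rejected.
    if (empty($_SESSION['user_id'])) {
        return 0;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM logins WHERE user_id = ? AND session_id = ? AND ip = ?');
    $stmt->execute([$_SESSION['user_id'], session_id(), $_SERVER['REMOTE_ADDR']]);
    return $stmt->fetchColumn() ? 1 : 0;
}

function LoggedInName(PDO $pdo): ?string
{
    // The second function from the post: the name for "welcome back, {name}".
    $stmt = $pdo->prepare(
        'SELECT u.name FROM users u JOIN logins l ON l.user_id = u.id WHERE l.session_id = ?'
    );
    $stmt->execute([session_id()]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}
```

Each protected page includes this file and checks `if (IsLoggedIn($pdo) < 1) { exit; }` before sending any content; rows in `users` are created with `password_hash($plain, PASSWORD_DEFAULT)` so that `Login()` can verify them.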


                  Hi Devarticles,
                  I am a PHP/MySQL newbie. I would really appreciate if you could explain the secure login with session tracking in detail.

                  You could email me at waldarama@yahoo.com.

                  Thank you very much.

                  wald.
