[Resolved] Possibilities to make a site 'safe'

Grisu

I am currently setting up a PHP-application which should run on an internet-server. This application is only for certain people that get an username and password from me.

Now I want to make sure that nobody else can get any information out of this server. I would like to know your experience or ideas what I can do. I already have looked around and fount the following, but always a problem. Maybe you have solutions also for these problems:

.htaccess - Access with AUTH - Problem that if you safe a password in your browser for that path (the root-directory) you can not logout again.
Sessions - Problem that somebody might find a file on my server where I did not check the e.g. $_SESSION["logedin"] var. Especially for plain html-files or images but also for include-php-files
VPN - Problem that the user has to have a VPN-software running on his computer
SSL - Only a solution to make it safer in combination with .htaccess or Sessions.

What do you think about that and how do you handle that?

Thanks for your help.
Grisu

planetsim

Well its almost impossible to keep the security like that especially if you only want certain users to be able to view the site.

You will need some sort of user authentication to verify the user is allowed access so sessions will be required.

Depending on what your site is about and who it is for SSL is a bit drastic for a whole site and it only protects against spoofing which even then good hackers can go around.

Most of what has been suggested can be faked or passed around but of course the average user wouldnt know how, so it comes down to what is the site about and for

Corpheous

Session variables are about the safest thing I've found. What about encrypted cookies though? PHP cookies? When I open them up to try and "hack" them they don't come up with anything but huge encrypted strings with a couple text parts that mean absolutely nothing (domain site where cookie was set and the like).

daveyboy

normally i include a file inc/init.inc in all my php files - it takes care of other includes and sets site-wide variables. for sites with logins i usually have a function, require_login(), which checks the session for a username and redirects the browser to the login page if it can't find one, passing the url of the current page to the login script so they can be redirected back upon successful login.

just write such a function and call it in your config or init script or make it's called on EVERY page. you should call the function before any of the code on your page is run and don't forget to call exit() after sending header('location: ...') to make sure the user cannot interact with the script if they are not logged in.

for me, there's never a risk of forgetting to call the function, cos it's in the init.inc script, without which nothing will work anyway.

inc files are protected by .htaccess files. if you need to prevent access to other files on the server, you can block direct access to the directory with .htaccess and serve the files via a php script (images.php?img=private.jpg) which includes your login check.

Grisu

Thanks to all, some good ideas and comments I will use.

Grisu

mtimdog

My answer: use both .htaccess and session variables.

I like to use an index page and put all my other files in a folder with .htaccess.

When the index page loads--checks $SESSION vars to see if logged in. If not...include login form. If so, then proceed with including page by $POST or $_GET.