Simple site security?

andrew_embassy

So I've got this site- and as I was developing the admin section of the site I was too engrossed in developing the technology to think too much about security. So right now the section of the (not yet live) site has pretty much no security.

I need a relatively simple way I can restrict access to this section of the site- but I'm kind of blanking on how to do it-

what upon successful login putting a cookie on the users machine?

if (!$username == "whatever" or !$pwd == "cha") {
exit('you don't have access');
}

but will that just end the current php script? These are mixed php and html pages...

What about _Halt_Complier();?

Thanks in advance!

bbreslauer

Shameless plug: I have a login script here (http://filletoghoti.com/projects.php) which requires PHP and MySQL, and has been pretty secure in my attempts, though I won't garantee the security, for obvious reasons. I use it in the admin sections of websites I create, and it's fairly flexable, so you should be able to incorporate it pretty easily.

Regarding what you proposed: cookies can work, and they are used in a number of places. Just make sure that the cookie gets deleted upon logout of closing of the browser, and that you set an expiration date, or else you'll have a security hole there.

Also, you shouldn't have the password in the script itself, as that is a security hole as well. It should be stored somewhere else, and access to that should be restricted as much as possible.

I've never used _Halt_Compiler() (or heard of it, for that matter), so I can't comment on it. Though, the exit() function will stop the page from loading any of the content beyond the exit() command.

justsomeone

I was too engrossed in developing the technology to think too much about security.

But security is part of technology. Trying to bolt it on afterwards is never the right approach.

duppie

Try Session_start. Works fine for me.
All server side. No cookies. MD5 pass encryption

andrew_embassy

justsomeone wrote:
But security is part of technology. Trying to bolt it on afterwards is never the right approach.

thanks, dad.

andrew_embassy

duppie wrote:
Try Session_start. Works fine for me.
All server side. No cookies. MD5 pass encryption

I need to do more research on how Session_start is implemented... I may end up doing that...

maxpup979

depending on the complexity of your app, as well as your environment, you may just be able to lock down the admin section with an htaccess file. No username and password=no way to view the secure files.