restricted area

kante

Let's say I'll have a restricted area. A set of users enter they username and password session start then browse the private contents.

It would be nice to restrict the access from a single IP. But since the users need to access from home too... this is not possible. and since they access from untrusted PC they may be source of security issues...

What would u suggest to increase the security to have something more than the simple user/pwd couple?

I have the following ideas :
a) use a internet address like http://safe.mysite.com and the in the php script cheack if the hostname is like that or else log out the user...

b) give a keyfile to the users ... is it possible to implement?

c) implement the pinPAD as additional security input

I wait for comments
thank you vM :-)

dagon

if username\password over https is good enough for my bank, do you really need any more security?

ip is pointless as you point our multiple places, also lots of users ip's change every time they log in, and some may use a new ip for every request.

reli4nt

Sometimes the best security approach is to just assume someone will get in and take it from there:

Log out the session after a period of inactivity.
Don't make the site hard to use (when it is hard users take shortcuts that may compromise security).
Limit the harm a malicious user can do.
Assume all users are malicious.
Back up everything so that you can always undo any harm that has been done.
As so on...

kante

Thanks to all for these basic suggesions..
@: in my post I said i cannot restrict from IP. That wasn't an option already

But I wish I could read an higher level programming security tip...