Security Question

ziggs

Hey. Its me again. Ok here is my question now. What would be best for an admin thing? Security more/less. 1. Sessions 2. Cookies 3.All code on one page and it time out. Any other ideas that you have found that work well? This thing needs to have a heavily guarded admin function. What's everyone take on this?
Ziggs

[deleted]

there is no difference in security between 1,2, and 3, non of them have anything to do with security at all.

For admin functions, security means that you and you alone can access them, and that the scripts will only process commands if you issue them. This means that the scripts must be able to verify your identity. The simplest way to do that is to use SSL and simple .htaccess passwords. SSL means nobody can spy on your password nor your commands, and .htaccess means only people who know the password can get in. And every script must be able to verify your identity by your IP number.

A forum, a FAQ, email notification, what else do you need?

Time to YAPF!: http://www.hvt-automation.nl/yapf/

van__

A combo of rational thinking and a little trickery.

of course this shall be a user authenticated section, and yes... by all means do use sessions.

If you wanted to get real anal about it, you could create your own TCP auth feature by creating a list of known IP's for each authorized user in your database table, thus allowing access from that user/pass combo from a finite amount of IP's (or you could say within a range via regex or substr)
But that statrs to get involved (but hey... it's a security feature)

Another little trick you can pull (and one that I do recomend) is to place the admin page directory well outside your doc_root say someplace funky like /etc/myLib/ and then do something like this...

in your httpd.conf enter:
Listen 888 (or any arbitrary number)

Now that Apache will be listening to port 888 add a vhost...
<VirtualHost default:888>
DocumentRoot /etc/myLib/

followed by the rest of your host directives

</VirtualHost>

...if the server is NOT your default server, you can just specify it as so:
<VirtualHost myserver.com:888>

now just restart apache

If you do all of that you get the nicety of PHP_SESSIONS with users from authorized hosts and they all need to know the port to access your script to even find the login 🙂

that aughta be good enough for most stuff, unless of course you got like the FBI files from Roswell or something.

ziggs

So your saying put it behind a SSL server? Still have the same scripts but with SSL?
Ziggs

ziggs

I don't own the server. Its with ciwebhosting.com so I cannot change the httpd.conf file. Or I would do what you said. Any other ideas?
Ziggs

van__

Well, in that case you'll probably want to use your hosts free SSL server (if they give you one)

If they don't, you can ask your host to add a cname like authusers.mysite.com to your account and give that it's own little doc_root.

else, you'll just have to wing it with maybe a secret URL to some buried directory and vanilla sessions.

if you do use the secret URL,
be sure to create a robots.txt file to prevent any spiders from visiting that directory

Greetz Bot! <- very important line here

User-agent: *
Disallow: /path/to/my_secret/dir

ziggs

Thanks so much. I will look into it. Thank you!
Ziggs

Anon

be sure to create a robots.txt file to prevent any spiders from visiting that directory

Are you sure that's a good idea? Then any user could open yoursite.com/robots.txt and get a list of all your secret urls.

van__

ohh nice one Ellery.
Forgot about that, I always forcetype my robots.txt as PHP which checks the user agent to ensure that surfers aren't flagged as bots, so they don't get that stuff.

Ahh well.
Just .htaccess the damn directory and start sessions with $GLOBALS['PHP_AUTH_USER'].

ziggs

Ok thanks guys. I will use SSL, have password protected directories, and then have a login script pull from MySQL also. Sound good? Will it work is the main question. Any other things you would suggest? Thanks guys/gals!
Ziggs