Posted by Raymond Still on 01/31/05 06:53
On Sun, 30 Jan 2005 18:49:41 -0800 (PST), "Richard Lynch" wrote:
>
> Raymond Still wrote:
> > Hello;
> > I'm trying to figure out the best (most secure and most user friendly, security of primary importance) way to let a user log-in.
> > I am setting up a web application (database application) that will be for private use only and I want to keep it secure.
> > As I understand it, using the Apache htaccess method is secure as there is essentially no communication without a username and password, but it does lack a little in flexibility and presentation.
> > On the other hand, PHP certainly has the edge on flexibility and presentation, but I have questions regarding its security. If you look at the threads regarding connecting to databases, you often see a warning to the effect of: store your connection password etc. outside of the document path in case PHP fails and your file is displayed unprocessed.
> > So my question is, how can you count on PHP to log somebody in, and prevent access to files when PHP may fail, or the user could just go into the directory structure and bypass security.
>
> You've smushed about 5 different security issues into one giant ball of snarled yarn.
>
> Your question is roughly allegorical to: How can you call a deadbolt secure when the home-owner could just leave their ADT off and the back window unlocked?
>
> Now, for starters:
> HTTP Authentication is not particularly secure over a non-SSL connection as the password is transmitted in plain-text.
>
> In fact, for *ANYTHING* where security matters for logging in and out, use SSL.
>
> After that, there's no real "win" to HTTP authentication except for that cool/annoying popup window.
>
> You've got a long way to go before you properly understand all the security issues you've jumbled together -- Took me forever, too. :-)
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Hello;
You're absolutely right and I freely admit it. I know just slightly more than zero about internet security. :)
Can anyone recommend some good resources so that I can learn? I'm not looking for "use this function" or "that program", but something that will help me to actually understand.
TIA
Ray
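Richard's point that HTTP (Basic) authentication sends the password in the clear over a non-SSL connection, as an added example that is not part of this thread: a small Python checker that decodes the Authorization header from constructed request captures and flags the ones that travelled over plain HTTP. The captures, hostname and credentials below are made up for the demonstration.

```python
import base64
import binascii
from typing import NamedTuple, Optional

# Constructed sample "captures": what someone on the network path would see
# for requests to a login-protected page. The plain-HTTP headers are readable
# as-is on the wire; the HTTPS ones are only readable after TLS decryption,
# which is why the scheme is part of each record.
CAPTURES = [
    {"scheme": "http",  "host": "app.example.test",
     "headers": {"Authorization": "Basic cmF5OmxldG1laW4="}},
    {"scheme": "https", "host": "app.example.test",
     "headers": {"Authorization": "Basic cmF5OmxldG1laW4="}},
    {"scheme": "http",  "host": "app.example.test",
     "headers": {"Cookie": "PHPSESSID=abc123"}},
]

class Finding(NamedTuple):
    host: str
    username: str

def decode_basic(header_value: str) -> Optional[tuple]:
    """Return (username, password) from a 'Basic <b64>' value, or None.

    Basic auth is base64(user ":" password): an encoding, not encryption,
    so anyone who can read the header can read the credentials.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def cleartext_basic_auth(captures) -> list:
    """Flag requests whose Basic credentials travelled without TLS.

    Only the username goes into the finding, so the report itself does not
    become a second copy of the password.
    """
    findings = []
    for req in captures:
        creds = decode_basic(req["headers"].get("Authorization", ""))
        if creds and req["scheme"] == "http":
            findings.append(Finding(req["host"], creds[0]))
    return findings
```

The same check belongs in a web server or proxy configuration as a redirect from http to https, so the header is never accepted over the plain port in the first place.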