Posted by Aidan on 10/19/37 11:21
"Phil Coen" <nobody@nowhere.com> wrote in message
news:e5ydncAmHY4WrErfRVn-jw@giganews.com...
> I have never tried to build a web site to restrict users. Before, I always
> wanted everyone to be able to get to everything that I put on one of my
> sites. So now I am trying to write (actually just to learn to write) a
> site with a passworded front door. That is to say, you don't get in
> without the password. Not a thermonuclear secure site proof against
> crackers, the CIA and so forth - just a site with authorization needed.
> Kind of like they do at online newspapers.
So, you just want people to have to login before they reach the content of
your site? No need for encryption (SSL)?
> Right now it is the concept that I am needing. I spent the day in the
> bookstore trying to find a book on the subject but no dice. All web
> building books just concern themselves with fancy HTML concepts and PHP
> books just on using the language. Apache books have quite a few chapters
> on security, but only from the standpoint of preventing deep cracking, open
> proxies, etc. Could find none that were concerned with how to actually
> build one. Ok, so back to figuring it out.
>
> One way that worked is to check (after the login screen) the
> PHP_AUTH_USER and PHP_AUTH_PW at the start of every module that I call.
> Works ok, but seems to be a kludge.
>
> The method that I am trying now is to put everything past the login module
> into a subdir, put authorized users into a Linux group, and give access to
> that group. But so far the examples of passing the user and password from
> PHP to the Linux server aren't working. Or rather to say that I haven't
> made it work yet. Well, actually I can do it with Perl easily, but that
> isn't the point and I will never learn PHP if I go back and use what I
> already know.
Generally, my approach is this:
1. Present a (secure) form, asking for a user/pass pair
2. Check this user/pass pair against a list of user/pass pairs. I usually
store them in a database, but a flat file will work too.
3. If a match is found, start a session for the user with an 'Authenticated'
flag.
4. Each page they subsequently access looks for this 'Authenticated' flag in
the session. If it exists everything is OK, and you can deliver them the
content... but if it doesn't exist, redirect the user to the login form
(step 1), and pass the URI they tried to access to the login page. If they
login successfully, redirect them to the page they initially requested.
> Insights anyone?
Hope that helps.
> Thanks
> Phil
>
>
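The four steps in the reply above, written out as an added PHP example (this is not Aidan's or Phil's code). It assumes a constructed in-memory user list keyed by username with `password_hash()` output as the value (the reply suggests a database or flat file instead), a session flag named `Authenticated`, a login page at `/login.php`, and a `return` parameter carrying the URI the visitor originally asked for; those names are this example's choices, not anything from the post.

```php
<?php
// auth.php -- added example, not code from the original thread.
// Step 1: login form; step 2: check user/pass against a list;
// step 3: set an 'Authenticated' flag in the session;
// step 4: every protected page checks the flag and otherwise redirects
//         to the login form, remembering the requested URI.

declare(strict_types=1);

session_start();

// Step 2 data: constructed sample users (username => password hash).
// Hashes are generated at startup so the file runs anywhere; a real site
// stores only the hash, never the plaintext. Sample login: alice / correct-horse
$USERS = [
    'alice' => password_hash('correct-horse', PASSWORD_DEFAULT),
];
// Hash to verify against when the username is unknown, so a wrong username
// costs about the same time as a wrong password.
$DUMMY_HASH = password_hash('unused-dummy-password', PASSWORD_DEFAULT);

/** Step 2: look the user up and compare the submitted password with its hash. */
function check_credentials(array $users, string $dummyHash, string $user, string $pass): bool
{
    $hash = $users[$user] ?? $dummyHash;
    $ok = password_verify($pass, $hash);
    return $ok && isset($users[$user]);
}

/** Step 3: on a match, start the authenticated session with a fresh session id. */
function login_user(string $user): void
{
    session_regenerate_id(true);          // do not keep the pre-login session id
    $_SESSION['Authenticated'] = true;
    $_SESSION['user'] = $user;
}

/**
 * Only redirect back to a local path. The reply passes the requested URI
 * through the login form; accepting any string there would let "return"
 * point at another host, so restrict it to a single-slash relative path.
 */
function safe_return_path(?string $path): string
{
    if ($path !== null && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $path)) {
        return $path;
    }
    return '/';
}

/** Step 4: call this at the top of every protected page. */
function require_login(): void
{
    if (!empty($_SESSION['Authenticated'])) {
        return;                            // flag present: deliver the content
    }
    $wanted = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: /login.php?return=' . rawurlencode($wanted));
    exit;
}

/** Handles the POST from the form (steps 2 and 3). Returns an error message or null. */
function handle_login_post(array $users, string $dummyHash): ?string
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return null;
    }
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    if (check_credentials($users, $dummyHash, $user, $pass)) {
        login_user($user);
        header('Location: ' . safe_return_path($_POST['return'] ?? null));
        exit;                              // back to the page they first asked for
    }
    return 'Invalid username or password.';
}

/** Step 1: the form. The requested URI rides along in a hidden field. */
function render_login_form(?string $error): void
{
    $return = htmlspecialchars(safe_return_path($_GET['return'] ?? $_POST['return'] ?? null), ENT_QUOTES, 'UTF-8');
    if ($error !== null) {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="/login.php">'
       . '<input type="hidden" name="return" value="' . $return . '">'
       . '<label>User <input name="user"></label> '
       . '<label>Password <input type="password" name="pass"></label> '
       . '<button type="submit">Log in</button></form>';
}

// Usage: login.php does
//     require_once 'auth.php'; render_login_form(handle_login_post($USERS, $DUMMY_HASH));
// and every protected page starts with
//     require_once 'auth.php'; require_login();
```

Step 1 in the reply says the form should be "secure"; that part is the web server's TLS configuration, not PHP, so the example leaves it out. The `safe_return_path()` check is the one piece worth keeping even in a learning project: the redirect-back-after-login convenience is where a login page most often ends up forwarding visitors to an arbitrary URL.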