Posted by Peter Fox on 03/10/06 11:41
Following on from Peter Chant's message. . .
>I'm considering setting a website up for a club. I do not plan the contents
>to be for public consumption, but on the other hand I'm not going to have
>anything on there that is confidential, that would cause a problem if it
>went further.
I've just read the 10 or so messages in this thread and here is my
different suggestion.
* You might find it extremely useful to identify (with reasonable
confidence short of definite) who is accessing the site either for
statistics or general policing. eg What do you do if somebody leaves
the club? So one ID per person sounds a good idea.
* You already have some sort of ID system in your membership list. Ie.
some unique tag that you control and doesn't change at the whim of the
member (eg email address can change but club membership number is
fixed.)
* If you email people their access 'code' then that's a reasonably
private thing. The problem you are majoring on is getting people to
type in 'their membership number' [For purposes of discussion I'll
ignore spoofing considerations of using a membership number - you
wouldn't use that.] All you do is email them an address such as
<http://myclub.co.uk/members.php?MbrNo=12345> which is different for
each member.
Your 'index.htm' page is for non-members with a bit linking to how to
access members area (including what if you are a member but unexpectedly
here.)
members.php redirects duff $_GET['MbrNo'] values to the front page.
Your joining instructions go as follows:
1. Go to myclub.co.uk and click on 'I am a member'
2. Enter your name, number, email address and street name
The system then sends you an email informing you how to access the
member's area.
(You log the information for the benefit of the membership sec who can
check street names. The access code is some hash or random number.)
3. Go to the web page indicated in the email AND BOOKMARK IT.
(You might also attempt to set a cookie, that can be fallen back on if
the user goes direct to the main page.)
Can you see what's happened? The access key is in the bookmark and
doesn't rely on cookies or memorising passwords or any typing in.
When a page is accessed with ?MbrNo=12345 you should start it with
"Hello Charlie Smith" just so _everyone knows_ the system has identified
them. If Bots get to index.htm then that's great 'cos you presumably
want to let non-members know of your Good Works. But make sure there is
no link between index.htm and members.php (even if members.php is botted
all that happens is a redirect to index.htm 'cos no bot will know the
?MbrNo bits required.)
--
PETER FOX Not the same since the borehole business dried up
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
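
A sketch of the members.php check described in the post above, added as an example and not part of Peter Fox's message. It assumes PHP 8; the `$members` array is constructed sample data standing in for the club's membership list, the function names are hypothetical, and the `MbrNo` parameter carries a random access code rather than the membership number.

```php
<?php
declare(strict_types=1);

// Constructed sample data: membership number => record (stand-in for the club's member list).
$members = [
    '12345' => ['name' => 'Charlie Smith', 'active' => true, 'code_hash' => null],
    '12346' => ['name' => 'Sam Jones',     'active' => true, 'code_hash' => null],
];

// Issue a random 128-bit access code; only its SHA-256 hash is kept server-side.
function issue_access_code(array &$members, string $mbrNo): string
{
    $code = bin2hex(random_bytes(16));
    $members[$mbrNo]['code_hash'] = hash('sha256', $code);
    return $code; // goes into the emailed link only
}

// Map a raw ?MbrNo= value to an active member, or null for anything duff.
function resolve_member(array $members, mixed $raw): ?array
{
    if (!is_string($raw) || !preg_match('/\A[0-9a-f]{32}\z/', $raw)) {
        return null; // wrong type or shape, e.g. a bare membership number
    }
    $hash = hash('sha256', $raw);
    foreach ($members as $mbrNo => $m) {
        if ($m['active'] && $m['code_hash'] !== null && hash_equals($m['code_hash'], $hash)) {
            return ['mbrNo' => (string)$mbrNo] + $m;
        }
    }
    return null;
}

// What members.php would do with $_GET['MbrNo'] ?? null.
function members_page(array $members, mixed $raw): string
{
    $m = resolve_member($members, $raw);
    if ($m === null) {
        return 'Location: /index.htm'; // in members.php: header(...); exit;
    }
    return 'Hello ' . htmlspecialchars($m['name'], ENT_QUOTES, 'UTF-8');
}

$code = issue_access_code($members, '12345');
echo members_page($members, $code), "\n";    // the emailed code
echo members_page($members, '12345'), "\n";  // a guessed membership number
$members['12345']['active'] = false;         // the member leaves the club
echo members_page($members, $code), "\n";    // the old bookmark
```

Because the code travels in the URL it also lands in server logs and browser history, so reissuing a code for a member should overwrite the stored hash, as `issue_access_code` does.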