Question
How (in)secure is this?
Ok, I admit I'm pretty clueless when it comes to security.
It's never been an issue in the few apps I've built. I've got one
now though that requires basic login security. I want to run my
idea by you guys and see how bad it is...
First off, I'm not securing anything all that important. No financial data, not much personal information. Nothing anyone could use for a scam or anything more malicious than putting people on a spam list. But I do want to keep different database tables somewhat secure, viewable only to the users who have the username and password for that section.
Here's what I'm thinking:
1. A master login page that takes a username and password, stores them as session variables, then goes....
2. ...to a page that pulls the record that matches that username out of a database table. A cfif statement will also check the password to verify it matches. If the username and password session variables don't exist, or if the password doesn't match the password stored in the DB record for that username, cflocation back to the login page.
3. If the username and password DO match the info stored in that database record, cflocation to that user's folder of the website (that path stored in the database record). Every page in this folder (only a few) will have code that verifies that the username and password session variables exist, and that the password matches the value stored in the DB record for that username. If not, cflocation back to the login page.
This will be a MySQL database, and I will turn directory browsing off.
The main problem I see is that it won't really guard a user with a valid password from accessing an area of the site that isn't intended for him, if he knows the exact path to get there (which hopefully he can't figure out). I figure I could fix this by hardcoding in the required password and username values for that section, but I want a template I can use to create new user folders, without having to tweak the authentication code for each new folder.
So, pretty damn generic. With directory browsing off, is there an easy way that a non-hacker type of user could figure out the path to another user's section of the site?
Or, is there another easy way to do this that doesn't require code tweaks every time I set up a new section?
Thanks...
Joe

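The design in the post authenticates (is the password right?) but, as Joe notes, does not authorize (is this user allowed in this folder?), and it keeps the password itself in the session and compares it against a plaintext value in the table. The sketch below is an added example, not code from the post or from any ColdFusion library; it is written in Python so it runs stand-alone, and it models the same three steps generically. It assumes a hypothetical user table with a salted password hash and the user's assigned section path (the sample users, passwords and paths are constructed). The page-level check reads the allowed section from the user's own record, so the same code can sit in every folder without per-folder tweaks, and a valid user who guesses another user's path is still refused.

```python
import hashlib
import hmac
import os
import posixpath
import secrets

# Constructed in-memory stand-in for the MySQL user table in the post.
# Each record holds a salted PBKDF2 hash, never the plaintext password,
# plus the section (folder) that user is allowed to see.
USERS = {}

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def add_user(username, password, section):
    """Create a user record (hypothetical equivalent of an INSERT into the user table)."""
    salt, digest = _hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "section": section}


# Constructed sample users; in the post these rows would live in MySQL.
add_user("alice", "correct horse", "/clients/alice/")
add_user("bob", "battery staple", "/clients/bob/")


def login(username, password):
    """Step 1 and 2: verify the password and return a session dict, or None.

    The session carries only the username and a random token, so the password
    never needs to be stored in session scope or re-compared on every page.
    """
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so a missing username takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    _, digest = _hash_password(password, rec["salt"])
    # Constant-time comparison of the stored and computed hashes.
    if not hmac.compare_digest(digest, rec["hash"]):
        return None
    return {"username": username, "token": secrets.token_hex(16)}


def authorize(session, requested_path):
    """Step 3, generic version: allow the request only if a session exists and
    the requested path lies inside the section assigned to that user's record.

    Because the allowed section comes from the database row, this same check
    works unchanged in every user folder.
    """
    if not session or "username" not in session:
        return False
    rec = USERS.get(session["username"])
    if rec is None:
        return False
    # Normalise both paths so "../" segments cannot escape the assigned folder.
    norm = posixpath.normpath("/" + requested_path.lstrip("/"))
    section = posixpath.normpath(rec["section"])
    return norm == section or norm.startswith(section + "/")


if __name__ == "__main__":
    sess = login("alice", "correct horse")
    print("login ok:", sess is not None)
    print("own folder:", authorize(sess, "/clients/alice/index.cfm"))
    print("other user's folder:", authorize(sess, "/clients/bob/index.cfm"))
```

The check that matters for Joe's "exact path" worry is `authorize`: the folder a user may enter is a property of the user's record, not of the page, so knowing another user's path gains nothing. With directory browsing off, paths are still guessable (a predictable naming scheme like `/clients/<name>/` is enough), which is why the per-page check should compare against the record rather than rely on the path staying unknown.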