Hi everyone!
I'm using user authentication to secure a site.
Besides that, I'm using some basic security methods, like not indexing the whole folder I want secured, a blank index.html in subfolders, etc.
I've got 2 questions about that:
1st: The password isn't actually encrypted right now. It's a regular VARCHAR field with plain text. How can I encrypt it, and how can I make a password reminder? (With plain text a password reminder is easy, but once the password is encrypted, I need to make some script to replace the old password with a new encrypted one... how can I do this?)
2nd: Is that enough security? I don't want to secure credit cards or bank accounts. Just a basic CMS with some features, so basically the secured section is the administration panel.
Thanks in advance
Cheers!
Are you using CF or PHP?
Method 1 - regardless of what app language you are using, a sure and easy way to secure your admin is to locate it in a folder and have security set at the server level to require a login to access the files. This effectively stops anyone from getting to anything in the folder until they have successfully logged in. You need to be able to set this at the server level to assign a user or users and grant them access to the folder. If your host will allow this, it is an effective way to protect the folder. - The downside to this is that it is a simple in-or-out situation. There's no way to allow different users different levels of access as you could by doing this at the application level. If you need this you'll have to proceed to method 2.
Method Two - Make the index page of the folder your login page, then create a security check so that if a user is not logged in and they are on any page other than the index page, they are automatically transferred to the index / login page. In the case of PHP, the script checking for login status would need to be placed at the very top of every page in the folder so it runs at the start of every page request. For ColdFusion you can place the script in an Application.cfm or Application.cfc file. Since these files are run automatically at the beginning of every page request, there's no need to place the code on every page.
This should give you the idea of how to go about this... Hope this helps.
--
Lawrence Cramer - *Adobe Community Professional*
http://www.cartweaver.com/
Shopping Cart for Adobe Dreamweaver
available in PHP, ColdFusion, and ASP
Stay updated - http://blog.cartweaver.com
Thanks Lawrence
I forgot to mention I'm using PHP.
I already put that code at the beginning of all the administration files.
I also made a login.php file, and in case the user is not logged in, on ANY page the user tries to get, they will be redirected to login.php. But I want to know if that's "enough" (never enough with security, but...) to keep newbie hackers out. In other words, I want to know if that login security is hard to break with basic "hack" tools.
And on the other hand:
Is it TOO bad that the password field in the database is kept in plain text? I mean, there would be only 1 user, the admin, and only his username and password will be stored in the database.
I know I can protect the entire folder, but it's "ugly" from a design point of view, and I also add an "edit bar" in the frontend, so when the admin is logged in, the edit bar appears and the user can edit the content of that particular page. When the user logs out, the edit bar just disappears. So, with that bar, I think it's impossible to use the protected folder method, right?
Thanks again Lawrence, I really appreciate your reply.
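As an added example (not code from the thread or from Cartweaver), here is how the two pieces discussed above fit together in PHP: the per-page login check from Method Two, plus storing the admin password with password_hash() and upgrading the existing plaintext row the first time the admin logs in, which answers the "replace the old pass with a new encrypted one" part of question 1. It assumes a PDO connection in $pdo and a table admin_users with columns username and password; those names are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes $pdo is a PDO connection and a
// table `admin_users` (columns `username`, `password`) whose `password` column
// currently holds plaintext; rows are upgraded to password_hash() output on login.
session_start();

// Method Two: include this at the top of every admin page except login.php.
function require_login(): void
{
    if (empty($_SESSION['admin_user'])) {
        header('Location: login.php');
        exit; // without exit, the rest of the page is still sent to the browser
    }
}

// Called by login.php with the submitted credentials. Returns true on success.
function attempt_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM admin_users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    if (empty(password_get_info($stored)['algo'])) {
        // Legacy row: still plaintext. Compare in constant time, then replace
        // it with a hash so the plaintext never has to be read again.
        if (!hash_equals($stored, $password)) {
            return false;
        }
        store_hash($pdo, $username, $password);
    } elseif (!password_verify($password, $stored)) {
        return false;
    } elseif (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_hash($pdo, $username, $password); // default algorithm/cost changed
    }

    session_regenerate_id(true); // fresh session id once the user is privileged
    $_SESSION['admin_user'] = $username;
    return true;
}

// Hashes the password and writes it back over whatever the row held before.
function store_hash(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('UPDATE admin_users SET password = ? WHERE username = ?')
        ->execute([$hash, $username]);
}
```

A hash cannot be turned back into the password, so the "password reminder" from question 1 becomes a reset: generate a new password and pass it to store_hash().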