A Flash Developer Resource Site


Thread: passwords and security

  1. #1
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645

    passwords and security

    Hello,
    just a quick question or two on password protecting a page. I am using PHP as my scripting language..

    Question 1:
    I would like to create a password protected page and this is what I'm thinking. Please take into consideration that I know very little about internet security.

    I have an administration page where I can add a user name and password into a users table in my Mysql database.

    I was thinking about just storing these user names and passwords un-encrypted.

    Now when a user tries to log in, the database is queried, and if the result returned is zero (0) rows for the name and password combination, the password auth fails.

    Is this the wrong way to go about this?

    Question 2:
    On the protected page itself I need to verify that the user attempting to view the page is the logged in person.

    How would I go about doing this?

    Thanks for any insight...
    3PRIMATES

  2. #2
    Senior Member
    Join Date
    Aug 2000
    Location
    Seoul, South Korea
    Posts
    1,310
    Hi there,
    You'll obviously require the same authentication process on your admin page.
    Here's an example of a Flash/PHP/mySQL authenticator from Sephiroth.

    Cheers,
    micmac

  3. #3
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Hi,
    well actually I was just going to use .htaccess...
    I figured that would be the most secure way to go about protecting the admin directory and php scripting..

    I'll take a look at your link and see what I can find out..

    Thanks..

    3PRIMATES

  4. #4
    Registered User
    Join Date
    Feb 2001
    Posts
    13,044
    Hi 3Primates,

    so you actually want to put mysql-based htaccess to work? Maybe your provider has already set it up this way; otherwise your admin script would have to modify the htpasswd file

    Musicman

  5. #5
    Official FK nice guy and MOD 3PRIMATES's Avatar
    Join Date
    Apr 2002
    Location
    Portland Oregon
    Posts
    1,645
    Hi Musicman...
    Actually, for the admin area I had planned to just use a typical .htaccess, nothing special. I really don't need anything other than that, I wouldn't think.

    The DB is for a protected page of the website.
    Look at the 2 questions in my first post. That is pretty much what I need to know about..

    In the admin section the administrator can add un-encrypted names and passwords into a database table.

    In the public area of the website, there is a section to allow members to sign in.

    The members sign in with the name and password given to them by the admin.

    The name and password are checked against the database.
    If the search returns 0 rows, then the password check has failed; if not, access is granted.

    Pretty basic, I know, but I'm still trying to figure things out, and do it the right way..

    Thanks..
    And sorry I'm so confusing...LOL

    3PRIMATES
    Last edited by 3PRIMATES; 05-08-2003 at 04:27 AM.

  6. #6
    Registered User
    Join Date
    Feb 2001
    Posts
    13,044
    Hi,

    characteristics of htaccess protection:
    a) every single file is protected (the pw is sent in clear for every single-pixel transparent gif)
    b) access control is usually performed by browser dialog
    c) passwords are considered static and are often kept in an encrypted text file - there is an alternate scheme using mysql
    [It is next to impossible to make a "logout" button work, other than by changing the password]
    d) you need some privileges on the server in order to enable htaccess protection - if your host features htaccess control through a control panel, you may not be able to override that

    characteristics of script-based protection:
    a) only script files are protected - you have to add code to every file you want to protect
    b) access control is performed via a html or flash form
    c) you can log out from sessions, and sessions can expire. You need some extra steps if you want unusually long expiration times
    d) you do not require any special privileges

    These characteristics are quite disparate, so whether or not you can successfully mix them will depend on various things - the ability to install restrictions yourself via a htaccess / htpasswd file is crucial

    Musicman
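
Added example, not part of the original thread or any poster's code: a sketch of the script-based protection described in post #6, covering both questions from post #1 (checking the login against the database, and verifying the logged-in user on the protected page). Assumptions: an in-memory SQLite database via PDO stands in for the thread's MySQL, the `users` table, the function names and `login.php` are hypothetical, and the table stores `password_hash()` output rather than the unencrypted passwords proposed in post #1.

```php
<?php
// Added example; table, function and page names are hypothetical.
// In-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Admin side: store a salted hash, never the password itself.
function add_user(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: look the name up with a bound parameter, then verify the hash.
function check_login(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Called by the login form handler after session_start().
function login(PDO $db, string $name, string $password): bool {
    if (!check_login($db, $name, $password)) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['user'] = $name;
    return true;
}

// Question 2: call at the top of every protected script.
function require_login(): string {
    if (empty($_SESSION['user'])) {
        header('Location: login.php');     // hypothetical login page
        exit;
    }
    return $_SESSION['user'];
}

// Logout works here, unlike with browser-dialog htaccess authentication.
function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Constructed sample data, checked from the command line.
add_user($db, 'member1', 'constructed-sample-pw');
var_dump(check_login($db, 'member1', 'constructed-sample-pw'));
var_dump(check_login($db, 'member1', 'wrong-guess'));
```

Each protected page would call `session_start()` and then `require_login()` before producing any output, which is the "add code to every file you want to protect" step from post #6.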
