[ale] Web Login

Calvin Harrigan charrig at earthlink.net
Tue Feb 12 12:19:52 EST 2002


Ideally I would like to use https for at least the initial login.  I would like to identify the user using maybe a cookie throughout their visit to the website.  I would also like to lock them into their own directory; if they log out they'll be placed back in a public area.  Sort of like a chrooted ftp server.  As far as security, I would like to prevent users from getting into other areas except public areas and their own directories.  Public areas being things like the front/home page, the login screen, etc.  Hackers to the web server (the only server on the machine) will have to be handled in some manner; using standard safe server configurations and firewalls is probably a step in the right direction.  Man-in-the-middle attacks, hmmmm, not sure about that one.  Hopefully I've more clearly described what I'm attempting.

Thanks.

Calvin...
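
The cookie identification and per-user directory confinement described in the message above, as an added example that is not from any poster in this thread. Python is used for illustration rather than one of the languages named in the thread, and the `/public/` and `/users/<name>/` layout, the 30-minute lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import os
import posixpath
import re
import time

SECRET = os.urandom(32)           # server-side key, never sent to the browser
SESSION_TTL = 1800                # seconds (assumed)
PUBLIC_PREFIXES = ("/public/",)   # assumed layout: /public/... and /users/<name>/...


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Cookie value 'user|expiry|mac', set after a successful https login."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user):
        raise ValueError("unsafe user name")
    expiry = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.split("|")
        if not hmac.compare_digest(mac, _mac(f"{user}|{expiry}")):
            return None
        if int(expiry) < (time.time() if now is None else now):
            return None
    except (AttributeError, TypeError, ValueError):
        return None
    return user


def allowed_path(cookie, requested, now=None):
    """Public area for anyone; /users/<name>/ only for that logged-in user."""
    # 'requested' is assumed to be already URL-decoded by the web server.
    path = posixpath.normpath("/" + requested.lstrip("/"))  # collapses ../ and //
    if path == "/" or (path + "/").startswith(PUBLIC_PREFIXES):
        return True
    user = verify_cookie(cookie, now)
    return user is not None and (path + "/").startswith(f"/users/{user}/")
```

The cookie only identifies the user; it should be sent with the Secure and HttpOnly attributes so it travels over https alone and is not readable by page scripts.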



-----Original Message-----
From: David Corbin <dcorbin at imperitek.com>
To: ale at ale.org
Date: Tue, 12 Feb 2002 12:02:51 -0500
To: Jason Lynn <jason_lynn_ at hotmail.com>
Subject: Re: [ale] Web Login 


> But that's not a very secure method (unless you're doing https). 
>  Passwords pass over the wire encrypted, but decrypting them is very 
> easy.  The requirement "secure" needs more definition:
> 
> Are we only talking about identifying the user once?  What about 
> subsequent pages?  Secure from snoopers at what level? People that can 
> access packets anywhere? Man-in-the-middle attacks?  Someone who hacks 
> your web server?  Your database server?
> 
> I don't mean to make it complicated, but then, it already IS complicated.
> 
> Jason Lynn wrote:
> 
> > If you're using apache, look into htpasswd for generating password 
> > files.  Then you use a file .htaccess (I think that's right), that 
> > contains certain directives, in the directory where you want to 
> > prevent access.
> >
> >
> >> From: "Calvin Harrigan" <charrig at earthlink.net>
> >> To: ale at ale.org
> >> Subject: [ale] Web Login
> >> Date: Wed, 13 Feb 2002 00:02:11 +0800
> >>
> >> Greetings,
> >>  I have a question: what would be the best way to implement a secure 
> >> login to a website?  I've seen many solutions/means/ways of doing so 
> >> on the net but none seem standard or straightforward.  I would like 
> >> to create a web page with a login field and password field with a 
> >> submit button that calls a script to verify the password and grant 
> >> access to the web site.
> >> I would like a secure/simple method of doing so, any suggestions?  
> >> Backend languages I can use are php, perl, shell script, c/c++.
> >>
> >> Thanks...
> >> -- 
> >>
> >>
> >>
> >> ---
> >> This message has been sent through the ALE general discussion list.
> >> See http://www.ale.org/mailing-lists.shtml for more info. Problems 
> >> should be
> >> sent to listmaster at ale dot org.
> >>
> 