I protected a directory using .htaccess. It works great, but once the password is given it will allow access again and again without asking for a password again. It will do this until the browser is closed. Is there any way to have it ask for the password each time the directory is accessed?
Darn! Well...what I was hoping was that if I had to, I could view my files on a public computer and be assured that no one could view them after I left. Guess I won't be able to do that.
Something like this might be possible, in retrospect, through PHP's HTTP_AUTH functions... I haven't looked into it much, but I believe there's a way to remove any authentication settings in the browser. If you called a function that did this on the load of each page, it would require the user to enter the password again. Of course, if you were just talking about any type of file, something like this wouldn't be useful for you.
What I mainly wanted to use it on was a "work page" that I made. On my web site I am selling products, and this page allows me to access different shipping services and so forth. So I really don't want anyone to have access to it.
What I need is a login and logout type of thing. I was hoping .htaccess would do the trick.
As far as logout, .htaccess won't help you much... generally, the only way to log out is to close the browser window (unless there is an obscure PHP function that will clear the HTTP Auth information, which is stored in the browser, not the server as I incorrectly stated before)... maybe a header() function.
For security, .htaccess will adequately protect a page as long as no one's "listening" to your Internet connection, since the username and password are transmitted in plaintext. Personally, I use cookie authentication with a MySQL database (which doesn't improve the security... the only real way to increase security is to connect using an SSL connection). With cookie authentication, you can log out by deleting cookies, and you can make it easier for yourself by not having to type the information every time you want to access this page from your own computer (if you so choose; PHP has functions for either session cookies or time-expiration).
For added security, I use the md5() function to hash the password before it's transmitted, and then compare it to the hash of the password returned from the database for that username. I also use a "secret phrase" (hashed along with the password) to prevent guessing. Of course, every person has their own style of authentication, but this is more likely what you want since it ensures that (as long as the cookie is deleted) no one will "accidentally" log on after you.
Hope it helps!
Last edited by patenaudemat; 02-28-2005 at 02:24 PM.
I’m kind of new to all this so please bear with me. I’m not that familiar with php but will learn it if I have to. I am familiar with perl and would prefer to go that way.
So…
I will access the work page using SSL; then have a login that asks for a password. I will write a cookie which allows access and when I logout I will delete the cookie. If I don’t logout, the cookie will remain and allow access without asking for a password.
That doesn't sound insecure to me... in fact, there's probably a way you can accomplish the same thing with Perl.
Logging out is an extra layer of security that comes with the cookies, since the cookies can be deleted. However, as long as you set them as session cookies (usually just by not specifying an expiration date) they should be deleted when the browser is closed anyway (99.9% of the time).
By the way, with everything I was talking about with the MD5 hashing, that's only necessary if you don't have an SSL connection. My website doesn't have a certificate, so I encrypt things myself, but as long as you're connected via SSL everything's automatically encrypted.
Writing what I suggested in perl is a piece of cake. Just one thought here: Since I save the password in a cookie, is there any way I can encrypt it? The reason being that if a cookie is left on a machine, someone can read that cookie and the information left therein.
MD5 is usually a good algorithm to use for encryption... it's irreversible, so to check validity, just compare the hash of the password on file to the hash in the cookie. This is easier to understand in pseudo-code:
Code:
IF cookie_value == md5(password) THEN is_cookie_valid = TRUE
You can use MD5 in Perl with the Digest::MD5 module (http://search.cpan.org/~gaas/Digest-MD5-2.33/MD5.pm). I recommend using the hexadecimal function (md5_hex) for a little added security over decimal. (In case you don't have root access, Digest::MD5 is installed on most servers by default). Have fun!
Last edited by patenaudemat; 03-01-2005 at 01:36 PM.
Originally posted by Mike Burdick:
Writing what I suggested in perl is a piece of cake. Just one thought here: Since I save the password in a cookie, is there any way I can encrypt it?
If you plan to use Perl and MySQL, then don't save the password, encrypted or otherwise, in a cookie. Instead, create a random alphanumeric string (a sessionID) at each login.
Save that in the cookie and in the database for this user. You can now validate the user with the sessionID. When you logout, clear the cookie AND the sessionID in the database. Now even if someone knows the cookie value, once you logout, the cookie value will be useless.
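The session-ID scheme from the post above, written out in Perl as an added example (not code from any poster in this thread). It replaces the earlier suggestion of storing md5(password) in the cookie, which stays valid as long as the password does, with a random ID that logout invalidates server-side. The MySQL tables are stood in for by in-memory hashes, SHA-256 from the core Digest::SHA module is used in place of MD5 for the stored password hash, and the user record, salt and password are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed stand-ins for the MySQL tables the post describes:
#   users:    username -> salted password hash (never the password itself)
#   sessions: sessionID -> username (the row that logout deletes)
my $salt     = 'constructed-demo-salt';
my %users    = ( mike => sha256_hex($salt . 'correct horse battery staple') );
my %sessions;

# Random, alphanumeric session ID. Core Perl's rand() is not a CSPRNG, so the
# 16 random bytes are read from the kernel's /dev/urandom and hex-encoded.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open urandom: $!";
    my $n = read($fh, my $bytes, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;          # 32 hex characters, cookie-safe
}

# Login: check the password, mint a session ID, store it server-side and return
# the Set-Cookie value the CGI script would send (no Expires => session cookie).
sub login {
    my ($user, $password) = @_;
    return undef unless exists $users{$user}
        && $users{$user} eq sha256_hex($salt . $password);
    my $sid = new_session_id();
    $sessions{$sid} = $user;
    return "sid=$sid; Path=/; Secure; HttpOnly";
}

# Validation on every request uses only the cookie value; the password is never
# in the cookie, so a copied cookie is worthless once the session row is gone.
sub current_user {
    my ($cookie_value) = @_;
    return $sessions{$cookie_value};     # undef when unknown or logged out
}

# Logout: delete the session row AND tell the browser to expire the cookie.
sub logout {
    my ($cookie_value) = @_;
    delete $sessions{$cookie_value};
    return "sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT";
}

# One login/logout cycle on the constructed account.
my $set_cookie = login('mike', 'correct horse battery staple') or die "login failed\n";
my ($sid) = $set_cookie =~ /^sid=([0-9a-f]+)/;
print "logged in as ", current_user($sid), "\n";
logout($sid);
print defined current_user($sid) ? "cookie still valid\n" : "cookie now useless\n";
```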