Date: Sun, 5 May 2002 01:04:32 +0200
From: Emre Bastuz <info@emre.de>
To: freebsd-isp@freebsd.org
Subject: Re: OFF-Topic.Restricting access to pages.
Message-ID: <1020553472.3cd4690038d26@webmail.emre.de>
In-Reply-To: <5.1.0.14.2.20020504103436.025a9450@icsmx.com>
References: <5.1.0.14.2.20020504103436.025a9450@icsmx.com>
Hi Jorge,

> She is on a project where she needs to restrict access to certain part of a
> site according to certain user category.

If the required access restrictions are on a per file basis, .htaccess seems the most quick and dirty solution, as you already have mentioned.

> The other solution we were talking (I'm trying to help her) is to develop
> some validation with PHP and a database, construct all pages on the fly
> according to permissions. We know this could be a more extensive solution
> and that will require more time and resources.

If restricting access to php/html pages is sufficient for you, the php / database combination might be what you're looking for. You can restrict access to certain php/html files or even parts of these pages to certain users or groups. This is possible and done fairly often - take PHPNuke for example (a php based portal software that presents the functionality of the pages according to the permission level of the logged in user).

You do not have to create this kind of permission system from scratch. There are already working solutions out there that are well known and stable. I would recommend using the perm and auth classes of the phplib: http://sourceforge.net/projects/phplib

I believe that the Horde project has also implemented some kind of permission/authorization system. The Horde application framework seems like straight out of Star Trek to me - still, if you want to take a look at it: http://cvs.horde.org/

If you want to hide not only php/html but also binaries like gifs or png's from users without proper rights, maybe you should consider putting those binaries into a database too (just an idea)?

> We know that both solutions could work but we are worried (since we have
> never done it before) on the security. I mean, if users consult the pages,
> let's say on a public library, the complete path of the pages will be in
> the history of the browser user. Theoretically a user could see the history
> and enter the site without being asked again for the user and password. Is
> that right?

Yes and no. Horde and phplib use session identifiers that are usually only valid for a certain time. If somebody hijacks that session identifier while it is still valid (i.e. the user has not used the "log out" button, the user has not closed the browser windows, etc.) he/she can create the URLs to the files. In all other cases, the session system should be fairly secure.

The validity of the session identifier is, on the other hand, only checked by parsed scripts (php code). Binaries are of course not checked and usually can be called directly by entering the URL.

Good luck,

Emre

--
Emre Bastuz
info@emre.de
http://www.emre.de
UIN: 561260
PGP Key ID: 0xAFAC77FD
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
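Emre's last point, that session checks only protect parsed scripts while images and other binaries are served straight by the web server, is usually handled by keeping the binaries outside the document root and serving them through a small PHP gatekeeper. The script below is an added example written for this archive page, not code from the mail, phplib or Horde; it assumes a login routine elsewhere has set `$_SESSION['user']` and `$_SESSION['groups']`, and the directory, group name and file list are placeholders.

```php
<?php
// Added example (not from the original mail): serve a protected image only to
// a logged-in user whose session carries the required group. The files live in
// PROTECTED_DIR, outside the web server's document root, so the server can
// never hand them out directly; every request has to pass through this script.
// Assumption: the login code elsewhere sets $_SESSION['user'] and
// $_SESSION['groups'] after a successful authentication.

declare(strict_types=1);

const PROTECTED_DIR  = '/var/www/protected';  // assumed path, outside DocumentRoot
const REQUIRED_GROUP = 'members';             // assumed group name

// Allow-list of files with their MIME types. Anything not listed is refused,
// which also rules out path traversal such as "../../etc/passwd".
const FILES = [
    'chart.png' => 'image/png',
    'logo.gif'  => 'image/gif',
];

session_start();

// A valid session identifier alone is not enough: the session must belong to
// an authenticated user who is in the right group. Both checks fail closed.
$groups = $_SESSION['groups'] ?? [];
if (empty($_SESSION['user']) || !in_array(REQUIRED_GROUP, $groups, true)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Forbidden\n");
}

// basename() strips any directory part; the allow-list lookup does the rest.
$name = basename((string)($_GET['f'] ?? ''));
$path = PROTECTED_DIR . '/' . $name;
if (!isset(FILES[$name]) || !is_file($path)) {
    http_response_code(404);
    header('Content-Type: text/plain');
    exit("Not found\n");
}

// Tell the browser and any shared cache (e.g. a public library proxy) not to
// store the file, so a copy does not outlive the session that authorised it.
header('Content-Type: ' . FILES[$name]);
header('Content-Length: ' . (string)filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Pages then reference the binaries as `getfile.php?f=chart.png` instead of a direct path, so a URL recovered from browser history is useless without a live, authorised session.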
