califdon wrote: Oh, OK, I didn't catch the connection between your remark "In the end, that is precisely what I did" and my suggestion. Good, I think that's probably appropriate for the particular situation you described.
Yes - you're right.
And now that you have presented more background of what you're aiming for, it makes good sense for you to learn about web security practices in some depth. I am not the best person to offer advice in that area, but I hope that one of our security gurus will jump in here and give you some suggestions.
I hope so as well. From my own database experience, I do understand the basic needs. I'm just not sure how to get there, especially in an on-line environment. One of the reasons I initially asked about phpseclib is that in addition to the standard stuff (password hashing, data encryption, etc.) it also handles sessions by using a session ID only once. The client I'm researching this for is a 24-hour operation and it's not unusual at all for employees of one shift to leave their computer sessions up when they change shifts. (It's been an on-going issue for years.) So... I need to learn how to time out sessions and use tools that will make it harder to steal a session.
Any advice offered by the folks here would be greatly appreciated.
I understand the tricky situation with your client's IT department and have had a little experience with that kind of situation (I was an employee, outside IT) and, as you probably know quite well, it can be a treacherous situation. Internal politics can lead to some nasty confrontations and could even jeopardize your arrangements with the company. But that's something only you can evaluate.
Well, luckily I don't have to deal with the politics. The person who brought me on board heads up the division and he's handling all the politics. That said, I've several clients and most of the IT departments I work with are great. In general I've a lot of respect for the folks in IT, they're expected to know everything from hardware, through networking and into programming. The smaller the IT department, the more they're expected to cover. I'm lucky, I just get to focus on programming.
But this IT department is dysfunctional - it's the common problem of a leader setting a tone (and in this particular situation the tone is not very productive). Bottom line, the division head I report to doesn't trust that a job will get done right if IT is involved. He's concerned about using the organization's website for a lot of reasons, one of which is security. He doesn't trust that folks in the IT department are taking all the precautions they should be taking. And speaking from personal experience with the classical database projects I've worked on, I've the same concerns. They don't know how to properly secure a classical database (and I assume those aren't as hard to secure as something on-line and open for the whole world to get to).
Which gives me all the more motivation to learn proper techniques of securing on-line databases.
Anyway califdon, thank you for your advice and counsel, it is appreciated.
Pavilion
P.S. Now that this topic has evolved from a specific question about URLs to a broader discussion about security, would it be possible for an Admin to move the topic to the PHP - Security forum? Thank you in advance.
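The three session controls Pavilion asks about above (an idle timeout so a session left up at shift change dies on its own, an absolute lifetime, and issuing a fresh session ID so a copied ID goes stale) can be done with PHP's own session functions, no library needed. This is an added example written for this thread, not Pavilion's code and not phpseclib's; it assumes PHP 7.4 or later and a site served over HTTPS, and the timeout values are placeholders to tune for the client.

```php
<?php
// Added example (not the thread's code): session hygiene in plain PHP, no library.
// Assumes PHP >= 7.4 and that the site is served over HTTPS.
const IDLE_TIMEOUT = 15 * 60;      // end session after 15 min without a request
const ABS_LIFETIME = 8 * 60 * 60;  // hard cap: one shift, no matter how active
const ROTATE_EVERY = 5 * 60;       // periodically issue a new session ID

function start_hardened_session(): void
{
    // Cookie only over HTTPS, invisible to JavaScript, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1'); // never read a session ID from the URL
    session_start();

    $now = time();
    $_SESSION['created']   ??= $now;
    $_SESSION['last_seen'] ??= $now;
    $_SESSION['rotated']   ??= $now;
    $idle = ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT;
    $old  = ($now - $_SESSION['created'])   > ABS_LIFETIME;
    if ($idle || $old) {
        // A screen left logged in by the previous shift ends up here: wipe the data,
        // delete the old ID server-side and continue as a fresh anonymous session.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['created'] = $_SESSION['last_seen'] = $_SESSION['rotated'] = $now;
        return;
    }
    if (($now - $_SESSION['rotated']) > ROTATE_EVERY) {
        session_regenerate_id(true);  // old ID is deleted, so a copied ID goes stale quickly
        $_SESSION['rotated'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Call after the password check succeeds: a session that changes privilege level
// must also change its ID, so an ID captured before login is worthless afterwards.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}
```

Call start_hardened_session() at the top of every page before any output, and login_user() only once the credentials have been verified.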