secure members area blocked by one password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

secure members area blocked by one password

Post by iknowu99 »

I would like to create a members-only area. No unique usernames/passwords are required. Just one password, where when members sign up I can send them this pass and they can log in. I am currently using only HTML and Office FrontPage for the website.

I realize this might have members passing the password to others; this is something I wouldn't be too happy about. Perhaps you peoples have a solution?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: secure members area blocked by one password

Post by califdon »

iknowu99 wrote:
> I would like to create a members-only area. No unique usernames/passwords are required. Just one password, where when members sign up I can send them this pass and they can log in. I am currently using only HTML and Office FrontPage for the website.
>
> I realize this might have members passing the password to others; this is something I wouldn't be too happy about. Perhaps you peoples have a solution?

You have 2 choices: you can let everyone have the same password (easy to do, you can even do it with a simple .htaccess file, if it's an Apache server, but has the disadvantage you recognize), or maintain an individual password system (requires maintenance for new or lapsed members, but gives you better control, including barring troublesome users). You can either do it with an .htaccess file that refers to a .passwd file (which has to be maintained) or with PHP and a small database. Your choice between the 2 is up to you. The number of potential members and how frequently you get new members or drop old ones should factor into your decision.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure members area blocked by one password

Post by Mordred »

If you want to sacrifice security so much (as to have a single password for many users), you can do it with even lower tech -- a simple JavaScript:
User enters the "password" in an input field, you redirect them to "password".html, and if they typed it wrong they get no cigar. The .js can be as smart as to check if "password".html exists as well.

Just don't write the check like
if (password == "123456") window.location = 'secret.html';

I've seen such things once too often in the past...

Take care never to link to the secret url though, or the bots will crawl it, and then it's game over.

If it's really really secret data, you'd better listen to califdon, .htaccess is more secure, plus it can easily be extended to support multiple accounts.
iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: secure members area blocked by one password

Post by iknowu99 »

Thanks peoples!

Right now it's ridiculous because I use Mordred's method of "password".html and I want to switch quick!

I would like to apply the .htaccess, and I am fine having the one password that califdon describes.

I really don't know what this .htaccess file does and how it works.

Right now I have an HTML site that was created in FrontPage. How do I create this .htaccess file password system?
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: secure members area blocked by one password

Post by jayshields »

iknowu99
Forum Commoner
Posts: 39
Joined: Thu Aug 14, 2008 3:20 pm

Re: secure members area blocked by one password

Post by iknowu99 »

I learned I need to put the password in that file as well as block bad bots - http://www.javascriptkit.com/howto/htaccess13.shtml

What I am also trying to understand is: in the robots.txt file I can disallow robots from going to specific webpages... but if I mention them in the robots.txt file, then the malicious users will know exactly where to look for the information without getting the members pass??

I'm hosting with Yahoo Small Business >> will I be able to use .htaccess at all?? Where does one learn more?
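
The single-shared-password .htaccess setup discussed in this thread, as an added example that is not part of any post above. The `members` directory, the `member` account name, the paths and both function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example: one shared Basic-auth login for a members directory.
# Assumed layout: <docroot>/members is protected, hashes live outside docroot.
# The host must allow "AllowOverride AuthConfig", otherwise this .htaccess
# will not work; Basic auth only base64-encodes the password, so use HTTPS.

# Create the password file with a single shared account. htpasswd ships with
# Apache, prompts for the password, and -B stores a bcrypt hash (Apache 2.4+).
create_shared_login() {
    htpasswd -c -B "$1" "${2:-member}"
}

# write_members_htaccess DOCROOT SUBDIR PWFILE
# Writes DOCROOT/SUBDIR/.htaccess. Returns 1 if PWFILE sits inside DOCROOT
# (a misconfigured server could serve the hashes), 2 on bad arguments.
write_members_htaccess() {
    docroot=$1 subdir=$2 pwfile=$3
    abs_root=$(cd "$docroot" 2>/dev/null && pwd -P) || {
        echo "no such document root: $docroot" >&2; return 2; }
    [ -d "$abs_root/$subdir" ] || {
        echo "no such directory: $abs_root/$subdir" >&2; return 2; }
    case "$pwfile" in
        "$abs_root"/*) echo "refusing: $pwfile is inside $abs_root" >&2; return 1 ;;
        /*) ;;
        *) echo "AuthUserFile must be an absolute path" >&2; return 2 ;;
    esac
    cat > "$abs_root/$subdir/.htaccess" <<EOF
AuthType Basic
AuthName "Members area"
AuthUserFile "$pwfile"
Require valid-user
EOF
}

# Typical use (constructed paths):
#   create_shared_login /home/example/private/members.htpasswd member
#   write_members_htaccess /home/example/public_html members \
#       /home/example/private/members.htpasswd
```

With this in place the server answers every unauthenticated request for the directory with a 401, crawlers included, so the directory does not need a robots.txt entry that would advertise its location.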