Greetings from cold Finland!
This isn't really PHP security related problem, so admins feel free to move this if needed.
I'm developing PHP system for customer. Customer adverts open jobs to the website and people can apply for the jobs using the website. Of course, applications might include confidental information. As for this, SSL is used. So now I'm building the "admin" side of the application. In admin section, applications can be browsed. Now my consern is to make sure that NOBODY outside company can log in to admin section. At first, I thought about using .htaccess .htpasswd authorization. Is this method 100% secure when password information is stored outside www-root or are there some weaknesses in this method? Another way is to build PHP log in system with MYSQL user database. I've done this kind of systems, but this time i want it to be 100% secure and as there's no need to for multiple users, I just feel that .htaccess user authorization might be enough.
All comments and conserns are welcome.
.htaccess authorization security
Moderator: General Moderators
Re: .htaccess authorization security
For one "internal" admin account which you don't exect to need his password changed very often, it's a perfectly good solution. .ht* files are unaccessible from the web by default (you might want to check though). You can also limit the access only to specific IP ranges, if that's applicable to your situation.