JDex

Members
Posts: 6
Everything posted by JDex

  1. Hmmm... No comments or responses. Holiday?
  2. Hello and Happy Holidays to the family... I have been learning PHP for a few weeks and I really think that I have picked up the basics and intermediate uses quite well. I have assembled the basic structure of my new site and I am loving the uses of Server Side Dynamic pages... My current thought processes have gone to Security and User authentication. While I am not one prone to reinvent the wheel, I am prone to trying to understand everything that is happening so that I can make modifications as needed and not have to rely solely on the help of others... In addition to a lot of googling and sifting through results I have scanned the entire TCH Security forum and have come up with some TCH questions, as well as some conceptual questions that hopefully my new family can assist with.

     Firstly let me give you some background on my expected security needs... I don't need first-rate Fort Knox type security... I will not be handling overly-sensitive user data... no credit cards or social security numbers... basically I will just have "registered user" areas that I want to be "relatively" certain are being viewed by registered users.

     Intro on my current plan: I will be using cookies and sessions for redundancy as well as coverage for users w/ cookies disabled. I have protected my included/required files with a set of custom functions called establishHackCheckL#() and runCheckHackL#() that I will explain in a bit. I have buried my database connection info in layered requires. I intend to set up folders containing sensitive data (such as function definitions and db connection info) so that if accessed directly, they fail to send data to the browser.

     Details of what I have done

     Use of cookies/sessions... Rather than store Username and Password info in the cookies... I am creating an "authentication code" using the sessionID and a random sequence generator... Upon login the authcode is placed in a cookie called user as well as an entry in the database attached to the user's IP address and current timestamp. The Session receives a serialized variable called auth and the authcode is placed within. On each page the authcode will be referenced against the IP address in the DB, and if false the guest would need to log in. If the session is non-existent, because the user is visiting the site again, the site will check for the cookie and validate the authcode/IP relationship, then establish the session again. Since many visitors may visit from multiple locales (school, home, work etc...) the authcode tracking table actually will keep tabs on 5 IP addresses and should there be a sixth login point, the system will overwrite the entry that hasn't been used for the longest period of time... Now I know that people with Dynamic IP addresses (which is a lot of people) will have to log in every time their addy changes, but I am confident that my audience is okay with that.

     establishHackCheckL#() and runCheckHackL#()... All of my rootpages have a sans-$ variable (I think the term is pagevar) that is established and the entry in that variable is a long static alpha-numeric code... 99% of the sub-pages (included and required files) all check to see that the variable is established, and that the entry is the expected code... if this two-layer check fails, the page dies and all available data is logged in a db via a db connection that only has insert access to a db that only has one table... and it is dedicated to logging hack attempts. If any IP is logged 10 times in a 24-hour period it is flagged and a message shows up in the admin panel I have constructed... if it is logged 20 times in the same period the IP is banned (via php/mysql) for a 72-hour period and the admin is notified. Then I can decide if I want to perma-ban the IP and look deeper into it.

     DB Connection info in Layered Requires... After the above "Hack Check" is established in a root page, a page is required that houses the db select info "mysql_select_db()"... before selecting however a second HackCheck is established (Level 2) and a page is required that calls the "mysql_connect" command... on that page, again before connecting to the host, it checks for the Level 2 hack, establishes a Level 3 hack and requires yet another page that houses my host name, username, password, db name... Overkill, probably.

     Based upon these brief descriptions, does anyone have any immediate "red flags" that go up regarding hackability or implementation problems? I can go into more detail and provide generic-ized code to explain further if necessary...

     Now for some questions... One of the initial resources I have used for learning PHP/MySQL basics is the VTMs at http://www.3dbuzz.com They are very beginner level, but great. In the Integrating PHP/MySQL video they edit the httpd.conf file in Apache to make folders inaccessible in a direct manner, but files within "include-able" and "require-able"... I am wondering if TCH users can accomplish this, or if it is something we cannot access. If it is unavailable, is there a way that we can make access to a folder limited in the same manner? Is using PHP/MySQL in conjunction with weekly changed passwords likely to provide enough security for my admin pages, or should I use the directory level password protection built in to the cPanel... I can use either, but there are some decent benefits of using PHP based... I had hoped to make some dynamic code in all my pages that offer admin privileges directly on the page... I am sure I'll have other questions, but I don't want to overwhelm over the holidays... thanks for indulging me and any input will be appreciated. Cheers.
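The following is an added example, not code from the original post or from TCH: a minimal PHP 7.1+ version of the cookie-plus-database "authcode" scheme and of the include guard described above. Everything in it is assumed rather than taken from the poster's code: the `$table` array is a constructed in-memory stand-in for the MySQL tracking table (its columns `user_id`, `ip`, `code_hash`, `last_seen` are made up), the code is drawn from `random_bytes()` instead of being derived from the session ID, the table stores only a hash of the code, and the two-week lifetime and the five-address cap are parameters chosen for the walk-through. The `mysql_*` extension the post mentions was removed in PHP 7, so a real table would be reached through PDO or mysqli.

```php
<?php
// Added example, not code from the original post: the cookie + database
// "authcode" scheme and the include guard described above, in PHP 7.1+.
// Assumptions: $table is a constructed in-memory stand-in for the MySQL
// tracking table (columns user_id, ip, code_hash, last_seen are made up),
// the code comes from random_bytes() rather than the session ID, and only
// a SHA-256 of the code is stored, so a dumped table yields no usable cookies.

const MAX_IPS_PER_USER = 5;   // the post's "five login points" cap

// Issue a fresh authcode for $userId logging in from $ip at time $now.
// Returns the raw code for the cookie and the session.
function issue_auth_code(array &$table, int $userId, string $ip, int $now): string
{
    $code = bin2hex(random_bytes(32));          // 64 hex chars, 256 bits of entropy

    // Count this user's existing login points and find the least recently
    // used one; at the cap, evict it (the post's "sixth login point" rule).
    $count  = 0;
    $oldest = null;
    foreach ($table as $key => $row) {
        if ($row['user_id'] !== $userId) {
            continue;
        }
        $count++;
        if ($oldest === null || $row['last_seen'] < $table[$oldest]['last_seen']) {
            $oldest = $key;
        }
    }
    if ($count >= MAX_IPS_PER_USER) {
        unset($table[$oldest]);
    }

    $table[] = [
        'user_id'   => $userId,
        'ip'        => $ip,
        'code_hash' => hash('sha256', $code),
        'last_seen' => $now,
    ];
    return $code;
}

// Check a code presented by a cookie or session from $ip. Returns the user
// id, or null when the code is malformed, unknown, bound to another IP, or
// older than $maxAge seconds. A hit refreshes last_seen so LRU eviction works.
function verify_auth_code(array &$table, $code, string $ip, int $now, int $maxAge)
{
    if (!is_string($code) || !preg_match('/^[0-9a-f]{64}$/', $code)) {
        return null;                            // cookie contents are attacker input
    }
    $hash = hash('sha256', $code);
    foreach ($table as $key => $row) {
        if (!hash_equals($row['code_hash'], $hash)) {   // constant-time compare
            continue;
        }
        if ($row['ip'] !== $ip || $now - $row['last_seen'] > $maxAge) {
            return null;
        }
        $table[$key]['last_seen'] = $now;
        return $row['user_id'];
    }
    return null;
}

// Include guard playing the role of establishHackCheck/runCheckHack: the
// entry page runs define('IN_APP', true) before any require, and every
// included file calls this first, so a direct request for it gets a 403.
function require_entry_page(): void
{
    if (!defined('IN_APP')) {
        http_response_code(403);
        exit('Direct access is not permitted.');
    }
}

// Constructed walk-through with no database or HTTP involved.
$table    = [];
$now      = 1100000000;
$twoWeeks = 14 * 86400;
$code     = issue_auth_code($table, 7, '203.0.113.10', $now);

assert(verify_auth_code($table, $code, '203.0.113.10', $now + 60, $twoWeeks) === 7);
assert(verify_auth_code($table, $code, '198.51.100.5', $now + 60, $twoWeeks) === null);   // other IP
assert(verify_auth_code($table, 'not-a-code', '203.0.113.10', $now, $twoWeeks) === null); // malformed
assert(verify_auth_code($table, $code, '203.0.113.10', $now + 30 * 86400, $twoWeeks) === null); // expired

// Six logins from six addresses leave exactly five rows for user 7.
for ($i = 1; $i <= 6; $i++) {
    issue_auth_code($table, 7, "192.0.2.$i", $now + $i);
}
assert(count($table) === MAX_IPS_PER_USER);
echo "authcode checks passed\n";
```

The `defined('IN_APP')` guard is the same idea phpBB itself uses (`IN_PHPBB`), and it replaces the static alphanumeric pagevar with a constant that cannot be set from outside the script. For the folder question in the post: where httpd.conf is not editable, a `.htaccess` file inside the include directory containing `Deny from all` (Apache 2.2) or `Require all denied` (Apache 2.4) stops direct requests while `require` and `include` keep working, because PHP reads those files through the filesystem rather than over HTTP; moving the include directory above the document root achieves the same with no configuration at all.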
  3. I actually used the db backup function in CP... but thanks for the tip... I'll try it now.
  4. Thanks for the warm welcome... I have another question... I am just diving in to MySQL/PHP and am trying to set up my test server here at home to learn/work with... one goal I have is to use the phpbb database for forum use as well as for some out-of-forum data passing... i.e. User Registered? etc... As far as how that works I think I have a good enough handle on the topic to figure it out, my question is what is the best way to add the current phpbb database to my Test Server so I can test things out as I go. I tried using the backup function and extracting the .gz, but where should I put the resulting file in relation to the Test Server MySQL root. Are there any pitfalls or steps I need to take to have my test server recognize the data? Thanks very much.
  5. Thanks for the quick response. One problem though... I am looking at the "older releases" download section of mySQL.com and it goes from 4.0.20d to 4.0.3... no 4.0.22. Any thoughts? Cheers

     Edit: I take it back... the 4.0 release on the current page is the 4.0.22 release... thanks,
  6. I am setting up a local test server so that I can do some PHP/MySQL pages on the road... which version of MySQL should I use for TCH compatibility? Are there any setup considerations I should take into account? Thank you.