stevevan

Password-protection System


Here is a link to an easy solution for those that just want a password-protected "Members Only" area of their site. It requires less than what aMember Free membership software offers, and the best part of all.......it's FREE! Installation is pretty straightforward if you READ the readme.txt file that's bundled with the zip download. I had it up and running in less than 2 minutes. Check out the website for more info.

 

www.Locked-Area.com


Oh... I like that. I may just change mine. The lite (free) one seems to have a few features that amember doesn't have. :)


Yep, but there are some drawbacks too. One specifically identified by Steve is that the members.db file is a pipe-delimited flat file, not a real DB, whereas aMember uses a MySQL db.

 

WHOA! Big security hole in my test install: check this out -

http://stoverdatasystems.us/lockedarea/members.db

 

LOL ok, that's not very secure! HMMMM.


Hmmmm... just downloaded it and was looking on here where to set the perl path to... Now I don't know if I want to install it or not lol :)


There should be a way to protect that file through chmod, but I don't have time to test it completely.... Anyone else that plays around with this app that could post back any findings would be appreciated.


I wanted to try to install Locked Area to check it out but I get as far as uploading the files then when I try to install by going to http://mydomain/cgi-bin/setup.cgi I get an Internal Server Error (500). I don't know what to do next. I set all the permissions like the readme file said to do. :)


Never mind.. I got it to work. I had to make sure the setup.cgi file was uploaded in ASCII. I had to go into my ftp program and add the .cgi extension to be uploaded in that format.


I got the db list also, but only after I logged in and the script validated me as an authorized user. I'm not too up on password protection, but since the password is encrypted, would this be considered a serious security issue or not?


I've gotten it working and I really like it a lot better than aMember. And I feel since the passwords are encrypted it's not too big of a problem.

I got the db list also, but only after I logged in and the script validated me as an authorized user.  I'm not too up on password protection, but since the password is encrypted, would this be considered a serious security issue or not?

It appears that my members.db file is not in the protected area...

 

I installed LockedArea to the dir /lockedarea.

The area to be locked is in dir /mylockedarea.

The members.db file is located in /lockedarea, which is not locked :)

 

So, yes, provided that you specify the members.db location is within the locked area, then you should be nice and secure...until the member is logged in. Then with the specific file name, all members would be able to see the other members' profiles.

 

Charlotte, I wasn't really concerned with the encrypted password, but rather names and email addresses being unprotected from just any ol' bot or hacker or list finder that happened by. As a member, I'd be leery of joining a site that couldn't protect my email address.


I guess it would then depend upon where you store it. If I remember correctly, in the installation process, you can specify what directory you want the database file stored. Maybe I'll try this later on tonight (unless someone else wants to). It would stand to reason that if the database was stored in some other directory (root for example) that is not publicly available, then the contents would NOT be visible simply by entering a url in a web browser.

 

Again, I'm not that strong in this department, so by all means correct me if my thinking is off-base.


Steve, you're right on. It does give you the opportunity to enter the path of the db. Surely this can be made more secure just through using correct path options. I just wanted people to be aware that the default locations (as pre-filled by LockedArea) are at risk.

 

Post back here if you get any definitive suggestion for future users as to where the db file should be created. I'll try to tinker with some possibilities soon too.


FYI... I reinstalled Locked_Area and put the members.db in an area that should not be accessible to anyone except for the people who have access to cpanel:

 

/home/username/dbsafe/members.db.

 

I think this may solve the question of email addresses being available. Someone else may want to hack away and let me know if my thinking is on line.

 

BTW...it works just fine installed like that, too!


YAY so it seems root placement does work? And that doesn't cause a problem during the registration/login process for members?

FYI... I reinstalled Locked_Area and put the members.db in an area that should not be accessible to anyone except for the people who have access to cpanel:

 

/home/username/dbsafe/members.db.

 

I think this may solve the question of email addresses being available. Someone else may want to hack away and let me know if my thinking is on line.

It's only safe from web browsers.

 

Anyone running PHP, or CGI, or shell scripts on the same server as you can read it.

Web passwords only stop web browsers. They aren't good for security on shared hosts.
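
The two questions raised in this thread (can members.db be fetched by URL, and can other accounts on the same server read it) can be checked with a short script. This is an added example, not part of the original posts or of LockedArea; the function name `audit_db` and its two path arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not LockedArea code). Usage: sh audit_db.sh DOCROOT DBFILE
# Reports whether a flat-file member database sits under the web root and
# whether its mode lets other local accounts read it.
# Return status: 0 = clean, 1 = findings, 2 = bad arguments.

audit_db() {
    # Resolve symlinks in both directories so a linked path cannot hide exposure.
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR: no such docroot: $1"; return 2; }
    dbdir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || { echo "ERROR: no such directory for: $2"; return 2; }
    db="$dbdir/$(basename "$2")"
    [ -f "$db" ] || { echo "ERROR: no such file: $db"; return 2; }

    rc=0
    # 1. A file under the document root is served to anyone who knows its name.
    case "$db" in
        "$docroot"/*) echo "WEB-EXPOSED: $db is inside $docroot"; rc=1 ;;
    esac

    # 2. Mode string looks like -rw-r--r--: char 5 = group read, char 8 = other read.
    mode=$(ls -ldL "$db" | cut -c1-10)
    case "$mode" in
        ????r*) echo "GROUP-READABLE: $mode $db"; rc=1 ;;
    esac
    case "$mode" in
        ???????r*) echo "WORLD-READABLE: $mode $db"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $mode $db"
    return "$rc"
}

# Run the audit only when called with both paths.
if [ "$#" -eq 2 ]; then audit_db "$1" "$2"; fi
```

On a host where CGI scripts run as a shared web-server user rather than as the account owner, the file has to stay readable to that user, so the second check may not be able to come back clean; that is the shared-host limit described in the post above.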


Thanks, idallen. More food for tho't. I guess it's just another way of keeping honest people honest.

 

As I said before, I'm not totally up on these types of issues (but I'm learning quickly!).

 

Thanks again!


:) I use SmartFTP. It's uploading setup.cgi file as BINARY. Does anyone know how to change this in SmartFTP?

 

EDIT: I looked at the SmartFTP FAQ files. I found the answer. So, never mind!

Edited by malesims
