stevevan Posted July 20, 2003
Here is a link to an easy solution for those that just want a password-protected "Members Only" area of their site. It requires less than what aMember Free membership software offers, and the best part of all... it's FREE! Installation is pretty straightforward if you READ the readme.txt file that's bundled with the zip download. I had it up and running in less than 2 minutes. Check out the website for more info. www.Locked-Area.com

Lianna Posted July 20, 2003
Thanks Steve!

cmuskett Posted July 20, 2003
Oh... I like that. I may just change mine. The lite (free) one seems to have a few features that amember doesn't have.

Lianna Posted July 20, 2003
Yep, but there are some drawbacks too. One specifically identified by Steve is the members.db file is a pipe delimited flat file, not a real DB. Whereas aMember uses a MySQL db.

WHOA! Big security hole in my test install: check this out - http://stoverdatasystems.us/lockedarea/members.db

LOL ok, that's not very secure! HMMMM.

cmuskett Posted July 20, 2003
Hmmmm... just downloaded it and was looking on here where to set the perl path to... Now I don't know if I want to install it or not lol

Lianna Posted July 20, 2003
There should be a way to protect that file through chmod, but I don't have time to test it completely... Anyone else that plays around with this app that could post back any findings would be appreciated.

cmuskett Posted July 20, 2003
I wanted to try to install Locked Area to check it out but I get as far as uploading the files then when I try to install by going to http://mydomain/cgi-bin/setup.cgi I get an Internal Server Error (500). I don't know what to do next. I set all the permissions like the readme file said to do.

cmuskett Posted July 20, 2003
Never mind... I got it to work. I had to make sure the setup.cgi file was uploaded in ASCII. I had to go into my ftp program and add the .cgi extension to be uploaded in that format.

stevevan Posted July 20, 2003
I got the db list also, but only after I logged in and the script validated me as an authorized user. I'm not too up on password protection, but since the password is encrypted, would this be considered a serious security issue or not?

cmuskett Posted July 20, 2003
I've gotten it working and I really like it a lot better than amember. And I feel since the passwords are encrypted it's not too big of a problem.

Lianna Posted July 20, 2003
> I got the db list also, but only after I logged in and the script validated me as an authorized user. I'm not too up on password protection, but since the password is encrypted, would this be considered a serious security issue or not?

It appears that my members.db file is not in the protected area... I installed LockedArea to the dir /lockedarea. The area to be locked is in dir /mylockedarea. The members.db file is located in /lockedarea, which is not locked.

So, yes, provided that you specify the members.db location is within the locked area, then you should be nice and secure... until the member is logged in. Then with the specific file name, all members would be able to see the other members' profiles.

Charlotte, I wasn't really concerned with the encrypted password, but rather names and email addresses being unprotected from just any ol' bot or hacker or list finder that happened by. As a member, I'd be leery of joining a site that couldn't protect my email address.

stevevan Posted July 21, 2003
I guess it would then depend upon where you store it. If I remember correctly, in the installation process, you can specify what directory you want the database file stored. Maybe I'll try this later on tonight (unless someone else wants to). It would stand to reason that if the database was stored in some other directory (root for example) that is not publicly available, then the contents would NOT be visible simply by entering a url in a web browser. Again, I'm not that strong in this department, so by all means correct me if my thinking is off-base.

cmuskett Posted July 21, 2003
I have my members.db saved in my locked folder.

Lianna Posted July 21, 2003
Steve, you're right on. It does give you the opportunity to enter the path of the db. Surely this can be made more secure just through using correct path options. I just wanted people to be aware that the default locations (as pre-filled by LockedArea) are at risk. Post back here if you get any definitive suggestion for future users as to where the db file should be created. I'll try to tinker with some possibilities soon too.

stevevan Posted July 21, 2003
FYI... I reinstalled Locked_Area and put the members.db in an area that should not be accessible to anyone except for the people who have access to cpanel: /home/username/dbsafe/members.db. I think this may solve the question of email addresses being available. Someone else may want to hack away and let me know if my thinking is on line. BTW... it works just fine installed like that, too!

Lianna Posted July 21, 2003
YAY so it seems root placement does work? And that doesn't cause a problem during the registration/login process for members?

stevevan Posted July 21, 2003
None that I've found so far!

idallen Posted July 22, 2003
> FYI... I reinstalled Locked_Area and put the members.db in an area that should not be accessible to anyone except for the people who have access to cpanel: /home/username/dbsafe/members.db. I think this may solve the question of email addresses being available. Someone else may want to hack away and let me know if my thinking is on line.

It's only safe from web browsers. Anyone running PHP, or CGI, or shell scripts on the same server as you can read it. Web passwords only stop web browsers. They aren't good for security on shared hosts.

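The two checks this exchange turns on, as an added example that is not part of the thread or of Locked Area's own code: whether the data file sits under the web root, and whether other local accounts on the host can read it. The `public_html` web root, the row layout and the 0644 upload mode are assumptions, and `harden` only suits hosts where CGI scripts run as the account owner rather than as a shared web-server user.

```python
import os
import stat
import tempfile


def audit_data_file(db_path, web_root):
    """List the exposure problems of a flat-file member database."""
    findings = []
    db_real = os.path.realpath(db_path)      # resolve symlinks first
    root_real = os.path.realpath(web_root)
    # Under the web root, the file has a URL and the server will hand it out.
    if os.path.commonpath([db_real, root_real]) == root_real:
        findings.append("under-web-root")
    # The "other" read bit lets any local account (another customer's
    # PHP, CGI or shell script on the same host) open the file directly.
    if os.stat(db_real).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def harden(db_path):
    """Owner-only access; assumes CGI scripts run as the account owner."""
    os.chmod(os.path.dirname(os.path.realpath(db_path)), 0o700)
    os.chmod(db_path, 0o600)


def demo():
    """Constructed sample tree: default location, moved, moved and hardened."""
    with tempfile.TemporaryDirectory() as home:
        web_root = os.path.join(home, "public_html")  # assumed web root name
        default_db = os.path.join(web_root, "lockedarea", "members.db")
        moved_db = os.path.join(home, "dbsafe", "members.db")
        for path in (default_db, moved_db):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write("alice|alice@example.com|<hash>\n")  # constructed row
            os.chmod(path, 0o644)  # assumed upload mode
        before = audit_data_file(default_db, web_root)
        moved = audit_data_file(moved_db, web_root)
        harden(moved_db)
        after = audit_data_file(moved_db, web_root)
    return before, moved, after


if __name__ == "__main__":
    print(demo())
```
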
stevevan Posted July 22, 2003
Thanks, idallen. More food for tho't. I guess it's just another way of keeping honest people honest. As I said before, I'm not totally up on these types of issues (but I'm learning quickly!). Thanks again!

malesims Posted December 26, 2004
I use SmartFTP. It's uploading setup.cgi file as BINARY. Does anyone know how to change this in SmartFTP?

EDIT: I looked at the SmartFTP FAQ files. I found the answer. So, never mind!

Edited December 26, 2004 by malesims