#1
  1. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2001
    Location
    USA
    Posts
    830
    Rep Power
    14

    Password protecting a website


    Hi,

    I work at a website design company. We are currently developing a site that requires a password-protected Member section. A site done at this company before I started working here has a page that is password protected in theis manner: The page is a ColdFusion template with an HTML form that requires you to enter a username and password. The username and password are checked by querying a database that contains the usernames and passwords. If the the username and password entered in the form match both fields in a given record in the database, the template writes a cookie on the client machine and allows them to continue to browse the site. Is this a secure way of implementing password protection? All of the information I have seen regarding this talks about HTTP Authentication, which is obviously not employed in this scheme. Any information appreciated, thanks.
  2. #2
  3. No Profile Picture
    MMMM...Brains....
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2001
    Posts
    467
    Rep Power
    14

    htaccess?


    You could use htaccess. For how-to and info, goto
    http://www.perlaccess.com/tutorials/8/8.3.html
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2001
    Location
    USA
    Posts
    830
    Rep Power
    14

    Password protecting a website


    Yoey-

    Thanks for your post, but I think you missed the point of my problem -- I guess I should have explained the situation in greater detail...

    At the company I work at, we have been developing sites with ColdFusion and Access and everything has been hosted on an NT server accordingly. Now we are doing a site that requires a password protected members area, but my boss wants to keep using ColdFusion and Access. I did some research on the password protection issue and everything was telling me that I needed to be on a Unix system and use HTTP Basic Authentication, as you suggested. When I told my boss about this he told me that he already had a site with password protection, hosted on his NT server.

    So I took a look at what he was talking about and I'll describe it now in a little more detail. There is a page on the site, a ColdFusion template, with a textbox for username and one for password. You type in your username and password and click submit, then the template queries and Access database containing usernames and passwords. The SQL statement that forms the query has a WHERE clause that says WHERE username = form.username AND password = form.password, so if the user types in a valid username and password a record is returned by the query. There is then code in the template that tests to see if a record was returned; if there is, it sets a cookie on the user's machine and allows them to continue browsing; if a record is not returned, indicating that the user did not enter a username and password that are in the database, they are redirected. My question was: is that scheme secure?
  6. #4
  7. No Profile Picture
    Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2001
    Location
    SE
    Posts
    28
    Rep Power
    0

    Re: Password protecting a website


    Originally posted by JMM
    Yoey-

    . My question was: is that scheme secure?
    If You use a diagram to encrypt the password in the coockies then it should be secure... at least 99%....
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2001
    Location
    USA
    Posts
    830
    Rep Power
    14

    Password protecting a website


    feha,

    thanks for replying. This may be a stupid question, but what do you mean by "a diagram"?
  10. #6
  11. No Profile Picture
    Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2001
    Location
    SE
    Posts
    28
    Rep Power
    0
    Sorry I meant ALGORITHM...
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2001
    Location
    USA
    Posts
    830
    Rep Power
    14

    Password protection


    Ok, got you.

IMN logo majestic logo threadwatch logo seochat tools logo