Re: Digest Authentication [message #179915 is a reply to message #179913]
Wed, 19 December 2012 02:08
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 12/18/2012 8:55 PM, xkit wrote:
> On Dec 13, 8:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> On 12/13/2012 7:49 PM, dhtmlkitc...@gmail.com wrote:
>>
>>> I am trying to implement a password protected area of a site. I have never done this before.
>
> [...]
>
>> One other point - this is NOT a very good script. For instance, you
>> should NEVER use die() on a production system, especially for a
>> non-critical error. die() terminates processing of the page
>> immediately, resulting in invalid HTML at the browser.
>>
> Wow, you're right!
>
> Should I use `echo`?
>
> When testing locally, after once entering wrong credentials, I
> continue to get
> `die('Wrong Credentials!');` and am given no opportunity to enter
> correct credentials.
>
>
> 1. click "cancel"
> 2. reload.
> 3. enter wrong credentials and click "login"
> 4. reload.
>
> Desired result:
> Prompt for login credentials.
>
> Actual result:
> "Wrong Credentials!"
>
> Is PHP_AUTH_DIGEST set automatically? And how and where in the script?
> Also, what should I look for in print_r()?
>
>> Additionally, I think a very low percentage of PHP sites use such
>> authentication. Most have their own login page (using https protocol).
>
> I'm not sure if we can do https here (it's a small, low budget project
> on Yahoo Small Business). For our app, we'll use a PayPal IPN of $1 to
> access the area of the site, and we're not worried about a MIM attack to get
> free access. I convinced the site owner to use a managed, password-protected
> area of the site, in favor of password protecting the zip file
> and zipping up the site contents and giving a "hidden" URL.
>
> If HTTPS isn't in budget, I'll try to amend the linked digest script.
>
> If I'm on the wrong track, please advise other strategies for this
> simple app.
>
> Thank you,
> --
> Garrett
>
If you're doing ecommerce (even if you're using Paypal), you NEED to use
https. Otherwise your site is NOT secure. It is too easy to intercept
the data being entered - i.e. someone using a wireless hot spot, on a
cable modem at home or any of a couple of dozen other connections will
easily allow a hacker to get everything he/she wants.
And if your site is hacked, the cost of NOT using it is much, much
higher than the cost of using it. If you can't afford it, you can't
afford the site.
Read M. Strobel's post. And if you're not familiar with creating a
secure site, hire someone who is. This is not a job for a beginner.
And BTW - giving a "hidden URL" is no security at all.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
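The "Wrong Credentials!" loop described in the quoted question comes from answering a bad Authorization header with a 200 page and die(): the browser keeps re-sending the same stored credentials and never prompts again. Below is an added example (not code from this thread or from the script it discusses) of a Digest handler that re-issues the 401 challenge instead; the realm, user table and password are constructed placeholders.

```php
<?php
// Added example: HTTP Digest auth that re-challenges on bad credentials
// instead of calling die(), so the browser discards the stale credentials
// and prompts again. Realm and user are constructed sample values.
$realm = 'Members Area';
// Store HA1 = md5(user:realm:password), not the plaintext password.
$users = ['garrett' => md5("garrett:$realm:correct horse")];

function send_challenge(string $realm): void {
    http_response_code(401);
    header(sprintf(
        'WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"',
        $realm, bin2hex(random_bytes(16)), md5($realm)
    ));
    // No die() here: the caller still emits a complete HTML page.
}

// Parse the Authorization header PHP exposes in $_SERVER['PHP_AUTH_DIGEST'].
function parse_digest(string $txt): ?array {
    $needed = ['nonce', 'nc', 'cnonce', 'qop', 'username', 'uri', 'response'];
    $data = [];
    preg_match_all('@(\w+)=(?:"([^"]*)"|([^\s,]+))@', $txt, $m, PREG_SET_ORDER);
    foreach ($m as $x) {
        $data[$x[1]] = $x[2] !== '' ? $x[2] : ($x[3] ?? '');
    }
    // Reject the request if any required field is missing.
    return array_diff($needed, array_keys($data)) ? null : $data;
}

function digest_valid(array $d, array $users, string $method): bool {
    if (!isset($users[$d['username']])) return false;
    $a1 = $users[$d['username']];                 // HA1 from the user table
    $a2 = md5($method . ':' . $d['uri']);
    $expected = md5("$a1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$a2");
    return hash_equals($expected, $d['response']); // constant-time compare
}

$authorized = false;
if (isset($_SERVER['PHP_AUTH_DIGEST'])) {
    $d = parse_digest($_SERVER['PHP_AUTH_DIGEST']);
    $authorized = $d !== null && digest_valid($d, $users, $_SERVER['REQUEST_METHOD']);
}
if (!$authorized) {
    send_challenge($realm);   // fresh 401 whether the header was absent or wrong
    echo '<!DOCTYPE html><html><body><p>Login required.</p></body></html>';
    exit;
}
echo '<!DOCTYPE html><html><body><p>Welcome, '
   . htmlspecialchars($d['username']) . '</p></body></html>';
```

Digest only keeps the password itself off the wire; as the reply above says, the page content and session are still readable without HTTPS.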