Solved

Password Protecting Some Text and Not Others

Posted on 2005-02-25
Last Modified: 2010-04-17
Hello everyone,

I have a very simple website that looks like this:

When a user clicks on a link, the link loads a user control and has a parameter that tells the user control what text it should get from the WebPages table of the database. Some of the text needs to be password protected (accessible to only a few users) and the rest can be accessible to anyone.

I plan to add a “Security” column to the WebPages table that indicates whether the page is password protected (1) or not (0). Whenever the user control loads a new page it’ll check if the “Security” column contains a 1 or a 0. If it contains a 1, the user control will check to make sure the user is logged in by looking for a cookie. If no cookie is present, it’ll redirect that user to the login page.

Is this the most efficient way to go about this or is there a more efficient or easier way?

I'm new to .NET programming so please make your response fairly detailed.

Thank you,

Daniel
Question by:ltdanp21
3 Comments
 
LVL 3

Assisted Solution

by:cybertopia
cybertopia earned 400 total points
ID: 13408317
I don't know how secure you need this page to be, but if it is really password protected using something such as HTTPS, the bottom will have the padlock. One problem is that someone could just add a parameter like security=1 and make it look password protected even though it is not. Also, someone might make their own cookie and fill in the security = 1, then gain access to password protected content.

You might be able to make an MD5 password hash. Then when they log onto your server, it will check this password and run it as a parameter. If it is valid (same as the one stored on your computer), then it will secure the connection and say password protected.

Hope this helps.
0
 
LVL 24

Assisted Solution

by:SunBow
SunBow earned 800 total points
ID: 13408920
To keep it secure, first keep it physically separate, separate server, directory etc.
The complete screen can be from a merging of sources later, or .... even stored that way (merged)

> Is this the most efficient way to go about this or is there a more efficient or easier way?

If you are plying cookies, I suspect a potential problem with managing the duration of a pseudo 'login' validating user (without requiring a new password every click).  These need to be timed out (or suffer a hijacking).

If you segregate the secured too much from unsecured, the timer will expire too soon if the user gets a lot of insecure hits in a row. This may be livable, if perhaps, it is ok for them to re-enter every, what, 15 minutes or so?

The problem is the timeout, which may be only refreshed from the requests for secure pages.  So you may want to identify them once as being password required, then treat them always as separate from the anonymous users.

Of course if you have hundreds of separate authorization levels or permission levels, this would also end up too tedious.

I'd rather have two separate systems (secure, insecure) and move (make copy) the insecure pieces to the secured server, than wonder too much about tracking an approved person when they are not needing secure services. Volume could be a consideration, too.
0
 
LVL 10

Accepted Solution

by:
Andrew Beers earned 800 total points
ID: 13409271
Ok, my suggestion would be this:

Check for your cookie when your main page loads. If the cookie exists, send it to a PHP script (don't worry, PHP is the easiest language to learn in the world and it is the most versatile next to Java). The code for sending your cookie to a PHP script would be as simple as...

window.location="./login.php?a="+cookieString;

within the login.php script you need to do a few things...

at the top of the page start your session:
<?php
  session_start();

  // Next, parse your cookie string to get your user and password fields; this can be done using a split.
  // The next step is to execute your query and get the user's permissions. Once you have this
  // ($queryResult, $aUser and $aPass are the values produced by those two steps):

  $_SESSION["permissions"] = $queryResult;
  $_SESSION["user"] = $aUser;
  $_SESSION["pass"] = $aPass;

  // If you need tips on the parsing or database management from PHP, feel free to ask.
?>

Doing the session you don't need to re-execute a query with every page you visit and it is much more secure than parsing a cookie constantly. The session variables are accessible to any script called after the initial session is set.

Also for your Secure field you should do something of the following sort if using multiple user groups:
NotSecure = 0;
UserGroup1 = 1;
UserGroup2 = 2;
UserGroup3 = 4;
UserGroup4 = 8;
UserGroup5 = 16;

Doing this binary flag operator to get an integer value you can set multiple user groups and store it in a single column by adding the groups that have access together and storing the integer. This is reversed by: if the number is <16 then Group5 does not have access, if the number is <8 Group4 doesn't have access, and so on. It is easy to figure out but if you have problems I can help out if you ask.

Then all you need is an additional user / user group table to store permission values.

Thus you check the access session variable if a page is protected to see if the current user has authorization to view that html file.

Hope this helped a little more,
Aqua
0
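
An added example (not part of the original answers or the asker's code) of the server-side check this thread describes: the page's Security column holds the sum of the allowed group flags, the user's groups are kept in the session rather than in a client-supplied cookie or parameter, and membership is tested with a bitwise AND. The function name canView, the session key last_seen and the 15-minute idle limit are assumptions, and the sample data is constructed.

```php
<?php
// Group bit flags as listed in the accepted answer.
const NOT_SECURE  = 0;
const USER_GROUP1 = 1;
const USER_GROUP2 = 2;
const USER_GROUP3 = 4;
const USER_GROUP4 = 8;
const USER_GROUP5 = 16;

const IDLE_LIMIT_SECONDS = 900; // assumption: 15-minute idle timeout

/**
 * Decide whether a visitor may see a page.
 * $pageMask: value of the page's Security column (sum of allowed groups, 0 = public).
 * $session:  server-side session data; 'permissions' and 'last_seen' are set at login.
 * $now:      current Unix time, passed in so the check is easy to test.
 */
function canView(int $pageMask, array $session, int $now): bool
{
    if ($pageMask === NOT_SECURE) {
        return true;                       // public page, no login needed
    }
    if (!isset($session['permissions'], $session['last_seen'])) {
        return false;                      // not logged in: caller redirects to login
    }
    if ($now - (int) $session['last_seen'] > IDLE_LIMIT_SECONDS) {
        return false;                      // idle too long: force re-authentication
    }
    // Non-zero only when the user belongs to at least one allowed group.
    // This works for any group, not just the highest-valued one.
    return ($pageMask & (int) $session['permissions']) !== 0;
}

// Constructed sample data: a page open to groups 1 and 4, and four visitors.
$pageMask = USER_GROUP1 | USER_GROUP4;     // stored in the column as 9
$now      = 1000000;
$visitors = [
    'anonymous'      => [],
    'group 4 member' => ['permissions' => USER_GROUP4, 'last_seen' => $now - 60],
    'group 2 member' => ['permissions' => USER_GROUP2, 'last_seen' => $now - 60],
    'stale group 1'  => ['permissions' => USER_GROUP1, 'last_seen' => $now - 3600],
];

foreach ($visitors as $label => $session) {
    printf("%-15s %s\n", $label, canView($pageMask, $session, $now) ? 'allow' : 'deny');
}
printf("%-15s %s\n", 'public page', canView(NOT_SECURE, [], $now) ? 'allow' : 'deny');
```

In a real page the caller would pass `$_SESSION` and `time()`, and update `last_seen` after each allowed request.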
