Password Protecting Some Text and Not Others

Posted on 2005-02-25
Medium Priority
Last Modified: 2010-04-17
Hello everyone,

I have a very simple website that looks like this:

When a user clicks on a link, the link loads a user control and has a parameter that tells the user control what text it should get from the WebPages table of the database. Some of the text needs to be password protected (accessible to only a few users) and the rest can be accessible to anyone.

I plan to add a “Security” column to the WebPages table that indicates whether the page is password protected (1) or not (0). Whenever the user control loads a new page it’ll check if the “Security” column contains a 1 or a 0. If it contains a 1, the user control will check to make sure the user is logged in by looking for a cookie. If no cookie is present, it’ll redirect that user to the login page.

Is this the most efficient way to go about this or is there a more efficient or easier way?

I'm new to .NET programming so please make your response fairly detailed.

Thank you,

Question by:ltdanp21

Assisted Solution

cybertopia earned 400 total points
ID: 13408317
I don't know how secure you need this page to be, but if it is really password protected using something such as HTTPS, the bottom will have the padlock. One problem is that someone could just add a parameter like security=1 and make it look password protected even though it is not. Also, someone might make their own cookie and fill in the security = 1, then gain access to password protected content.

You might be able to make an MD5 password hash. Then when they log onto your server, it will check this password and run it as a parameter. If it is valid (same as the one stored on your computer), then it will secure the connection and say password protected.

Hope this helps.

Assisted Solution

SunBow earned 800 total points
ID: 13408920
To keep it secure, first keep it physically separate, separate server, directory etc.
The complete screen can be from a merging of sources later, or .... even stored that way (merged)

> Is this the most efficient way to go about this or is there a more efficient or easier way?

If you are plying cookies, I suspect a potential problem with managing the duration of a pseudo 'login' validating user (without requiring a new password every click). These need to be timed out (or suffer a hijacking).

If you segregate the secured too much from unsecured, the timer will expire too soon if the user gets a lot of insecure hits in a row. This may be livable, if perhaps, it is ok for them to re-enter every, what, 15 minutes or so?

The problem is the timeout, which may be only refreshed from the requests for secure pages. So you may want to identify them once as being password required, then treat them always as separate from the anonymous users.

Of course if you have hundreds of separate authorization levels or permission levels, this would also end up too tedious.

I'd rather have two separate systems (secure, insecure) and move (make copy) the insecure pieces to the secured server, than wonder too much about tracking an approved person when they are not needing secure services. Volume could be a consideration, too.

Accepted Solution

Andrew Beers earned 800 total points
ID: 13409271
Ok, my suggestion would be this:

Check for your cookie when your main page loads. If the cookie exists send it to a PHP script (don't worry, PHP is the easiest language to learn in the world and it is the most versatile next to Java). The code for sending your cookie to a PHP script would be as simple as...


within the login.php script you need to do a few things...

at the top of the page start your session:

  //Next you need to parse your cookie string to get your user field and password fields this can be done using a split
  //Next step is to execute your query and get the users permissions once you have this:

  $_SESSION["permissions"] = $queryResult;

  //If you need tips on the parsing or database management from php feel free to ask

Doing the session you don't need to re-execute a query with every page you visit and it is much more secure than parsing a cookie constantly. The session variables are accessible to any script called after the initial session is set.

Also for your Secure field you should do something of the following sort if using multiple user groups:
NotSecure = 0;
UserGroup1 = 1;
UserGroup2 = 2;
UserGroup3 = 4;
UserGroup4 = 8;
UserGroup5 = 16;

Doing this binary flag operator to get an integer value you can set multiple user groups and store it in a single column by adding the groups that have access together and storing the integer. This is reversed by: if the number is <16 then Group5 does not have access, if the number is <8 Group4 doesn't have access... and so on. It is easy to figure out but if you have problems I can help out if you ask.

Then all you need is an additional user / user group table to store permission values.

Thus you check the access session variable if a page is protected to see if the current user has authorization to view that html file.

Hope this helped a little more,
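
The session-plus-bit-flag check described in the answer above, written out as an added example (not code from the original post). The function names `security_mask` and `can_view` and the sample data are assumptions made for illustration; each group's bit is tested with a bitwise AND, and the permissions come from server-side session data set at login rather than from anything the browser sends.

```php
<?php
// Added example. Group values follow the answer above; the function names
// and the sample data below are constructed for illustration.
const GROUP_1 = 1;
const GROUP_2 = 2;
const GROUP_3 = 4;
const GROUP_4 = 8;
const GROUP_5 = 16;

/** Combine the groups allowed to read a page into the Security column value. */
function security_mask(int ...$groups): int
{
    $mask = 0;
    foreach ($groups as $group) {
        $mask |= $group;   // same result as adding distinct powers of two
    }
    return $mask;
}

/**
 * Decide whether a visitor may read a page.
 * $pageMask: Security column value (0 = NotSecure, readable by anyone).
 * $session:  server-side session data; 'permissions' is written at login only.
 */
function can_view(int $pageMask, array $session): bool
{
    if ($pageMask === 0) {
        return true;                    // public page, no login required
    }
    if (!isset($session['permissions'])) {
        return false;                   // not logged in: caller redirects to login
    }
    // Allowed when the user is in at least one group the page permits.
    return ((int) $session['permissions'] & $pageMask) !== 0;
}

// Constructed sample data: a page readable by groups 1 and 5.
$pageMask = security_mask(GROUP_1, GROUP_5);
$member   = ['permissions' => GROUP_5];
$outsider = ['permissions' => GROUP_2 | GROUP_4];

var_dump(can_view($pageMask, $member));
var_dump(can_view($pageMask, $outsider));
var_dump(can_view($pageMask, []));      // no session data: not logged in
var_dump(can_view(0, []));              // NotSecure page, anonymous visitor
```

In a real page, call `session_start()` first and pass `$_SESSION` as the second argument, with the first argument read from the page's Security column.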
