thenelson

secure email server / messaging system

I have an SSL account for my website. I have created a form on my website where our clients can send us a secure email through https. Is there an application, utility, coding or template where I could use my SSL website to send a client a secure message?

Something like: I send a client an email that states "You have a secure email at: barnwellmd.com/12345." The client clicks on barnwellmd.com/12345, enters a prearranged password and can then view the message.

I don't want to have to set up a secure folder via .htaccess for each client.

I am familiar with websites that provide this service but would like to set it up on my website.

TIA
Dave Baldwin

I would use a database to store the messages. A simpler way that does not use 'htaccess' is to just make the code a query string like "http://barnwellmd.com/message.php?12345asdfgh1m2m3m". PHP and MySQL have no trouble using long codes to identify and access info. You could also put the password in the database along with the message.
ASKER CERTIFIED SOLUTION
Ray Paseur
thenelson

ASKER

DaveBaldwin,

I only have a few dozen messages a month so I think setting up a MySQL database might be overkill. I like the get idea.

Ray_Paseur,

I can see how this would work. I create an array with message# => password. The php script requests the password then displays the message stored in a .htaccess protected folder. Sounds easy.
>setting up a MySQL database might be overkill
ProTip: It's never overkill; it's how web sites work best!
Then you must not be used to using databases.  It would be far easier for me to use a database than to keep track of things the way you're describing.  I probably have 99% of the code already written that I could clone to do it.
I have started a php script so I can send an email as DaveBaldwin and Ray_Paseur suggested. The query string has the file name which is also the hashed password. I realize that the hashed password is now visible in an email and a clever person might figure out it is a hashed password but they would not know the formula I am using to create the hashed number.

I plan if the user enters the correct password, the script retrieves the file from a .htaccess protected folder and displays it.

Before I continue, I wanted to post the code I have so far and see if you all think it is reasonably secure. I will, of course, change the encryption formula before really using the script.

You can try the script by going to . The password for this would be "hello there".

DaveBaldwin,
Your example uses the query string:
?12345asdfgh1m2m3m
Can this be accessed with a get without the variable name and equal sign or was that an error?

Here is the code:
<?php
session_start(); 
//get file name
$_SESSION['filename'] = $_GET["q"];
//get hashed password

if (!empty($_POST))
// WE HAVE GOT SOMETHING IN $_POST - RUN THE ACTION SCRIPT
{
    // THERE IS POST DATA - PROCESS IT
	// ACTIVATE THESE TWO LINES TO SEE WHAT IS COMING THROUGH
    //echo "<pre>"; var_dump($_FILES); var_dump($_POST); echo "</pre>\n";	echo "filename: " . $_SESSION['filename']; echo "<br/>\n";
	echo  "password: ".$_POST["password"]."<br/>\nhashed password: ".encrypt($_POST["password"])."<br/>\n";
	$temp = explode(".", $_SESSION['filename']);
	if ($temp[0] != encrypt($_POST["password"])) 
	{
		post_password_form("Incorrect password - try again");
	}
	else
	{
		echo "correct password!";
	}
}
else
{
// IF THERE IS NOTHING IN $_POST, REQUEST THE PASSWORD
post_password_form("&nbsp;");
}

//function to create the password request webpage
function post_password_form($linetext)
{
?>
<body bgcolor="#F4F4F4">
<form method="post">
	<table style="width: 764px; height: 84px;" border="0" cellpadding="0" cellspacing="0">
		<tr valign="middle">
			<td style="width: 98px; vertical-align: middle;" background="img/toplogobg.jpg">
				<img src="img/No%20ouch%20transparent%20background.png" style="border: 0px solid ; width: 88px; height: 81px;" alt="">
			</td>
			<td style="font-weight: bold; width: 552px; vertical-align: middle;" background="img/toplogobg.jpg">
				<span style="color: white; font-style: italic;">
				<big>Jane
				Barnwell, MD</big><small><br>
				<br>
				</small>Manage the cause<br>
				to manage the pain.</span>
			</td>
		</tr>
		<tr>
			<td colspan="2" align="center"><font size="5">Secure messaging system</font></td>
		</tr>
		<tr>
			<td colspan="2" align="center"><b><font size="3" color="red"><?php echo $linetext; ?></font></b></td>
		</tr>
		<tr valign="middle">
			<td colspan="2" align="center">
				<big>Enter your password: &nbsp;</big>
				<input size="30" maxlength="30" name="password" type="password">
				&nbsp;&nbsp;
				<input value="Submit" type="submit">
			</td>
		</tr>

	</table>
</form>
</body>
<?php
}

//function to encrypt the password
function encrypt($value)
{
//place the encryption formula behind return
return md5(md5($value)+375896);
}


That was just a generic suggestion.  There are a lot of things you can do with the 'Rewrite Engine' in htaccess.

Other than that, I would not do what you are trying to do.
So you present to me several more questions:
I Googled "Rewrite Engine" and don't know much more about it than when you just mentioned it (which is nothing). What does the term "Rewrite Engine" have to do with my question?

>I would not do what you are trying to do.
Why not?

>I would not do what you are trying to do.
What would you do and why would it be better?

I have frequently done things because I didn't know any better and when I got done have had more experienced people tell me that is really clever and nicely done.
"Rewrite Engine" is the 'engine' that rewrites URLs in Apache from one form to another, usually used in your '.htaccess' file.

I would put all the data, messages, and hashed passwords in a database. Then send the user a message asking them to log in with their pre-arranged username and password. A properly set up database will take care of the organization and be easily accessed with your code. And it would relieve you of having "to set up a secure folder via .htaccess for each client". Each message would occupy a single row in the database along with the password and whatever id code you required. I would make the message id code as long as practical to minimize the chance of someone guessing it along with making the passwords strong.
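
The layout suggested in the reply above (one row per message, a long message id, a hashed password), as an added example that is not code from any poster in this thread. The table, column and function names are hypothetical, and in-memory SQLite through PDO stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example (not from the thread). Table, column and function names are
// hypothetical; in-memory SQLite stands in for the MySQL database discussed.

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Store a message; returns the id to put in the notification link.
function store_message(PDO $db, string $password, string $body): string
{
    // 128-bit random id: it is not derived from the password, so the link
    // in the e-mail carries nothing that password guesses can be checked against.
    $id = bin2hex(random_bytes(16));
    // Salted, deliberately slow hash; it stays in the database only.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO messages (id, pw_hash, body) VALUES (?, ?, ?)');
    $stmt->execute([$id, $hash, $body]);
    return $id;
}

// Returns the message body, or null for an unknown id or a wrong password.
function read_message(PDO $db, string $id, string $password): ?string
{
    // Accept only the exact id format we issue before touching the database.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT pw_hash, body FROM messages WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return $row['body'];
}

// Constructed sample data for the demonstration.
$db = open_store();
$id = store_message($db, 'hello there', 'Your lab results are ready.');
echo "Link: https://example.com/message.php?q=$id\n";
var_dump(read_message($db, $id, 'hello there'));        // correct password
var_dump(read_message($db, $id, 'wrong password'));     // wrong password
var_dump(read_message($db, 'not-a-valid-id', 'x'));     // malformed id
```

With MySQL only the PDO DSN and credentials in `open_store()` change; the prepared statements and the `password_hash()` / `password_verify()` calls stay the same.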
I have expanded my script to display a text message, a pdf document or a Word document. . The script allows me to store all the messages/files in one secured folder - no need "to set up a secure folder via .htaccess for each client".
Here is a sample: https://barnwellmd.com/message.php?q=52089f67a82aac02efb603bab53c75de.txt
The password for the sample is "hello there".

I am planning to add code to the script that will allow me to create the message or upload a file which will then automatically store it and send a notification to the other person. Also a text box where the other person can send a secure reply.
DaveBaldwin,

>I probably have 99% of the code already written that I could clone to do it.
Would you be willing to share the code?
Well no because that would make me responsible for it and I don't have the time or interest.  There are a lot of scripts for similar things.