Login/Website/Database Security



GL&HF
07-11-2006, 10:39 AM
I want to learn how to make a very secure website with info available only to people who have permission to access the page.
So a few questions:

1.)
Can I hide my db so that it can be accessed ONLY by ASP scripts? If no then:
Is password protecting the database, hashing passwords and making long and complicated database names (like alphabets and numbers in weird combinations) enough to protect the database?

2.) In Firefox, when I open Tools > Page Info > Security it says "Information sent over the internet without encryption can be seen by other people while it is in transit." How do I encrypt data sent to my page/site?

3.) This is an idea; please tell me if you see any flaws in it.
If a user wants to be remembered on a computer I can add a cookie with his/her username and a code (GUID). In the database, store the code (GUID) with his/her username and password. Every time he/she opens a page, check the code with the username and delete the GUID (both cookie and in the database) and add another GUID (again db and cookie). This will make sure his/her code can't be stolen so that someone can add the same cookie to their comp and access his/her account.
Would this work?

Can I do more to protect my site?
Thanks in adv.

Twey
07-11-2006, 03:13 PM
> Can I hide my db so that it can be accessed ONLY by ASP scripts? If no then:
> Is password protecting the database, hashing passwords and making long and complicated database names (like alphabets and numbers in weird combinations) enough to protect the database?

Not quite, but you can set it to be only accessible from 127.0.0.1 (the same machine it's running on). That and a password are quite adequate.

> 2.) In Firefox, when I open Tools > Page Info > Security it says "Information sent over the internet without encryption can be seen by other people while it is in transit." How do I encrypt data sent to my page/site?

That's a long and complex process. Here are HOWTOs for Apache on *n?x (http://www.vanemery.com/Linux/Apache/apache-SSL.html) and *n?x and Windows (http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL) (less detailed).

> 3.) This is an idea; please tell me if you see any flaws in it.
> If a user wants to be remembered on a computer I can add a cookie with his/her username and a code (GUID). In the database, store the code (GUID) with his/her username and password. Every time he/she opens a page, check the code with the username and delete the GUID (both cookie and in the database) and add another GUID (again db and cookie). This will make sure his/her code can't be stolen so that someone can add the same cookie to their comp and access his/her account.

No, I don't see any huge flaws in it. Might be a bit of a strain on the server, though, if you have many users.
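
The rotating remember-me code discussed in this thread, as an added example that is not part of either post: each page load checks the cookie value against the database, then replaces it, so an old value presented again is refused. Assumptions: Python with in-memory SQLite stands in for ASP and the site's database, a random token from `secrets` stands in for the GUID, the table and function names are hypothetical, and storing only a hash plus revoking on a mismatch are additions to the scheme as posted.

```python
import hashlib
import hmac
import secrets
import sqlite3

# In-memory database standing in for the site's user store (assumption).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE remember (username TEXT PRIMARY KEY, token_hash TEXT NOT NULL)")

def _hash(token):
    # Store only a hash so a leaked table does not yield usable cookie values.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(username):
    """Create a fresh random token, store its hash, return the cookie value."""
    token = secrets.token_urlsafe(32)  # CSPRNG output in place of a GUID
    db.execute("INSERT OR REPLACE INTO remember VALUES (?, ?)", (username, _hash(token)))
    db.commit()
    return token

def check_and_rotate(username, presented):
    """Return a replacement token if the cookie is valid, else None.

    A wrong or already-used token revokes the stored one, so a replayed
    cookie ends the remember-me session instead of being accepted.
    """
    row = db.execute("SELECT token_hash FROM remember WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored and presented hashes.
    if not hmac.compare_digest(row[0], _hash(presented)):
        db.execute("DELETE FROM remember WHERE username = ?", (username,))
        db.commit()
        return None
    return issue_token(username)  # single use: the old value is overwritten

def demo():
    first = issue_token("alice")               # constructed sample user
    second = check_and_rotate("alice", first)  # normal page load, cookie rotated
    replay = check_and_rotate("alice", first)  # old cookie presented again
    after = check_and_rotate("alice", second)  # current cookie after revocation
    return second is not None, replay, after

if __name__ == "__main__":
    print(demo())
```

After a refused cookie the user has to log in with the password again, which is also the signal worth logging on the server side.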