
Security + Licensing


  • From: Jayant Kumar Gandhi  
  • Date: Mon, 2 Dec 2002 07:06:42 -0800 (PST)

Security:
Presently the password is passed through a hidden form field.
Wouldn't it be better if we used sessions? This may be
done through session cookies or by doing it at our side.
Not many changes are required even if we plan to do it at
our side:
Initially:
Make a temporary directory for sessions. (One can
always use the 'temp' directory, but it should be writable by
the server. One that is outside the web root should be
preferred.)
Modify the login/authorization section.
Whenever someone logs in, a new session is created (a file
with the person's username as text, his IP and the last
accessed time). Whenever a person views any page, the last
accessed time is changed to the current time. Before
this is done we check: if the time between the current time and the last
accessed time exceeds the session length (as set in the default
config file). If it exceeds it, delete the session file and
hence ask the person to login again by simply passing
an empty value in sessionid.
We also check if the IP from where the person logged
in is the same as the current IP for some added security.
When this is done, we delete all expired sessions
(those that were created before CurrentTime-SessionLength).
We can make the session file names based on
'LastAccessedTimeStamp.random.pl'
and we can simply pass the query to delete all
filenames less than the current timestamp.

What will be needed to do this:
Add the SessionLength variable to the config.
Make a file 'some.pm' with all the above functions.
Use it in the administration files.
Call the functions from the appropriate places :)

Benefit:
Makes the system far more secure than at present. This
method seemed the easiest to me of the few I thought of.

Licensing:
I will have the link to RingLink on all pages but do
not wish to have the version number displayed. Why?
For some extra security. If a person knows which
version of RingLink it is, he might know an exploit for
it. If he doesn't know what version it is, he will
have a harder time :)

Best Regards,
Jayant

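A file-based session store along the lines the post proposes, added here as an example; it is not RingLink's or the poster's code, and it is written in Python rather than the Perl RingLink uses. The record (username, client IP, last-access time), the inactivity expiry, the IP check and the expired-session sweep follow the post; the directory default, the file layout and the use of a random hex session id instead of a timestamp-based file name are assumptions (a name a client can predict would let one session id be guessed from another).

```python
import os
import re
import secrets
import tempfile
import time

SID_RE = re.compile(r"[0-9a-f]{32}")  # only ids this store minted may name a file


class FileSessionStore:
    def __init__(self, directory=None, session_length=1800, clock=time.time):
        self.dir = directory or tempfile.mkdtemp(prefix="sessions-")  # keep it outside the web root
        self.session_length, self.clock = session_length, clock  # clock is injectable for tests
        os.makedirs(self.dir, mode=0o700, exist_ok=True)

    def _path(self, sid):
        # Only a well-formed id may become a path component (no "../" from the query string).
        return os.path.join(self.dir, sid) if SID_RE.fullmatch(sid or "") else None

    def _write(self, path, username, ip):
        with open(path, "w") as fh:
            fh.write(f"{username}\n{ip}\n{int(self.clock())}\n")

    def create(self, username, ip):
        sid = secrets.token_hex(16)  # minted at login; a timestamp-derived name would be guessable
        self._write(self._path(sid), username, ip)
        return sid

    def validate(self, sid, ip):
        """Username if the session is live and bound to ip, else None (and the file is gone)."""
        path = self._path(sid)
        if path is None or not os.path.isfile(path):
            return None
        with open(path) as fh:
            username, stored_ip, last = fh.read().split("\n")[:3]
        if ip != stored_ip or self.clock() - int(last) > self.session_length:
            os.remove(path)  # expired or presented from another IP: force a new login
            return None
        self._write(path, username, ip)  # refresh last-access time
        return username

    def sweep(self):
        """Delete every session idle longer than session_length; return how many."""
        cutoff, expired = self.clock() - self.session_length, []
        for name in os.listdir(self.dir):
            with open(os.path.join(self.dir, name)) as fh:
                if int(fh.read().split("\n")[2]) < cutoff:
                    expired.append(name)
        for name in expired:
            os.remove(os.path.join(self.dir, name))
        return len(expired)
```

Calling `validate()` on every page view implements the "refresh last accessed time" step; `sweep()` is the periodic deletion of expired session files.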


Follow-Ups from:
Gunnar Hjalmarsson
