Hi
I wanted to add a password-protected page to a site where customers can log in and download technical PDF files. I wondered what would be the best method to do this, and any advice on how to do it would be great please.
Moderator
Posts: 5624
Joined: 2005-02-22
Posted: Mon, 2008-07-07 23:23
Best isn't very clear in these circumstances. The simplest/easiest method is to use HTTP basic access authentication. The most secure is probably to use HTTPS/SSL along with some server-side authentication or to only allow access if an authenticated VPN connection has been made.
You have to decide the actual security requirements to determine what should be implemented.
If the documents really should be secure, don't mess about - do your own research to familiarise yourself with different systems and terminology and then get in touch with someone with real expertise in this field. The familiarisation should be sufficient so that you can tell if the "expert" really does know what they are doing.
If you are just looking for something to put some barrier in the way of public access and you are willing to accept that the data is not really secured from someone with a little knowledge and some access, then HTTP basic access authentication is probably sufficient. If your webserver is Apache, it's really easy to add - most web hosts include it in their control panels. I've never had to bother implementing it on other servers so I can't comment on whether or not they have the capability or, if they do, how easy or difficult it is to implement.
On Having Layout | The One True Layout | menus by listamatic
Enthusiast
Posts: 113
Joined: 2005-03-17
Posted: Tue, 2008-07-08 19:14
Many thanks for the advice. I will have to confirm just how secure/private the information is that my customer wants to restrict access to. As far as I understand it, reports will be made available for his clients and they can download them from the web, if hosted somewhere sufficiently secure. I had thought initially that .htaccess might be the way to go, but haven't had any experience in doing that so far.
Cheers
Andy
Moderator
Posts: 5624
Joined: 2005-02-22
Posted: Tue, 2008-07-08 22:03
.htaccess normally means HTTP basic access authentication. It's handled in plain text, which means anyone who is able to see the network traffic is able to see the username and password.
On Having Layout | The One True Layout | menus by listamatic
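An added example, not posted by anyone in this thread: a minimal `.htaccess` for the HTTP basic access authentication setup discussed above, with HTTPS required so the username and password are not accepted over a plain-text connection. The realm name, user name and file paths are placeholders, and it assumes the host permits `AllowOverride AuthConfig` and has mod_ssl enabled.

```apache
# .htaccess placed in the directory that holds the PDF files.
# Added example: realm, user and paths below are placeholders.
#
# Create the password file once, from a shell on the server:
#   htpasswd -c /home/example/private/.htpasswd customer1
# (-c creates the file; omit it when adding further users.)

# Reject any request that did not arrive over HTTPS. Without this
# line the configuration below is the plain-text setup described
# in the thread: the Basic credentials travel only base64-encoded
# and are readable by anyone who can see the network traffic.
SSLRequireSSL

# HTTP basic access authentication
AuthType Basic
AuthName "Customer downloads"

# Keep the password file outside the web root so it can never be
# served as a download itself.
AuthUserFile /home/example/private/.htpasswd

# Any user listed in the password file may access this directory.
Require valid-user
```

With `SSLRequireSSL` in place a plain HTTP request is refused before any login prompt is issued, so the browser is only asked for credentials on the HTTPS URL.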