I need help w/ securing a website - Tilted Forum Project Discussion Community

zero2 · 11-02-2003, 04:42 PM

I have a website, and I need to have some sort of way of protecting it's content.

It's sort of like you need to be a regestered member of a group or forum in order to access information on the website.

It needs to have a login and password page, and it needs to be able to log in ip address so that multiple users cannot use the same password and login. The files also need to be password protected too, so that it is not possible to download a file if they don't have a password.

I know it sounds a little extreme, but I really think I need these features.

So how would I go about this, what would I need to research in order to implement this?

BoCo · 11-02-2003, 04:50 PM

Your hosting company may have a user panel where you can do this; mine does. Email them and ask.

BoCo · 11-02-2003, 04:52 PM

I should add that if they don't offer these features, then go to Gigabean.com for your hosting. They're awesome, with tons of scripts, protections and other stuff you may find useful.

I have a package that gives me 500MB of space and 20GB bandwidth per month for only $13.95.

sailor · 11-04-2003, 10:41 AM

Yeah, what you are talking about basically is .htaccess controls. You need to find out if your host lets you do this. With a .htaccess file, you can password a directory, with as many or few users as you want, and everything in that directory is protected. Its basically that little popup window that you see in most sites that are password protected.

hrdwareguy · 11-04-2003, 11:26 AM

Like sailor said, you can use an htaccess file to keep the username and password in. But I'm sure we've all seen sites like that with username and passwords listed on crack sites.

Another approach would be to keep your login info in a database such as mySQL. Then using PHP, JSP, ASP, something like that, you could requre them to enter a username and password on the main page. Check this against the values in the database and if they match, you're in. Much harder to crack this than the htaccess file.

zero2 · 11-04-2003, 01:07 PM

I guess I should describe the problem, I have a website, with content that I want to protect. I posted my website on another forum with a link to this content which we'll call for ex. a collection of mp3s.

After doing that, I have found that my website is getting overloaded, with people trying to download my stuff.

I have even been told that people have come across my website in other forums too.

The material on the website was only meant for the members of the forum that I gave my link too, however, somehow my files are ending up on other forums.

Now because most people use download managers, it's easier to just post a direct link to the file instead of going to the website.

Which is why I need some sort of security. When I was thinking about security measures, the first thing that came to mind was how porn sites deal with security, while not perfect, at least it will keep some of the leechers away.

It sounds like htaccess is something that I should look into.

I just want to thank everyone for replying, I didn't really know where I would start looking up info for my problem, thanks again for your help BoCo, sailor420, and hrdwareguy.

seretogis · 11-04-2003, 02:02 PM

zero2: You can google "htaccess" for a ton of hits with different tutorials and such. For example, here's one:

http://www.freewebmasterhelp.com/tutorials/htaccess/

If you are unable to do this, or want a more comprehensive password protected system, check out: http://celerondude.com/index.php?a=s&id=1

The above linked is an "uploader script" which allows you to password-protect content and allow others (or just yourself) to up load through a web-form. It may or may not be what you're looking for.

arch13 · 11-04-2003, 03:54 PM

Also, there are several Php scripts that will controll directory access so that a link can only be downloaded by going to a front page first, thus defeating hotlinking.
StileProject is a good working example. They use dynamic directories and (i think) php that redirects direct file access requests to a front page. You could then password the front page and effectivley kill the bandwidth drain.

zero2 · 11-04-2003, 08:56 PM

With htaccess, suppose there was a mole at the site, as long as they have a valid username and password, wouldn't anyone who was given that username and password have access to my site and could direct link so long as they had valid username and password?

Lets say I made accounts for ex. Joe, Kate, Mary, and Todd.

Each of them have their own usernames and passwords.

Suppose Todd's ip address is 64.765.543.9 and his username is leech and password is leech.

Is it possible, when Todd logs in that his ip address gets loged in, into a database.

Now suppose Todd is the mole around the forum, and he decides to be a smart -@$$ and posts my website along w/ his username leech and password leech.

With htacess, is there a way of preventing this.

Like for instance is there a way where if for ex. Chi got the password and username from Todd, and his ip address is 10.12.456.89, when he tries to download, his ipaddress is checked against login and username in the database and the system locks him out, because it doesn't match Todd's ip address of 64.765.543.9.

If possible is it possible to make a username and password expire after the session is over, meaning after they logout or complete their download?

Once again, thanks for the advice seretogis and arch13, I've learned so much, at least now know what I'm facing in terms of solutions.

seretogis · 11-04-2003, 10:08 PM

You could do the above with PHP, or pay someone to do it for you.

Dilbert1234567 · 11-05-2003, 03:37 PM

Are you hosting it with IIS

If you are its simple

Open the IIS service and select the folder/file you want to protect

Right click and select properties

Select the tab file security or directory security

Hit edit on the anonymous access

Unselect anonymous access,

Then create a new account for your system that will be the account that you can give out.

Then tweak the security level of the new account till you like it. And you’re done.

11-02-2003, 04:42 PM	#1 (permalink)
zero2 Junkie	I need help w/ securing a website I have a website, and I need to have some sort of way of protecting it's content. It's sort of like you need to be a regestered member of a group or forum in order to access information on the website. It needs to have a login and password page, and it needs to be able to log in ip address so that multiple users cannot use the same password and login. The files also need to be password protected too, so that it is not possible to download a file if they don't have a password. I know it sounds a little extreme, but I really think I need these features. So how would I go about this, what would I need to research in order to implement this?

11-02-2003, 04:50 PM	#2 (permalink)
BoCo Fear the bunny Location: Hanging off the tip of the Right Wing	Your hosting company may have a user panel where you can do this; mine does. Email them and ask. __________________ Activism is a way for useless people to feel important.

11-02-2003, 04:52 PM	#3 (permalink)
BoCo Fear the bunny Location: Hanging off the tip of the Right Wing	I should add that if they don't offer these features, then go to Gigabean.com for your hosting. They're awesome, with tons of scripts, protections and other stuff you may find useful. I have a package that gives me 500MB of space and 20GB bandwidth per month for only $13.95. __________________ Activism is a way for useless people to feel important.

11-04-2003, 10:41 AM	#4 (permalink)
sailor beauty in the breakdown Location: Chapel Hill, NC	Yeah, what you are talking about basically is .htaccess controls. You need to find out if your host lets you do this. With a .htaccess file, you can password a directory, with as many or few users as you want, and everything in that directory is protected. Its basically that little popup window that you see in most sites that are password protected. __________________ "Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." --Plato

11-04-2003, 11:26 AM	#5 (permalink)
hrdwareguy "Officer, I was in fear for my life" Location: Oklahoma City	Like sailor said, you can use an htaccess file to keep the username and password in. But I'm sure we've all seen sites like that with username and passwords listed on crack sites. Another approach would be to keep your login info in a database such as mySQL. Then using PHP, JSP, ASP, something like that, you could requre them to enter a username and password on the main page. Check this against the values in the database and if they match, you're in. Much harder to crack this than the htaccess file. __________________ Gun Control is hitting what you aim at Aim for the TFP, Donate Today

11-04-2003, 01:07 PM	#6 (permalink)
zero2 Junkie	I guess I should describe the problem, I have a website, with content that I want to protect. I posted my website on another forum with a link to this content which we'll call for ex. a collection of mp3s. After doing that, I have found that my website is getting overloaded, with people trying to download my stuff. I have even been told that people have come across my website in other forums too. The material on the website was only meant for the members of the forum that I gave my link too, however, somehow my files are ending up on other forums. Now because most people use download managers, it's easier to just post a direct link to the file instead of going to the website. Which is why I need some sort of security. When I was thinking about security measures, the first thing that came to mind was how porn sites deal with security, while not perfect, at least it will keep some of the leechers away. It sounds like htaccess is something that I should look into. I just want to thank everyone for replying, I didn't really know where I would start looking up info for my problem, thanks again for your help BoCo, sailor420, and hrdwareguy.

11-04-2003, 02:02 PM	#7 (permalink)
seretogis Huggles, sir? Location: Seattle	zero2: You can google "htaccess" for a ton of hits with different tutorials and such. For example, here's one: http://www.freewebmasterhelp.com/tutorials/htaccess/ If you are unable to do this, or want a more comprehensive password protected system, check out: http://celerondude.com/index.php?a=s&id=1 The above linked is an "uploader script" which allows you to password-protect content and allow others (or just yourself) to up load through a web-form. It may or may not be what you're looking for. __________________ seretogis - sieg heil perfect little dream the kind that hurts the most, forgot how it feels well almost no one to blame always the same, open my eyes wake up in flames

11-04-2003, 03:54 PM	#8 (permalink)
arch13 Loves my girl in thongs Location: North of Mexico, South of Canada	Also, there are several Php scripts that will controll directory access so that a link can only be downloaded by going to a front page first, thus defeating hotlinking. StileProject is a good working example. They use dynamic directories and (i think) php that redirects direct file access requests to a front page. You could then password the front page and effectivley kill the bandwidth drain. __________________ Seen on an employer evaluation: "The wheel is turning but the hamsters dead" ____________________________ Is arch13 really a porn diety ? find out after the film at 11. -Nanofever

11-04-2003, 08:56 PM	#9 (permalink)
zero2 Junkie	With htaccess, suppose there was a mole at the site, as long as they have a valid username and password, wouldn't anyone who was given that username and password have access to my site and could direct link so long as they had valid username and password? Lets say I made accounts for ex. Joe, Kate, Mary, and Todd. Each of them have their own usernames and passwords. Suppose Todd's ip address is 64.765.543.9 and his username is leech and password is leech. Is it possible, when Todd logs in that his ip address gets loged in, into a database. Now suppose Todd is the mole around the forum, and he decides to be a smart -@$$ and posts my website along w/ his username leech and password leech. With htacess, is there a way of preventing this. Like for instance is there a way where if for ex. Chi got the password and username from Todd, and his ip address is 10.12.456.89, when he tries to download, his ipaddress is checked against login and username in the database and the system locks him out, because it doesn't match Todd's ip address of 64.765.543.9. If possible is it possible to make a username and password expire after the session is over, meaning after they logout or complete their download? Once again, thanks for the advice seretogis and arch13, I've learned so much, at least now know what I'm facing in terms of solutions. Last edited by zero2; 11-04-2003 at 08:59 PM..

11-04-2003, 10:08 PM	#10 (permalink)
seretogis Huggles, sir? Location: Seattle	You could do the above with PHP, or pay someone to do it for you. __________________ seretogis - sieg heil perfect little dream the kind that hurts the most, forgot how it feels well almost no one to blame always the same, open my eyes wake up in flames

11-05-2003, 03:37 PM	#11 (permalink)
Dilbert1234567 Devils Cabana Boy Location: Central Coast CA	Are you hosting it with IIS If you are its simple Open the IIS service and select the folder/file you want to protect Right click and select properties Select the tab file security or directory security Hit edit on the anonymous access Unselect anonymous access, Then create a new account for your system that will be the account that you can give out. Then tweak the security level of the new account till you like it. And you’re done. __________________ Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen