  #1 N9ne (SitePoint Evangelist, UK, joined Aug 2002)

    User Access Control: Suggestions?

    I'm creating a website which will have various pages/functionality/information (PHP & MySQL) which is restricted based on who is viewing it. It is relevant to the employees of my organisation, but they will be based around the world. Security is paramount so I am trying to find ways to ensure unauthorised access is minimised. It will have the following security levels/features:

    - User access control. Unregistered users have no access.
    - Users are placed into usergroups. Usergroups are assigned permissions based on various pages/actions.
    - There will be an Admin usergroup which cannot be edited by non-admins. Some permissions will also be restricted to this usergroup.
    - There will be a superadmin who cannot be edited by anyone else regardless of admin status.
    - All actions that impact the database are logged with IP, time, user info.


    Login page

    - md5 or sha1 encryption on passwords and combination with 'salt' from user's database entry.
    - access is controlled via session hashes.
    - 10 failed logins -> blocked for x hours
    - failed logins are logged & emailed to predetermined users' email addresses
    - all successful logins are also monitored. If the geographical location of the login differs from the previous login on the same account, this is flagged and emailed.


    Now the problem I'm having is if someone gets hold of someone else's password, there's not much else that I can do. The security stops there. What I'm looking for is further security steps in front of this.

    One idea I have is a daily, random, "global" password in addition to user account passwords. This will be generated every day (say at 2am) and emailed to "supervisors" who will actually meet or are in regular contact with people likely to use the website/system. That way, even if someone gets hold of someone's password, without knowing that day's global password, they won't be able to get in. This means any potential unauthorised entry will require knowing someone in the organisation who has the global password and is willing to give it over.

    I could also check if the same account logs in from different geo locations in the same x hours/day.

    Perhaps even more stringent security would be that upon registration of a user, they have to register their access points which binds their account to certain IPs.

    Does anyone have any tips on hardening security? I don't mind ideas which are a little inconvenient for the users, because they are employees of an organisation so they don't require so much flexibility in access.

  #2 Jake Arkinstall (Theoretical Physics Student, Lancaster University, UK, joined May 2006)
    If your employees travel, binding their account to an IP address is a failure waiting to happen, so don't go thinking about that until you're confident that your method is foolproof. Also static IPs aren't always viable, so even someone sitting at the same desk might have different IP addresses from day to day.

    The global password could be sent out via SMS rather than requiring people to meet up daily - that prevents problems due to incompetence.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona

  #3 N9ne (SitePoint Evangelist, UK, joined Aug 2002)
    Nice idea on the SMS. Definitely something I'll look into.

    Re: travelling employees, I think I will have to think about this one. In most cases, employees will not travel. It will only be the senior management that will be travelling.

    This has got me thinking about online banking security. Those little keypads that they give out - I wonder how costly these might be? A cheap solution to generate codes that match up might be worth considering too. This will alleviate the travelling problem somewhat.

  #4 guido2004 (From Italy with love, joined Sep 2004)
    Originally posted by N9ne:
    This has got me thinking about online banking security. Those little keypads that they give out - I wonder how costly these might be? A cheap solution to generate codes that match up might be worth considering too. This will alleviate the travelling problem somewhat.

    Nowadays banks don't use those little keypads anymore (my bank still does, actually, but they're 10 years behind all others), they send those codes in an SMS. Much more convenient, no need to bring extra stuff with you, your cell phone is enough.
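
The "codes that match up" from the keypad/SMS discussion in posts #3 and #4, and the daily global password from post #1, are both instances of an HMAC-based one-time code (RFC 4226 HOTP / RFC 6238 TOTP). The following is an added example in Python, not code from any poster: it generates such codes and verifies them with a small clock-drift window, a constant-time compare and a replay check, and generalises the same function to a 24-hour step that rotates at 02:00 UTC as the first post proposed. The secret is the RFC 4226 test key; `last_used` is an assumed value the application would persist per user.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): the counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, int(at) // step, digits)


def daily_code(secret: bytes, at: int, rotate_hour: int = 2, digits: int = 8) -> str:
    """The 'daily global password' variant: one code per 24 h, rotating at
    rotate_hour:00 UTC (shift the clock back before dividing by a day)."""
    return hotp(secret, (int(at) - rotate_hour * 3600) // 86400, digits)


def verify_code(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1):
    """Return the counter the code matched, or None.  Accepts `window` steps on
    either side for clock drift, compares in constant time, and refuses any
    counter <= last_used so each code is redeemable once (caller stores the
    returned counter as the new last_used; assumed persistence, not shown)."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


# Constructed demo with the RFC 4226 test secret (ASCII "12345678901234567890").
if __name__ == "__main__":
    key = b"12345678901234567890"
    print(hotp(key, 0), totp(key, 59), daily_code(key, 5 * 86400 + 7200))
    print(verify_code(key, totp(key, 59), 59))
```

The code is only as strong as the secret's delivery channel and the phone it lands on, so the SMS step replaces "knowing someone with the password" with "holding that person's phone"; it does not remove the need for the lockout and login alerting already in the design.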

  #5 N9ne (SitePoint Evangelist, UK, joined Aug 2002)
    Originally posted by guido2004:
    Nowadays banks don't use those little keypads anymore (my bank still does, actually, but they're 10 years behind all others), they send those codes in an SMS. Much more convenient, no need to bring extra stuff with you, your cell phone is enough.

    Really? It sounds like you're not in the UK then, because most banks here seem to still use those pesky card readers!
