
This is nonsensical.

 

What are you trying to do? Is this some kind of homegrown CAPTCHA to stop bots? Then you should instead use a professional CAPTCHA (like Google's reCAPTCHA) together with PHP sessions. The session will keep the user “logged in” after they've solved the CAPTCHA. Or are you trying to authenticate users? Then you should instead implement a proper authentication system (e. g. password-based Basic Authentication).

 

Whitelisting client IPs is usually a very bad idea, especially when you just pile them up in some poor man's database. Client IPs are constantly reused and shared, sometimes among thousands of unrelated users. If you keep adding those IPs to your “whitelist”, you'll quickly end up whitelisting half of the Internet population.

https://forums.phpfreaks.com/topic/300035-create-a-php-page/#findComment-1528719

This is nonsensical.

 

What are you trying to do? Is this some kind of homegrown CAPTCHA to stop bots? Then you should instead use a professional CAPTCHA (like Google's reCAPTCHA) together with PHP sessions. The session will keep the user “logged in” after they've solved the CAPTCHA. Or are you trying to authenticate users? Then you should instead implement a proper authentication system (e. g. password-based Basic Authentication).

 

Whitelisting client IPs is usually a very bad idea, especially when you just pile them up in some poor man's database. Client IPs are constantly reused and shared, sometimes among thousands of unrelated users. If you keep adding those IPs to your “whitelist”, you'll quickly end up whitelisting half of the Internet population.

No. The point of using this is to allow only several people to access that page, so they will get access again if their IP changes.

Let's say I have an admincp control panel. I only want 3 people to access that panel, so I tell them to go into this page (which is the .php page). Once they complete the verification, they will be granted access to the admincp (by automatically adding their IP to the whitelist). I find this useful because instead of me adding their IPs manually they can just do it from that page.

Edited by araleush
https://forums.phpfreaks.com/topic/300035-create-a-php-page/#findComment-1528729

No. The point of using this is to allow only several people to access that page, so they will get access again if their IP changes.

Let's say I have an admincp control panel. I only want 3 people to access that panel, so I tell them to go into this page (which is the .php page). Once they complete the verification, they will be granted access to the admincp (by automatically adding their IP to the whitelist). I find this useful because instead of me adding their IPs manually they can just do it from that page.

 

Obfuscation is not a valid form of security. If you want to prevent unauthorized users from accessing the admin page, then implement an authentication mechanism.

https://forums.phpfreaks.com/topic/300035-create-a-php-page/#findComment-1528731

Obfuscation is not a valid form of security. If you want to prevent unauthorized users from accessing the admin page, then implement an authentication mechanism.

In this case the admin CP already has an authentication mechanism; this is just to double up the security.

Nvm, I got what I wanted in some way.

this: http://stackoverflow.com/questions/25344715/programmatically-add-ip-address-to-htaccess-file-from-mysql-table-and-block-use

Edited by araleush
https://forums.phpfreaks.com/topic/300035-create-a-php-page/#findComment-1528732

What makes you think your admin panel is more secure now?

 

The IP whitelist you've proposed is extremely poor (as it's based on the naive assumption that one IP address equals one person), and the implementation is even worse. Of course you might say that it's still better than nothing, but that's not the case. This .htaccess hack only gives you a false sense of security and distracts you from the real solutions.

 

You want to protect the admin panel?

  • Force the admins to use purely random passwords which are stored in a password manager like KeePass. If the passwords are sufficiently long (e. g. 32 hexadecimal characters), they're effectively immune to many attacks.
  • Make sure you use a strong password hash algorithm like bcrypt.
  • For even more security, consider using public-key authentication via TLS instead of password-based authentication. This requires some technical knowledge, though.
  • Double-check your code for common security vulnerabilities (especially cross-site scripting, SQL injections and cross-site request forgery).

Unlike your homegrown IP stuff, those features actually work and have proven themselves in practice many times.

https://forums.phpfreaks.com/topic/300035-create-a-php-page/#findComment-1528765
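
The password recommendations in the post above, as an added example that is not part of the original thread: a 32-hex-character random password, a bcrypt hash, and a login check bound to the PHP session instead of the client IP. The function names and the in-memory `$admins` array are assumptions for illustration; a real panel would load the hashes from its user table.

```php
<?php
declare(strict_types=1);

/** Create a 32-hex-character random password and its bcrypt hash (hypothetical helper). */
function provisionAdmin(): array
{
    $password = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, 32 hex characters
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Hand the password to the admin once (for their password manager); store only the hash.
    return ['password' => $password, 'hash' => $hash];
}

/** Verify credentials and record the result in the session (hypothetical helper). */
function login(array $admins, string $user, string $password): bool
{
    // Unknown users are checked against a dummy hash so response time does not reveal valid names.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
    $hash = $admins[$user] ?? $dummy;
    if (!(password_verify($password, $hash) && isset($admins[$user]))) {
        return false;
    }
    session_regenerate_id(true);             // fresh session ID after login (prevents fixation)
    $_SESSION['admin'] = $user;
    return true;
}

/** Call at the top of every admin page: access depends on the session, not the IP address. */
function requireAdmin(): void
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed demo for the command line: one admin, one correct and one wrong password.
if (PHP_SAPI === 'cli') {
    session_start();
    $cred = provisionAdmin();
    $admins = ['alice' => $cred['hash']];    // constructed sample account
    var_dump(login($admins, 'alice', $cred['password']));
    var_dump(login($admins, 'alice', 'guess'));
}
```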
