araleush Posted December 28, 2015

Hello, I'd want to create a page that will be like a random question and you will have to type the right answer, once you click on "submit" and you're right your IP will be added to the .htaccess file that I have (in order to whitelist the IP).

Is this hard to do? Thanks

Jacques1 Posted December 28, 2015

This is nonsensical. What are you trying to do?

Is this some kind of homegrown CAPTCHA to stop bots? Then you should instead use a professional CAPTCHA (like Google's reCAPTCHA) together with PHP sessions. The session will keep the user “logged in” after they've solved the CAPTCHA.

Or are you trying to authenticate users? Then you should instead implement a proper authentication system (e.g. password-based Basic Authentication).

Whitelisting client IPs is usually a very bad idea, especially when you just pile them up in some poor man's database. Client IPs are constantly reused and shared, sometimes among thousands of unrelated users. If you keep adding those IPs to your “whitelist”, you'll quickly end up whitelisting half of the Internet population.

araleush (Author) Posted December 28, 2015 (edited)

> This is nonsensical. What are you trying to do?
>
> Is this some kind of homegrown CAPTCHA to stop bots? Then you should instead use a professional CAPTCHA (like Google's reCAPTCHA) together with PHP sessions. The session will keep the user “logged in” after they've solved the CAPTCHA.
>
> Or are you trying to authenticate users? Then you should instead implement a proper authentication system (e.g. password-based Basic Authentication).
>
> Whitelisting client IPs is usually a very bad idea, especially when you just pile them up in some poor man's database. Client IPs are constantly reused and shared, sometimes among thousands of unrelated users. If you keep adding those IPs to your “whitelist”, you'll quickly end up whitelisting half of the Internet population.

No. The point of using this is to allow only several people to access that page, so they will get access again if their IP changes.

Let's say I have an admincp control panel, I only want 3 people to access that panel so I tell them to go into this page (which is the .php page), once they complete the verification they will be granted access to the admincp (by automatically adding their IP to the whitelist).

I find this useful because instead of me adding their IPs manually they can just do it from that page.

Edited December 28, 2015 by araleush

Psycho Posted December 28, 2015

> No. The point of using this is to allow only several people to access that page, so they will get access again if their IP changes.
>
> Let's say I have an admincp control panel, I only want 3 people to access that panel so I tell them to go into this page (which is the .php page), once they complete the verification they will be granted access to the admincp (by automatically adding their IP to the whitelist).
>
> I find this useful because instead of me adding their IPs manually they can just do it from that page.

Obfuscation is not a valid form of security. If you want to prevent unauthorized users from accessing the admin page, then implement an authentication mechanism.

araleush (Author) Posted December 28, 2015 (edited)

> Obfuscation is not a valid form of security. If you want to prevent unauthorized users from accessing the admin page, then implement an authentication mechanism.

In this case the admin CP already has an authentication mechanism, this is just to double up the security.

Nvm I got what I wanted in some way.. this: http://stackoverflow.com/questions/25344715/programmatically-add-ip-address-to-htaccess-file-from-mysql-table-and-block-use

Edited December 28, 2015 by araleush

Jacques1 Posted December 28, 2015

This is still complete nonsense, but apparently you don't care.

araleush (Author) Posted December 28, 2015

> This is still complete nonsense, but apparently you don't care.

What's the problem in having a better secured admin panel?

Jacques1 Posted December 28, 2015

What makes you think your admin panel is more secure now?

The IP whitelist you've proposed is extremely poor (as it's based on the naive assumption that one IP address equals one person), and the implementation is even worse. Of course you might say that it's still better than nothing, but that's not the case. This .htaccess hack only gives you a false sense of security and distracts you from the real solutions.

You want to protect the admin panel?

- Force the admins to use purely random passwords which are stored in a password manager like KeePass. If the passwords are sufficiently long (e.g. 32 hexadecimal characters), they're effectively immune to many attacks.
- Make sure you use a strong password hash algorithm like bcrypt.
- For even more security, consider using public-key authentication via TLS instead of password-based authentication. This requires some technical knowledge, though.
- Double-check your code for common security vulnerabilities (especially cross-site scripting, SQL injections and cross-site request forgery).

Unlike your homegrown IP stuff, those features actually work and have proven themselves in practice many times.
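
The password advice in the post above, sketched in PHP as an added example that is not part of the thread: random 32-hex-character passwords, bcrypt storage, and a login check. The usernames, the in-memory `$admins` array (standing in for a database table) and the bcrypt cost of 12 are assumptions.

```php
<?php
declare(strict_types=1);

/** 16 random bytes from the OS CSPRNG = 32 hexadecimal characters (128 bits). */
function generate_admin_password(): string
{
    return bin2hex(random_bytes(16));
}

/** Hash for storage with bcrypt; the cost of 12 is an assumed value, tune it to your hardware. */
function hash_admin_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Check a login attempt. $admins maps username => bcrypt hash
 * (hypothetical in-memory store standing in for a database table).
 */
function verify_admin(array $admins, string $user, string $password): bool
{
    // Unknown users are checked against a dummy hash, so the response time
    // does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);

    $known = isset($admins[$user]);
    $ok = password_verify($password, $known ? $admins[$user] : $dummy);
    return $ok && $known;
}

// Constructed sample data: enroll three admins. Each plain password is shown
// to its owner once (to be saved in a password manager); only the hash is kept.
$admins = [];
$issued = [];
foreach (['alice', 'bob', 'carol'] as $name) {
    $issued[$name] = generate_admin_password();
    $admins[$name] = hash_admin_password($issued[$name]);
}

var_dump(verify_admin($admins, 'alice', $issued['alice']));   // correct password
var_dump(verify_admin($admins, 'alice', $issued['bob']));     // another admin's password
var_dump(verify_admin($admins, 'mallory', $issued['alice'])); // unknown username
```

Unlike an IP whitelist, this check is tied to the person holding the secret, so it keeps working when an admin's address changes and does not admit other users who share that address.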