Thanks Wolf,

Will there be a problem keeping 2 sessions from 2 websites running in one
browser? I will need one to validate the CMS login and one running in the
other website to ensure that $_SESSION['my_site'] is set?

BTW I'm sure you know, but image phishing can be resolved with mod_rewrite.

"Wolf" <LoneWolf@xxxxxxxxx> wrote in message
news:4443FEE9.1070108@xxxxxxxxxxxx
> Personally I would use it as part of the session and verify it that way...
>
> ie: check to see if the $PHP_SELF is www.mycms.com, if not refresh the
> page to that URL automatically and then make them do the login. Only
> after logging in does the session key get the "mysite=true" key or
> whatever you want to check for.
>
> That SHOULD keep it from getting hacked, as you're basically verifying at
> the beginning that you are only allowing entry from your location.
>
> You should also be making sure that your server does not allow others to
> host primary images so that nobody could phish your site. PayPal and
> Chase are really lamely set up which is making phishing easier for
> people who use them.
>
> My $.02
>
> Wolf
>
> Shaun wrote:
>> Hi,
>>
>> Thanks for your reply, just had a thought: How secure would it be if I
>> made sure that the URL of the browser was www.mycms.com and only allow
>> access to pages in the /cms folder if true?
>>
>> Is this safe or an easy hack?
>>
>>
>> "Wolf" <LoneWolf@xxxxxxxxx> wrote in message
>> news:4443E960.2070403@xxxxxxxxxxxx
>>> So, swap your CMS logins to use the same access code for the user, then
>>> use sessions to swap the mysql stuff in where needed.
>>>
>>> Or make it use a mysql call from the CMS login to access their mysql
>>> information from another table and do it that way.
>>>
>>> 1 login, 1 password, very user friendly.
>>>
>>> And only 1 place to have to worry about changing files.
>>>
>>> HTH,
>>>
>>> Wolf
>>>
>>>
>>> Shaun wrote:
>>>> I see your point, the only problem is that the user will have already
>>>> logged once into the CMS, logging in again would be a little
>>>> frustrating and not very user friendly...
>>>>
>>>>
>>>> ""Weber Sites LTD"" <berber@xxxxxxxxxxxxxxx> wrote in message
>>>> news:2f9101c6624d$00964610$6901a8c0@xxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> I think that you are looking at this from the wrong angle.
>>>>> What you should do is password protect all CMS directories,
>>>>> and then anyone that needs access has to punch in a valid
>>>>> username and password.
>>>>>
>>>>> Have a look at : http://sourceforge.net/projects/modauthmysql/
>>>>>
>>>>> Sincerely
>>>>>
>>>>> berber
>>>>>
>>>>> Visit the Weber Sites Today,
>>>>> To see where PHP might take you tomorrow.
>>>>> PHP code examples : http://www.weberdev.com
>>>>> PHP & MySQL Forums : http://www.weberforums.com
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Shaun [mailto:shaunthornburgh@xxxxxxxxxxx]
>>>>> Sent: Monday, April 17, 2006 2:52 PM
>>>>> To: php-general@xxxxxxxxxxxxx
>>>>> Subject: Re: Including files from another site
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for your reply, sorry I should have been a little clearer in my
>>>>> explanation. Here goes...
>>>>>
>>>>> I have a dedicated UNIX server with many websites on it. On this
>>>>> server I have also created a Content Management System which has a
>>>>> database which I use to store HTML content for all the other websites.
>>>>> Each website has a database connection to the CMS database to retrieve
>>>>> the HTML for its pages.
>>>>>
>>>>> Each website that uses its own database has a folder called /cms and
>>>>> in here I keep all the database admin scripts for that website. I want
>>>>> these pages to only be accessible from within the CMS website and
>>>>> nothing else.
>>>>> So when the user is in the CMS they can click on database admin and it
>>>>> will include the pages in that website's /cms folder.
>>>>>
>>>>> My question is how can I ensure that the CMS is the only website that
>>>>> can access these scripts securely?
>>>>>
>>>>> Thanks for your advice.
>>>>>
>>>>>
>>>>> ""Weber Sites LTD"" <berber@xxxxxxxxxxxxxxx> wrote in message
>>>>> news:2a6601c6621b$fa43bc60$6901a8c0@xxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> I'm not sure I understand what you are trying to do.
>>>>>> What is the connection between frames and security?
>>>>>>
>>>>>> In general, assuming that all users have access to the same scripts,
>>>>>> you need to include in all of your scripts some kind of security
>>>>>> logic that tells the script which user can do what.
>>>>>>
>>>>>> Usually you would want to also allow group access rather than user
>>>>>> access for easier maintenance.
>>>>>>
>>>>>> You should keep a user table with user, password and privileges.
>>>>>> There are endless ways to do this and you need to choose what is best
>>>>>> for your site.
>>>>>>
>>>>>> Have a look at some relevant code examples:
>>>>>> http://www.weberdev.com/AdvancedSearch.php?searchtype=title&search=auth
>>>>>>
>>>>>> berber
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Shaun [mailto:shaunthornburgh@xxxxxxxxxxx]
>>>>>> Sent: Monday, April 17, 2006 12:46 PM
>>>>>> To: php-general@xxxxxxxxxxxxx
>>>>>> Subject: Including files from another site
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have created a CMS where all sites on our server are administrated
>>>>>> from one central site, and HTML content is stored in the CMS
>>>>>> database.
>>>>>>
>>>>>> I want users to all control their sites' database functions from the
>>>>>> CMS site, but I want to keep the database and database admin scripts
>>>>>> in the individual website account to keep things simple.
>>>>>> So I need to be able to include these scripts within the CMS site but
>>>>>> keep them secure. I have tried using frames but I can't keep a session
>>>>>> going in the database admin scripts, is there a better way to do
>>>>>> this?
>>>>>>
>>>>>> Any advice would be greatly appreciated.
>>>>>>
>>>>>> --
>>>>>> PHP General Mailing List (http://www.php.net/)
>>>>>> To unsubscribe, visit: http://www.php.net/unsub.php
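
The approach discussed in the thread (send the browser to www.mycms.com, log in there, then check a session key before running anything in /cms) could be written as the guard below. This is an added example, not code from any poster in the thread; the function names, the /login.php path and the https scheme are assumptions, and it assumes the /cms scripts are requested under the CMS host name so that the CMS session cookie accompanies the request.

```php
<?php
// Added example. www.mycms.com and $_SESSION['my_site'] come from the thread;
// the function names and /login.php are hypothetical.
const CMS_HOST = 'www.mycms.com';

// Decide whether a request may run a /cms admin script.
function cms_request_allowed(array $server, array $session): bool
{
    // HTTP_HOST is copied from the client's Host header, so matching it
    // only tells us which URL was asked for, not who is asking.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if ($host !== CMS_HOST) {
        return false;
    }
    // The actual gate: a flag stored server-side by the CMS login handler.
    return ($session['my_site'] ?? null) === true;
}

// Call from the CMS login handler once the password has been verified.
function cms_mark_logged_in(): void
{
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['my_site'] = true;
}

// Call at the top of every script in a /cms folder.
function cms_guard(): void
{
    session_start();
    if (!cms_request_allowed($_SERVER, $_SESSION)) {
        header('Location: https://' . CMS_HOST . '/login.php', true, 302);
        exit;
    }
}

// Constructed requests; run this file with the PHP CLI to see the decisions.
if (PHP_SAPI === 'cli') {
    $cases = [
        'right host, no login'  => [['HTTP_HOST' => 'www.mycms.com'], []],
        'right host, logged in' => [['HTTP_HOST' => 'www.mycms.com'], ['my_site' => true]],
        'other host, logged in' => [['HTTP_HOST' => 'www.example.org'], ['my_site' => true]],
    ];
    foreach ($cases as $label => [$server, $session]) {
        printf("%-22s %s\n", $label, cms_request_allowed($server, $session) ? 'allow' : 'deny');
    }
}
```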