CoverYourASP --> Security
The problem with giving away a whole site for free is that there are certain things you want kept secret! For example, in the new generic database administration pages I had to stop you from seeing the actual email addresses of people who had subscribed to my newsletter. But I needed to see them through the same browser! Another example is the page where I mail my newsletter.

First, I used to ask for the password in a form field, but with the latest articles it became impractical - some pages didn't even have a form! Second, I used the database path as a password, which was good because you need to set full read/write/create permissions on that folder, and therefore it's a very good idea to keep the database in a secret folder! That stopped working while changing over from Access to SQL Server, when the path became a little more complex!

Now I use a secret word hardcoded into include/config.asp, and changed regularly. As downloaded the word is SECRET. This password is added to the URL of the page. For example, to access this page with the password you would type:

http://CoverYourASP.com/Security.asp?SECRET=1

To help write the pages there's a helper function called LookForMagicWord(), defined in utils/Init.asp. Calling this function sets up two variables for you to use:

bValidUser - set to non-zero when the valid password appears in the URL.

sMagicWord - set to "&SECRET=1" when the password is found. Use this in related links to pass the password to other pages.
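To show how a page would use the two variables described above, here is an added illustration of a LookForMagicWord() helper and a protected page that calls it. This is example code written for this page, not the real utils/Init.asp or include/config.asp from CoverYourASP; the constant name MAGIC_WORD and the Admin.asp link are assumptions, and the secret word is defined inline instead of being pulled in from the include file.

```vbscript
<%
' Added example (not CoverYourASP's own code). Assumes a constant MAGIC_WORD
' holding the secret word that the site keeps in include/config.asp.
Const MAGIC_WORD = "SECRET"   ' the word as downloaded; change it regularly

Dim bValidUser, sMagicWord

' Looks for the secret word as a query-string parameter, e.g. ...?SECRET=1,
' and sets the two variables the page text describes.
Sub LookForMagicWord()
    bValidUser = 0
    sMagicWord = ""
    ' Request.QueryString returns an empty string when the parameter is absent.
    If Request.QueryString(MAGIC_WORD) <> "" Then
        bValidUser = 1
        sMagicWord = "&" & MAGIC_WORD & "=1"
    End If
End Sub

' Usage on a protected page: show the real data only to a valid user and
' carry the word along in related links so the next page sees it too.
Call LookForMagicWord()
If bValidUser Then
    Response.Write "<a href=""Admin.asp?table=subscribers" & sMagicWord & """>Subscribers</a>"
    ' ... render the real email addresses here ...
Else
    ' ... render the masked view that everyone else sees ...
End If
%>
```

Because the word travels in the query string, it is recorded wherever URLs are recorded: the web server's access log, the visitor's browser history, and the Referer header sent to any site linked from a protected page. Keeping the word out of every visible href except those built from sMagicWord, and rotating it as the page suggests, limits how long a leaked copy stays useful.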