Learning about Internet Security

Protecting portions of your web site

The fundamental reason for using a web site is to provide information and/or products to the general public. So what do you do when you need to put something on your web site that will not be made available to the general public? How do you protect your sensitive web pages from the public?

One method is to put the sensitive web pages on your web site but not offer a link to them from your normal web pages. However, this is not a very safe method. It is still possible for "crackers" to obtain a directory listing of your web pages and then type the name of a sensitive web page directly into the web browser.

Another method is to attach a JavaScript password-protection filter to your web page. This forces the visitor to enter a valid ID and password before the rest of the web page appears. The problem is that the visitor can look in their web browser cache, find the source file for your web page, locate an ID and password within the code, and effectively defeat your security precautions.

Probably the most effective method for keeping your sensitive information safe is to place it in a sub-web. Just like a sub-folder (which is really what a sub-web is), a sub-web can only be found underneath its parent (in our case, your domain name). Your sub-web can then be password protected by the web server.

The advantage of this type of password protection is that the test is performed by the web server, not by the web page. Unlike password protection applied by the web server, password protection offered by the web page must also carry all of the authorized IDs and passwords as part of the page itself. Obviously, this is not a very secure method. It's sort of like keeping a list of IDs and passwords in a manila folder next to the security keypad: it is out of sight, but it is not very hard to open and look at.

When password protection is applied to a sub-web, you must first pass the web server's password check before any information is downloaded. Since the "cracker" gets no web page content to search through, they must now find a way to break into the web server itself to look for your authorization information. This is a considerably more difficult task for them.

From a web development viewpoint, using a sub-web is also much more cost-effective. It is a small matter to apply password protection to a sub-folder and then place normal web pages behind the protection of the web server. It is considerably more difficult and less cost-effective to apply individual password protection on a per-page basis. This becomes even more evident when you consider the task of reconciling password information across a large number of documents: each web page would need to be evaluated and/or edited whenever an authorized user's security clearance changes.
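The following is an added illustration, not code from the original article, of the server-side check described above: the web server decides whether to release a page from the protected sub-folder before a single byte of it is sent, the ID/password list lives only on the server as salted hashes (never inside the page source, unlike the JavaScript filter discussed earlier), and directory listings of the protected folder are refused so that the unlinked-page problem does not reappear. All names, paths, users and passwords here are made-up assumptions; a production site would normally use the web server's own mechanism (for example Apache's Basic authentication with an htpasswd file) rather than hand-written code.

```python
"""Server-side gate for a protected sub-folder (constructed example).

The check runs on the server before any protected content is sent, so the
page source never contains IDs or passwords. Credentials are stored only as
salted PBKDF2 hashes, and the protected folder refuses directory listings.
Everything here (paths, users, passwords) is made up for illustration.
"""
import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Constructed site content: one public page and one page in the protected
# sub-folder. A real deployment would read these from disk.
PAGES = {
    "/index.html": b"<h1>Public page</h1>",
    "/members/report.html": b"<h1>Members-only report</h1>",
}
PROTECTED_PREFIX = "/members/"  # hypothetical "sub-web"


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Hypothetical credential store: the server-side counterpart of the ID and
# password list that a page-embedded script would have to carry around.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}


def basic_header(userid: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode()).decode()


def verify_credentials(header: Optional[str]) -> bool:
    """True only for a well-formed Basic header naming a valid user and password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        userid, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    record = USERS.get(userid)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def handle_request(path: str, authorization: Optional[str]) -> Tuple[int, bytes]:
    """Decide the response for a GET before touching any protected content.

    Returns (status, body). A request inside the protected prefix gets 401 and
    an empty body unless the credentials check out, so an unauthenticated
    visitor never receives page source to search through.
    """
    if path.startswith(PROTECTED_PREFIX):
        if not verify_credentials(authorization):
            return 401, b""
        if path.endswith("/"):
            # No directory listings of the protected folder, even when logged in.
            return 403, b""
    body = PAGES.get(path)
    if body is None:
        return 404, b""
    return 200, body


class GateHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end around handle_request."""

    def do_GET(self):
        status, body = handle_request(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            # Tells the browser to prompt for an ID and password.
            self.send_header("WWW-Authenticate", 'Basic realm="members"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve on localhost; visit /members/report.html to see the prompt.
    HTTPServer(("127.0.0.1", 8080), GateHandler).serve_forever()
```

The point of the design is visible in handle_request: the branch for the protected prefix returns before PAGES is consulted, so nothing under the sub-web is ever read, let alone transmitted, until the server-side check has passed.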

In conclusion, password-protected sub-webs are a reasonable method for protecting your sensitive information from outsiders, and they offer greater security than pages that rely on built-in security scripting. Password-protected sub-webs can also prevent search engines from locating and listing your secured web site information.

Next Month's Topic: Internet Viruses

By Steve Duell
ASIS SFBA Webmaster