[thelist] large numbers of secure directories and client uploads: the best option?

Tony Page zamba at zamba.com
Mon Apr 16 19:57:41 CDT 2001


Thanks to all who replied, this list has been amazingly busy over Easter,
don't you guys take holidays?!

>It is really easy and effective to use simple ASP (JavaScript) for checking
>User login and password comparing the input values with the database stored
>values <snip> Yevgeni

That's encouraging, and obviously if there's a solution that doesn't involve
a platform change I'm sure the client would be grateful. The current ISP
offers Authentix on the NT servers, anyone used that? Actually, I'm a bit
concerned about the security aspects on NT, and need to check further,
especially after reading Philippe's links, especially
http://unix-vs-nt.org/kirch/

>Whatever solution you choose, if I were you I would write a thorough
>disclaimer, explaining about server security holes, software security and
>how you can never ever guarantee 100% security on the net,....<snip> Peter
>Van Dijk

As I was a lawyer in a previous incarnation, I would endorse Peter's
exhortation to build in a disclaimer on the security question, and will
certainly do so.

>I wouldn't want the hassle of maintaining a whole bunch of password
>protected directories. If you use random numbers - *large* random numbers -
>as filenames, it's going to be about as secure...<snipped many additional
>suggestions> - deke

Deke's different approach has made me re-evaluate my first assumptions. His
point about NOT putting the input-data form on server but on the doctor's
computer is a good one giving added security. But having a drop-down box
with over two hundred doctors to select from would be a bit difficult on the
HTML page. As far as monthly maintenance is involved, I would love my
client to pay for this, but unfortunately he wants his staff to do it as far
as possible! So I still have to look at an extremely simple system for
adding, amending records, although I take the point about leaving old
records on file.

>If you are ready to change server platform, you could effectively use *nix
>with apache and .htaccess files. The security model is still "basic" without
>a db, but you can for instance have authentication based on a text file
>with usernames and passwords <snip>. Philippe Jadin

That was my first reaction.

>I would not do this though. If you have the time, look for the security
>model of some other tools. You may find something interesting in either asp,
>php, coldfusion... Or you could use zope (my choice for now) : the security
>model is extremely powerful, and really easy to set up.<snip>

A lot of people seem to be keen on zope, so I think it's time I had a
serious look at it, anyone else had good experiences or problems using this?

Tony Page

      [ZambaGrafix]
   <websites that work>
tel: +61 2 9953 4425
fax: +61 2 9909 8534
email: ajp at zambagrafix.com
http://www.zambagrafix.com
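
Deke's quoted suggestion of large random numbers as file names, sketched in Python as an added example that is not part of the original post or any poster's code. The `UploadSlots` class, the `.dat` suffix, the 128-bit name size and the sample client id are all assumptions made for illustration.

```python
import re
import secrets
from pathlib import Path

TOKEN_BYTES = 16                        # 128 random bits per name (assumed size)
TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # exactly what token_hex(16) produces


class UploadSlots:
    """One unguessable file name per client, all in a single directory."""

    def __init__(self, root):
        self.root = Path(root).resolve()
        self._owner = {}                # token -> client id (hypothetical store)

    def issue(self, client_id):
        # Use the OS CSPRNG: the name is the only secret protecting the file,
        # so a predictable generator such as random.random() would defeat it.
        token = secrets.token_hex(TOKEN_BYTES)
        self._owner[token] = client_id
        return token

    def resolve(self, presented):
        """Return (client id, file path) for a valid name, else None."""
        if not isinstance(presented, str) or not TOKEN_RE.fullmatch(presented):
            return None                 # blocks '../', suffixes, wrong length
        client_id = self._owner.get(presented)
        if client_id is None:
            return None                 # well-formed but never issued
        return client_id, self.root / (presented + ".dat")


def guess_probability(attempts, issued, bits=TOKEN_BYTES * 8):
    """Upper bound on the chance that blind guesses hit any issued name."""
    return min(1.0, attempts * issued / 2 ** bits)


if __name__ == "__main__":
    slots = UploadSlots("uploads")      # constructed sample directory name
    name = slots.issue("doctor-017")    # constructed client id
    print(name, slots.resolve(name))
    print(slots.resolve("../../etc/passwd"))
    # 200 clients (the thread's "over two hundred doctors"), a billion guesses
    print(guess_probability(10 ** 9, 200))
```

The names stay secret only while directory listing is disabled on the upload directory and the links travel over an encrypted channel.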