Re: clients editing information w/o authentication--advice needed
From: Bosconian (bosconian_at_planetx.com)
Date: 11/02/04
- Next message: Bob Apar: "Re: Looking for PHP library to develop windows like apps through the web - is there one?"
- Previous message: TJ Talluto: "Re: curl: posting form variables results in redirection"
- Next in thread: Gordon Burditt: "Re: clients editing information w/o authentication--advice needed"
- Reply: Gordon Burditt: "Re: clients editing information w/o authentication--advice needed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 02 Nov 2004 01:18:10 GMT
Thanks for your replies.
I completely concur that username/password authentication is the way to go.
SSL, while the most secure, is not essential since there's no confidential
or financial information being stored or shared.
I will "push back" with the client and tell them they'd be better off
continuing to edit the information themselves without implementing proper
authentication (albeit sans SSL).
<Michael Vilain <vilain@spamcop.net>> wrote in message
news:vilain-2DD758.23172629102004@news.giganews.com...
> In article <%CEgd.332796$3l3.106562@attbi_s03>,
> "Bosconian" <bosconian@planetx.com> wrote:
>
> > I have a client that provides a list of companies on their web site (powered
> > by PHP/MySQL). These companies advertise their services to visitors. The
> > company information has been maintained exclusively by the client, but now
> > they would like to provide a way for the companies to update their own
> > information.
> >
> > Can someone suggest a reasonably secure method to allow the companies to
> > edit their own information without a login and authentication procedure? One
> > idea is to provide each customer a URL which includes an encrypted token.
> > The token could be generated using a unique piece of data like an email
> > address or telephone number. It could be decrypted serverside and validated.
> > I've done something similar for other clients on a tight budget and it
> > worked well, but am wondering if there's a better approach without adding
> > full-fledged authentication.
> >
> > All comments/suggestions are appreciated.
>
> Allowing only a specific IP address to access and change a page is about
> the closest you'll get to any sort of unique access. It's not very
> secure and I think any sort of proxy server in between the client and
> the server won't correctly send the IP address. This is the nature of
> stateless client/server systems.
>
> I'd push back with this client and point out the benefits of some sort
> of authentication with usernames and passwords. Add a SSL certificate
> and it will be even more secure. You're essentially being asked to
> build a car without any sort of internal combustion engine.
>
> --
> DeeDee, don't press that button! DeeDee! NO! Dee...
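Editor's note, added to this archived thread and not part of either poster's message: the original question proposes mailing each company a URL containing an "encrypted token" derived from its email address or phone number. The construction below shows how a practitioner would do the same thing today: instead of encrypting a guessable datum (which any other company could work out and try), the server signs the company id plus an expiry with an HMAC under a server-side key, and verifies with a constant-time compare. A per-company token_version lets the site owner kill every link a company has been sent if one leaks. The company table, key handling and URLs are constructed for the example; the site in the thread ran PHP, where hash_hmac() and hash_equals() give the same primitives.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret. Generated fresh here so the demo runs stand-alone;
# in a real deployment it is created once and kept in config, never stored
# beside the rows it protects and never derived from customer data.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the companies table. token_version lets the site
# owner invalidate every link a company has been sent without rotating the key.
COMPANIES = {
    42: {"name": "Acme Plumbing", "token_version": 1},
    7: {"name": "Bolt Electrical", "token_version": 1},
}


def _mac(company_id: int, version: int, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over exactly the fields the server later checks, URL-safe base64."""
    msg = f"{company_id}:{version}:{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_edit_link(company_id: int, base_url: str, ttl_seconds: int,
                   now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Build the edit URL to e-mail to one company."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    version = COMPANIES[company_id]["token_version"]
    params = {"c": company_id, "e": expires,
              "t": _mac(company_id, version, expires, key)}
    return f"{base_url}?{urlencode(params)}"


def verify_edit_link(url: str, now: Optional[int] = None,
                     key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the company id the link grants edit access to, or None if invalid."""
    qs = parse_qs(urlparse(url).query)
    try:
        company_id = int(qs["c"][0])
        expires = int(qs["e"][0])
        token = qs["t"][0]
    except (KeyError, ValueError):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    company = COMPANIES.get(company_id)
    if company is None:
        return None
    expected = _mac(company_id, company["token_version"], expires, key)
    # Constant-time comparison; a plain == would leak how much of the
    # token matched through response timing.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return company_id


def revoke_links(company_id: int) -> None:
    """Invalidate every outstanding link for one company (e.g. after a leak)."""
    COMPANIES[company_id]["token_version"] += 1


if __name__ == "__main__":
    link = make_edit_link(42, "https://example.invalid/edit.php", 7 * 86400)
    print(link)
    print("grants edit access to company:", verify_edit_link(link))
```

Two caveats the thread's SSL discussion bears on: the link is a bearer credential, so whoever holds it can edit, and unlike a password it is pushed into server logs, browser history and Referer headers every time the edit page is loaded. Keep the lifetime short, have the edit form POST changes rather than put them in the URL, and treat a forwarded or leaked link like a leaked password: call revoke_links() and send a fresh one.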