On Sat, Mar 21, 2009 at 3:56 AM, Floren M. wrote:

> > If what you really want is a web interface to manage the users, simply
> > make (or pay someone to make) a web interface to manage the password
> > files.
> > Problem solved, no waiting for asynchronous mysql interface.
>
> That is not a viable solution, you know it.

It is certainly a viable solution as Manilo indicates.

> Managing sensitive files in a
> web environment is very unsecure, through a web interface.

No more insecure than managing sensitive data through a web interface -
in either case you’ll want SSL on top for any semblance of security.

> Ya, you can
> create a htpasswd file into /etc/nginx dir for example and do a chmod
> 0700/chown nginx on it. Then, it is secure to stick in there your
> usernames/passwords. But to use PHP or other language to manipulate
> sensitive data through a POST that can get sniffed easy by anyone is simply
> insane, IMO.

They can monitor the same POST requests to manage users in the database;
it’s no more secure. As I said above, you’ll want to place SSL on top,
for starters.

> Not to mention that your file has to be editable by anyone in
> order to have your script write information into it…

Not really, it just needs to be editable by the user PHP is running as
(which I can control). Alternatively, the PHP could make requests to
some other service listening on localhost for insertion/removal from the
file.

There’s a million ways to skin a cat; however, personally if I’m gonna
use htpasswd authentication, I just manage it with htpasswd (sometimes
indirectly in bash scripts). Simple machines, for the win!