Better than .htaccess would you use it? - GoFuckYourself.com

modelgigtalent · 03-19-2004, 09:29 AM

If there were an amazing hack proof system that can replace .htaccess for protecting members areas would you buy it?

The reason that I ask is that there is a better way, and a program has been custom written to do it, the next step is to interface it with ccbill and ibill.

What would you pay for it?

AnalProbe · 03-19-2004, 09:31 AM

There are several better ways, my friend.

Use PHP sessions like I do, and all your problems will be solved...

Combine it with HTTPS, and nobody will fuck you over again.

Horny Dude · 03-19-2004, 09:43 AM

Quote:

Originally posted by AnalProbe
There are several better ways, my friend.

Use PHP sessions like I do, and all your problems will be solved...

Combine it with HTTPS, and nobody will fuck you over again.

Got any details on this? Would like to find out more!

AnalProbe · 03-19-2004, 09:48 AM

http://us3.php.net/session

modelgigtalent · 03-19-2004, 09:49 AM

Its better than that, it has way more features.

AnalProbe · 03-19-2004, 09:56 AM

Buy yourself a SSL license and use that only with the login (HTTPS).

After the login you can serve normal HTTP to the IP that signed in rightfully through HTTPS.

Works like a charm for me... for months now.

modelgigtalent · 03-19-2004, 09:57 AM

With this program you dont need to go through all of that, in fact when it is finished I am betting that a big player like iBill or CCBill will want to license it.

Horny Dude · 03-19-2004, 10:01 AM

Quote:

Originally posted by AnalProbe
http://us3.php.net/session

Thanks

Hustler DJ · 03-19-2004, 10:08 AM

Not sure why you're thinking a payment processor would want to license something like that... my hunch: if you're putting a better GUI-based interface on it or adding something to make the process less technical, you might be able to license it to a few n00b paysite webmasters or something. But let's face it, sessioning is good enough, and ain't all that hard...

<br>

Big E · 03-19-2004, 10:38 AM

The only problem with sessions is that the underlying content (images, videos etc) are still accessible. Sessions only protect HTML/PHP files.

Sure, you can put HTTP_REFERER protection in, but we all know how easy it is to spoof referrers.

Fortunately, there's a solution to this.

Addition: SSL is *NOT* the solution. It's very CPI-intensive.. if you're doing ANY kind of traffic, you're going to be bogged down, even if you've got an SSL accelerator card.

modelgigtalent · 03-19-2004, 10:41 AM

So, your saying the php sessions are hack proof?
What I am talking about is a system that prevents hackers from getting into a system such as .htaccess which I am sure 90% of webmasters use.

AnalProbe · 03-19-2004, 11:32 AM

Quote:

Originally posted by Big E
The only problem with sessions is that the underlying content (images, videos etc) are still accessible. Sessions only protect HTML/PHP files.

Sure, you can put HTTP_REFERER protection in, but we all know how easy it is to spoof referrers.

Fortunately, there's a solution to this.

Addition: SSL is *NOT* the solution. It's very CPI-intensive.. if you're doing ANY kind of traffic, you're going to be bogged down, even if you've got an SSL accelerator card.

As I stated before :

You only use the SSL for the login screen...

PHP sessions can be made 100% secure, yes.

Not only HTML files, you can show your pics like pic.php?pic=123

modelgigtalent · 03-19-2004, 01:52 PM

That sounds like a lot of work, I will check it out though.

Big E · 03-19-2004, 03:01 PM

Quote:

Originally posted by AnalProbe

As I stated before :

You only use the SSL for the login screen...

That makes sense.

Quote:

PHP sessions can be made 100% secure, yes.

Not only HTML files, you can show your pics like pic.php?pic=123

True, but that means you've got to have all the graphics files OUTSIDE the DOCUMENT_ROOT directory, and the PHP file needs to load the graphics file and dump it out. Very slow and very inefficient.

There's a different way that doesn't involve having to change all the links - it's "transparent" to the file structure.

latinasojourn · 03-19-2004, 05:05 PM

Quote:

Originally posted by modelgigtalent
With this program you dont need to go through all of that, in fact when it is finished I am betting that a big player like iBill or CCBill will want to license it.

my opinion is that there are some serious security flaws with both ccbill and ibill.

they need to do something and soon. there are forums that tell surfers how to hack into paysites:

notably:

phatforums (and others, mostly russian) if you watch your stats carefully you will see them getting in.

proxypass does not kill it because they are getting in without authentication (i believe)

you cannot block it with simple .htaccess refusals, we need something better right now!

AnalProbe · 03-19-2004, 05:22 PM

Quote:

Originally posted by Big E

True, but that means you've got to have all the graphics files OUTSIDE the DOCUMENT_ROOT directory, and the PHP file needs to load the graphics file and dump it out. Very slow and very inefficient.

You haven't even tried it. You sound hypothethical.

I let PHP handle ALL http (html + php files) and use Zend Optimizer.

Quote:

There's a different way that doesn't involve having to change all the links - it's "transparent" to the file structure.

Are you lazy ?

You sound like you want to keep everything as it is, and some magic stick will help you out.

Believe me, I've tried all the other options, like JSP, Kernel hacks, A custom Apache module, and PHP sessions + SSL, and guess : this works.

Now get of your lazy butt and pay a good coder to take care.

03-19-2004, 09:29 AM	#1
modelgigtalent Confirmed User Join Date: May 2003 Location: Sin Sity - Hit me here! ICQ: 165829688 Posts: 2,208	Better than .htaccess would you use it? If there were an amazing hack proof system that can replace .htaccess for protecting members areas would you buy it? The reason that I ask is that there is a better way, and a program has been custom written to do it, the next step is to interface it with ccbill and ibill. What would you pay for it? __________________ Web marketing - video editing - color correcting and more. ICQ -165829688

03-19-2004, 09:31 AM	#2
AnalProbe pain in the Ass Industry Role: Join Date: Jan 2004 Posts: 3,727	There are several better ways, my friend. Use PHP sessions like I do, and all your problems will be solved... Combine it with HTTPS, and nobody will fuck you over again. Last edited by AnalProbe; 03-19-2004 at 09:37 AM..

03-19-2004, 09:49 AM	#5
modelgigtalent Confirmed User Join Date: May 2003 Location: Sin Sity - Hit me here! ICQ: 165829688 Posts: 2,208	Its better than that, it has way more features. __________________ Web marketing - video editing - color correcting and more. ICQ -165829688

03-19-2004, 09:57 AM	#7
modelgigtalent Confirmed User Join Date: May 2003 Location: Sin Sity - Hit me here! ICQ: 165829688 Posts: 2,208	With this program you dont need to go through all of that, in fact when it is finished I am betting that a big player like iBill or CCBill will want to license it. __________________ Web marketing - video editing - color correcting and more. ICQ -165829688

03-19-2004, 10:08 AM	#9
Hustler DJ Confirmed User Join Date: Sep 2003 Location: El Lay, Sea Yay Posts: 469	Not sure why you're thinking a payment processor would want to license something like that... my hunch: if you're putting a better GUI-based interface on it or adding something to make the process less technical, you might be able to license it to a few n00b paysite webmasters or something. But let's face it, sessioning is good enough, and ain't all that hard... <br> __________________ Darren - Sales/Marketing Guy -- FlyntDigital/HustlerContent ICQ: 2907527

03-19-2004, 09:48 AM	#4
AnalProbe pain in the Ass Industry Role: Join Date: Jan 2004 Posts: 3,727	http://us3.php.net/session

03-19-2004, 09:56 AM	#6
AnalProbe pain in the Ass Industry Role: Join Date: Jan 2004 Posts: 3,727	Buy yourself a SSL license and use that only with the login (HTTPS). After the login you can serve normal HTTP to the IP that signed in rightfully through HTTPS. Works like a charm for me... for months now.

03-19-2004, 10:38 AM	#10
Big E Registered User Industry Role: Join Date: Mar 2002 Location: San Diego, CA Posts: 935	The only problem with sessions is that the underlying content (images, videos etc) are still accessible. Sessions only protect HTML/PHP files. Sure, you can put HTTP_REFERER protection in, but we all know how easy it is to spoof referrers. Fortunately, there's a solution to this. Addition: SSL is NOT the solution. It's very CPI-intensive.. if you're doing ANY kind of traffic, you're going to be bogged down, even if you've got an SSL accelerator card.

03-19-2004, 10:41 AM	#11
modelgigtalent Confirmed User Join Date: May 2003 Location: Sin Sity - Hit me here! ICQ: 165829688 Posts: 2,208	So, your saying the php sessions are hack proof? What I am talking about is a system that prevents hackers from getting into a system such as .htaccess which I am sure 90% of webmasters use. __________________ Web marketing - video editing - color correcting and more. ICQ -165829688

03-19-2004, 01:52 PM	#13
modelgigtalent Confirmed User Join Date: May 2003 Location: Sin Sity - Hit me here! ICQ: 165829688 Posts: 2,208	That sounds like a lot of work, I will check it out though. __________________ Web marketing - video editing - color correcting and more. ICQ -165829688