Ian Skinner wrote:

> What is Secure: This is going to be a Commercial, Paid, Membership Only
> type site. What I want is enough security to reasonably protect our paid
> content from too easy swiping as well as user abuses such as sharing logins
> with other un-paid members. Also, what are some other user abuses of which
> I may not have considered?

Users not sharing the logins but the content they download from your site?
If your content is documents/images, have you looked into watermarks?

> What is Digest Authentication? That is a new term to me.

RFC 2617, it is basically a beefed up version of Basic Security, supported
by all recent browsers (IE 5+, Netscape 6+, Opera 6+).

> Smartcards? What are Smartcards in this context? I don't think I have one?
> Is this something the general consumer is going to have, or more of a
> corporate ID/Security type thing?

It is usually a corporate thing (RSA sells some nice products) for
high-security environments, but most users have one (without realizing it)
because every mobile phone has a built-in smartcard. It is a bit of a pain to
access them unless you buy some SMS based throwaway password system from a
third party. Also, banks sometimes have smartcards and function as a TTP for
their customers.

> Single use passwords are probably not the way to go for the entire site, but
> we may use it for a one time preview type thing. We are trying to sell this
> service, and that sounds like it would turn away customers, but let me hear
> if anybody feels otherwise.

It can be an inconvenience. But sometimes the added security is worth it.

> Luckily the security requirements are pretty simple. We are only going to
> have two kinds of users, Trial and Paid. A paid user has access to the
> entire site for one year. The Trial user would have access to one section
> of the site of his choosing for a certain period of time (one day, week,
> month) yet to be determined. For the trial user, I was planning on using
> one time usernames/passwords automatically generated and mailed to an e-mail
> account. One time per e-mail account only. Now, if somebody really wanted
> to, they could get e-mail account after e-mail account and eventually gain
> access to the entire site, at least for a short time. But at only 10 to 15
> dollars a year for membership, it's their time they're wasting.

For this an SMS system would be nice. Switching phones is more expensive than
switching email addresses.

> When determining how long to set the session expiration, can some of you
> provide some experience on what a good length is that balances usability
> with security? I could easily just pick a number (5, 10, 20 minutes). But
> I have no real reason to pick one over the other.

Depends on the content. For 200 page legal documents, 5 minutes might be a
little short :-)

> Thanks for the suggestion of using the Hash() function. I had forgotten
> that one. As I understand your comments, there is no way to ever unhash
> the string. So, for a lost password function, I would have to assign and/or
> require a replacement, correct? There would be no way to send the old one.

Correct.

> If I don't provide a remember-me function, what are some opinions on how
> this may affect the usability of the site from the consumer's point of view?

They won't mind. They will just use the remember password functionality from
their browser.

> Are there any issues or concerns I may not know about using Application.cfm
> for security validation? Are there any known hacks to bypass the running of
> this file and getting directly to the content pages?

Just remember it only runs for .cfm pages.

Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
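An added illustration of the last point in Jochem's reply, not code from the thread or from either poster: Application.cfm is executed only for requests that ColdFusion handles, so a PDF or image left under the web root is served by the web server directly and never sees the login check. The sketch below (the `paidSite` application name, the 20-minute idle timeout, the `login.cfm`/`download.cfm` file names, the document table and the `D:\paidcontent\` path are all assumptions made for this example) keeps paid files outside the web root and streams them through a .cfm page that the check covers, and shows where the session timeout Ian asked about is set.

```cfml
<!--- Application.cfm (constructed example; names and paths are assumptions) --->
<!--- Runs before every .cfm request in this directory tree. It does NOT run
      for static files, so paid content must live outside the web root and be
      served through a .cfm page such as download.cfm below. --->
<!--- 20 minutes idle is an assumed starting point; tune it to how long a
      member spends reading one page of your content. --->
<cfapplication name="paidSite"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<cfparam name="session.memberId" default="0">

<!--- login.cfm is the only page reachable without an authenticated session --->
<cfif session.memberId EQ 0 AND ListLast(CGI.SCRIPT_NAME, "/") NEQ "login.cfm">
  <cflocation url="login.cfm" addtoken="No">
</cfif>


<!--- download.cfm (constructed example) --->
<!--- Because this is a .cfm page, Application.cfm above has already confirmed
      the session. Clients ask for a document id, never a file name or path,
      so the directory outside the web root cannot be browsed or traversed. --->
<cfparam name="url.id" type="integer">

<!--- Hypothetical document table; a real site would look this up with <cfquery> --->
<cfset docs = StructNew()>
<cfset docs["1"] = "members-guide.pdf">
<cfset docs["2"] = "legal-brief.pdf">

<cfif NOT StructKeyExists(docs, url.id)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>

<!--- D:\paidcontent\ is an assumed directory that the web server does not expose --->
<cfset fileName = docs[url.id]>
<cfset fullPath = "D:\paidcontent\" & fileName>

<cfheader name="Content-Disposition" value="attachment; filename=""#fileName#""">
<cfcontent type="application/pdf" file="#fullPath#" deletefile="No">
```

Pages linking to a document then point at `download.cfm?id=1` rather than at the file itself; an unauthenticated request for that URL is redirected to `login.cfm` by Application.cfm, and a request for an id that is not in the table gets a 404 rather than an error page that reveals the file layout.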