Login button on a public web site


IFRs (Programmer, US), Mar 28, 2003
I'm new here, so please direct me to the proper forum if this is not it!!

I want to have a "Login" button on a self-hosted public corporate (400M sales) web site. Our IT department is saying "no" because of the security risk. The login was to be for customers to find details of their jobs and for employees to get product information. I see lots of web sites with "Login" buttons - what's the big deal? How much does it cost to get a "secure" semi-public area? What would the hardware / software be?
 
There are a wide variety of ways to make a "Login" button on a website, with varying levels of security. I assume you want to have the user input something like username and password, then click to log in. I would say you need to send the login data through a secured connection (https), to a server side page that could then validate that the client is who they say they are by comparing with a database. There is much more about this subject than can be covered in a simple post, but suffice to say it can be done with at least a moderate level of security. There is a security risk associated any time you send information over the internet or connect other computer/databases to it, but that shouldn't be a reason not to do anything, I would think. Talk to your IT people more to find out how your site in particular works, and how to best minimize the security risk. Do some searching on Google for "securing remote login", "using ssl", and "encryption methods" to find more.


"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do, it blows away your whole leg."
- Bjarne Stroustrup
 
karsh44 - thanks for your input. Unfortunately, I'm at odds with my IT department on this one. They are hosting our website and are terrified of hackers. They claim that security will cost $30,000 and then give me grief for wasting their time evaluating the possibilities. So, I'm casting about looking for solutions and suggestions, perhaps examples and testimony. I have no interest in "showing them up" but if I'm getting bullied I'd like to know.
 
I'm afraid that specifics and pricing are getting beyond my (limited) expertise on this subject. Since the security forum here is kind of quiet, I would recommend posting your question in . They have some good people who may be able to help more. If you cross post to other forums though, I would recommend putting more information in your question, i.e. what OS and web server you use, how you are storing the data the users will be accessing (is it in a database, or in personalized web pages, or something else) and just how you'd like the "login" page and button to work. Sorry I can't help more, but I don't want to give definitive answers I'm not qualified to give. Hope some of this will help.
(but strictly off the record, I think your IT people are overreacting. Did they say how they got that $30000 figure?)


"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do, it blows away your whole leg."
- Bjarne Stroustrup
 
I haven't seen it mentioned, so I'll toss in my 2 cents.

If the site runs with Internet Explorer, you can run IE in Kiosk Mode. You do this with the command line switch "-k" when starting IE. The command line would look something like...
Code:
   iexplore -k "D:\somedir\somepage.htm"
This actually locks down a lot of the IE features that would allow a "hacker" type to do nefarious things. Menus are gone, buttons are gone, certain command keys stop working. You would have to design and code the site to not allow avenues out of the site (i.e. jump to a Google search or other unsecured site).

An Alt-F4 does still kill IE, so you may need to use a keyboard on the Kiosk that doesn't have function keys and certain control keys. Some kiosks have an abbreviated keyboard accessible to the public, and a full keyboard for maintenance in a locked back or side panel.

I believe Microsoft.com has some more information on setting up kiosks like this.

You could also use psychological deterrents. Something like a dummy video camera in a painfully obvious location pointed right at the kiosk will cut down on a lot of "playing". Or, a real video camera in plain sight if there's real customer information at risk.

This whole setup is pretty cheap and easy to test. You could design a simple login page that only opens up to one that says "You Got It!". Then get some masking tape and mask off the entire top function key row and the Ctrl, Alt, and Windows icon buttons (plus any other control or menu buttons). This eliminates the ones that wouldn't be available on the kiosk keyboard you're going to get. Then, run the demo page in IE in kiosk mode and let them try to hack into it.

Just do a Google search for "kiosk keyboard" and you'll find tons of keyboards and other items designed for this kind of use. You can even have no physical keyboard, but just a virtual one on screen.

The bottom line, you don't want to just park a PC in a public spot and hope it's not molested. BUT, just adding a few easily available things to it, plus some intelligent site design, you can have a very secure kiosk set up.

Hope this helps.

 
How many "unique" access IDs are you looking at? It is not too difficult to restrict pages with a login using a basic Access database and ASP. See the FrontPage and ASP forum FAQs for some details and insight on this.

Granted it is not the most secure and won't keep a determined hacker out, but it works to keep project data for customers separate.
 
If you decide the database/ASP page is secure enough (and if your IT people are so paranoid, they will definitely say it is not), don't use Access for the database if possible. It is the least secure of the database programs.

"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do, it blows away your whole leg."
- Bjarne Stroustrup
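The server-side check karsh44 describes (validate the submitted credentials against a database) and the database/ASP caveat just above, as an added Python example that is not code from this thread or from Tek-Tips. It assumes an in-memory SQLite table standing in for the site's customer/employee database, stores salted PBKDF2 hashes rather than passwords, and leaves HTTPS to the web server.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # work factor; raise it as the server hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the database never holds the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per account
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: a quote or SQL fragment in the username is data, not SQL
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs as much time as a wrong password
        hash_password(password, os.urandom(16))
        return False
    salt, stored = row
    # Constant-time comparison of the two digests
    return hmac.compare_digest(hash_password(password, salt), stored)


def make_demo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the site's user database (hypothetical schema)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    add_user(conn, "customer42", "correct horse battery staple")  # constructed sample account
    add_user(conn, "o'brien", "another sample password")          # name with a quote in it
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(verify_login(db, "customer42", "correct horse battery staple"))  # True
    print(verify_login(db, "customer42", "guess"))                         # False
    print(verify_login(db, "o'brien", "another sample password"))          # True
    print(verify_login(db, "nobody", "guess"))                             # False
```

The same structure applies whatever the database behind it is; the point is that the page never compares plaintext and never builds SQL from user input by string concatenation.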
 