Applied Login Security
page 2 of 6
by Tim Musschoot

Security Implementations

Everybody with some experience in the software business knows there is no absolute security. The most secure computer is the one in a bunker about 500m below the earth's surface, with no connection to the outside world. However, that is not a practical solution for a computer that needs to run a web-based application.

So does this mean you cannot prevent unauthorized access? Yes and no. You cannot prevent it 100%, but you can seriously discourage people from trying.

 

Basic security: Login screen

In order to secure your web application, you need a way to control who has access to the site and who has not. Simply telling people they are not allowed in does not work! Access is controlled by identifying the user. Once you know who the user is, you can decide whether he has access or not. In practice this is done through a login. The user needs a login name that uniquely identifies him, and a password only he can know, to prove he really is the user he claims to be. If you apply a login, together with a mechanism that makes this login the only access point to your application, you are half way there.

 

User management

Once you have a login screen and an application to secure, you need a way to tell who has access and who has not. In practice, the most common technique is to record who has access; everyone else does not. Unless you want to maintain a list of everybody in the world who does not have access... but feel free to try, you would surely have a scoop with your system!

There are many ways to maintain a list of authorized users. The most common techniques are user databases and Windows-based authentication (using the authorized user list of a Windows host). Because Windows-based authentication depends on the Windows user administration, this option will not be discussed in this paper.

In the next paragraphs, managing users through a database will be reviewed.

Database based login mechanisms


A login system based on a user database is very easy to create. You need a database containing a list of user names and passwords, and a login screen. When the user has entered his credentials, you validate them against the database. If the user is in the database, he can access the system; otherwise, he cannot. Because of its simplicity, this is the most commonly used login system.
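As an added example (not code from the article, which targets ASP), the following Python sketch shows the database login check just described: a constructed in-memory SQLite user table, a validation function that looks the user up with a parameterised query, and passwords stored as salted PBKDF2 hashes rather than in clear text, which is how a practitioner would keep the "list of user names and passwords" today. The table layout, function names and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example: an in-memory SQLite table stands in for the article's
# "database containing a list of user names and passwords".
PBKDF2_ITERATIONS = 200_000


def create_user_table(conn: sqlite3.Connection) -> None:
    # Only a salt and a password hash are stored; the clear-text password never is.
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so that a stolen table does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def validate_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The submitted login name is bound as a query parameter, never spliced into the SQL text.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Unknown user: still perform one hash so the response time does not
        # reveal whether the login name exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    create_user_table(conn)
    add_user(conn, "alice", "correct horse")  # constructed sample user
    return {
        "valid": validate_login(conn, "alice", "correct horse"),
        "wrong_password": validate_login(conn, "alice", "wrong"),
        "unknown_user": validate_login(conn, "mallory", "correct horse"),
    }
```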


When you look around on the internet, you find a lot of sites providing a login system. Most sites do indeed manage their users through a database. However, a lot of sites (I'd say 70%-80%) are not created by security professionals. The people who create the login may well know how to build it, but they are unaware of the methods used to 'hack' these systems. And as always, people who want to get around certain restrictions are one step ahead of the people installing them.


User Comments

Title: web-based login security
Name: nikunj patel
Date: 2009-08-16 11:29:27 AM
Comment:
Can you put up the full information about web-based login security, because I really want to know about all of this topic.
Title: great   
Name: Shiv Kumar
Date: 2008-08-11 4:34:18 AM
Comment:
Really helpful.
Title: help me   
Name: noha
Date: 2006-03-09 5:02:47 AM
Comment:
Hi, I programmed and designed pages with ASP and used the session for security, but I have a problem: the session disappears.
When I pass the session across multiple pages, the session becomes null.
Title: Excellent   
Name: Amit
Date: 2005-12-10 2:43:27 AM
Comment:
Another good one, keep them coming.
Title: good   
Name: john
Date: 2005-09-19 9:23:06 PM
Comment:
Very helpful to the beginner.
Title: Good Stuff   
Name: Nicholas
Date: 2005-06-27 3:20:55 AM
Comment:
Great Article! Keep writing
Title: security topics   
Name: srinivas
Date: 2005-05-01 1:53:45 AM
Comment:
Very good
Title: impressed   
Name: rudra
Date: 2004-06-18 4:02:13 PM
Comment:
Hi Tim,

I love your article; it's great, you cannot find this in books. I am highly impressed with your article.
Thanks, keep writing these types of articles. Can you suggest a book on ASP.NET security? You can mail me at this address: rudra_mah@rediffmail.com.
Bye
©Copyright 1998-2024 ASPAlliance.com