Davidwarnold
Starting Member
8 Posts
Posted - July 29 2003 : 04:29:03
Security: 1) To help prevent search engines spidering your admin pages, add <META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW"> in between the <head> </head> section of shopadmin_header.htm.
2) I wrote a simple include file that I put at the top of your shopadmin.asp (renamed of course); see below. This carries out two operations: if your internet connection has a fixed IP it checks it and, if OK, does nothing. If the IP is not known, it then checks the header for a password. If correct, it allows you in. However, you only have a set amount of tries over a given time. If you exceed the amount of tries, it locks you out for a while and redirects to a page not found. This makes it appear as if the page no longer exists.
I use this software for two reasons. Although I normally do 'Admin' duties while at the office (fixed IP), I can still work from home using a dynamic IP or check what's going on from any remote location. It prevents hackers from using brute-force password crackers to get into your site.
3) Software note to the VP-ASP programmer. I see optional include files in your software controlled by ASP, also in some Case statements, i.e. Case a: <!-- #include file= A -- >, Case b: <!-- #include file= B -- >, Case c: <!-- #include file= C -- >.
As far as I understand, this does not work, as all include files are included BEFORE any execution of the ASP code?
Does this cause any problems / security problems?
4) Final comment to the VP-ASP designer. You must improve the credit card security section of your software against hackers. You also need to automate deleting and changing file names and locating the database. I got hacked BIG time; it cost the credit card people over £10,000! Security should be inherent in the design without the need to read a big fat manual.
PS Your tech support is second to none - thanks
-----------------

<%
Sub Added_IP_check_security()
    'This will allow MY_IP_NUMBER through OR querystring QNAME=PASSWORD.
    'In this example: www.mysite.com/myshop/adminpageforshop.asp?GetMeIn=Emergency
    'The "?GetMeIn=Emergency" part is only required if your IP is dynamic or not equal to MY_IP_NUMBER.
    Const MY_IP_NUMBER = "12.3453.67.89"                'your fixed IP address - *** Change to fit
    Const TIME_OUT = 3                                  'minutes before the failed-attempt counter resets
    Const MAX_TRIES = 4                                 'failed attempts allowed within TIME_OUT minutes
    Const PASSWORD = "Emergency"                        'case sensitive - *** change
    Const QNAME = "GetMeIn"                             'querystring name that carries the password - *** change
    Const REDIRECT_TO = "http://www.yoursite.com/404"   'looks like a page that no longer exists - *** change

    Dim passwordOK, lockedOut

    'Requests from the fixed IP need no password at all.
    If Request.ServerVariables("REMOTE_ADDR") = MY_IP_NUMBER Then Exit Sub

    passwordOK = (Request.QueryString(QNAME) = PASSWORD)

    'Application variables are shared by every visitor, so serialise the read/modify/write.
    Application.Lock
    If Application("SecurityLastIn") = "" Then Application("SecurityLastIn") = Now()
    If Application("SecurityCount") = "" Then Application("SecurityCount") = 0

    'Once TIME_OUT minutes have passed since the window opened, start counting again.
    If DateDiff("n", Application("SecurityLastIn"), Now()) >= TIME_OUT Then
        Application("SecurityCount") = 0
        Application("SecurityLastIn") = Now()
    End If

    'Only a wrong (or missing) password uses up one of the MAX_TRIES attempts.
    If Not passwordOK Then Application("SecurityCount") = Application("SecurityCount") + 1
    lockedOut = (Application("SecurityCount") >= MAX_TRIES)
    Application.UnLock

    'Locked out, or wrong password: send the visitor to the "page not found" address.
    If lockedOut Or Not passwordOK Then Response.Redirect(REDIRECT_TO)
End Sub

Added_IP_check_security
%>
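The lockout scheme described in the post (fixed-IP allowlist, otherwise a password in the querystring, a limited number of failed tries inside a time window, then a redirect that looks like a missing page), as an added example that is not part of the post or of VP-ASP. It is written in Python so the logic can be exercised offline; the office address, the password, the remote addresses and the timestamps are all constructed for illustration. One design change from the post's include is made deliberately: the ASP `Application` object is shared by every visitor, so the post's single `SecurityCount` is one counter for the whole site, whereas this version keeps one counter per remote address so that failed guesses from one address do not lock out the administrator connecting from another.

```python
"""Added example (not from the forum post or VP-ASP): the post's admin gate as a
testable function, with the failed-attempt counter kept per remote address.

All addresses, passwords and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac

ALLOWED_IP = "203.0.113.10"        # constructed "fixed office IP" (documentation range)
PASSWORD = "Emergency"             # constructed; plays the role of the post's Const PASSWORD
QNAME = "GetMeIn"                  # querystring name that carries the password
TIME_OUT = timedelta(minutes=3)    # window after which the failed-attempt counter resets
MAX_TRIES = 4                      # failed attempts allowed inside one window


@dataclass
class Tracker:
    """Failed-attempt state for one remote address."""
    window_start: datetime
    failures: int = 0


@dataclass
class AdminGate:
    # One tracker per remote address instead of one shared Application("SecurityCount")
    trackers: dict = field(default_factory=dict)

    def check(self, remote_addr: str, query: dict, now: datetime) -> str:
        """Return 'allow' or 'redirect' (the post redirects to a page that looks like a 404)."""
        if remote_addr == ALLOWED_IP:
            return "allow"                       # fixed IP: no password needed

        tracker = self.trackers.get(remote_addr)
        if tracker is None or now - tracker.window_start >= TIME_OUT:
            tracker = Tracker(window_start=now)  # first visit, or the window has expired
            self.trackers[remote_addr] = tracker

        # Constant-time comparison so response timing does not reveal how much of a guess matched
        supplied = query.get(QNAME, "")
        password_ok = hmac.compare_digest(supplied.encode(), PASSWORD.encode())
        if not password_ok:
            tracker.failures += 1                # only wrong/missing passwords use up tries

        if tracker.failures >= MAX_TRIES or not password_ok:
            return "redirect"                    # locked out for the rest of the window, or wrong password
        return "allow"


def demo() -> list:
    """Constructed sequence of requests; returns the gate's decision for each one."""
    gate = AdminGate()
    t0 = datetime(2003, 7, 29, 4, 29)            # constructed timestamp
    decisions = []
    # Four wrong guesses from one remote address, a second apart
    for i in range(4):
        decisions.append(gate.check("198.51.100.7", {QNAME: f"guess{i}"}, t0 + timedelta(seconds=i)))
    # The right password from that same address, still inside the window: locked out
    decisions.append(gate.check("198.51.100.7", {QNAME: PASSWORD}, t0 + timedelta(seconds=10)))
    # The administrator from a different address with the right password: allowed (counter is per address)
    decisions.append(gate.check("198.51.100.22", {QNAME: PASSWORD}, t0 + timedelta(seconds=11)))
    # After TIME_OUT the window resets and the locked address may try again
    decisions.append(gate.check("198.51.100.7", {QNAME: PASSWORD}, t0 + TIME_OUT))
    # The fixed office address needs no password at all
    decisions.append(gate.check(ALLOWED_IP, {}, t0))
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Keying the counter on the remote address is what stops a burst of wrong guesses from one source from denying the administrator access from another; with a single site-wide counter, as in the post's include, any visitor who reaches the lockout threshold locks everyone out until the window expires. The password still travels in the querystring exactly as in the post, so it will appear in web-server access logs; the example keeps that behaviour because it is what the post describes.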