Stas Bekman > DocSet-0.19 > Protecting

Download:
DocSet-0.19.tar.gz

Annotate this POD

View/Report Bugs
Source  

NAME ^

Protecting Your Site

Description ^

Securing your site should be your first priority, because of the consequences a break-in might have. We discuss the various authentication and authorization techniques available, a very interesting use of mod_perl.

The Importance of Your site's Security ^

Let's face it, your site or service can easily become a target for Internet "terrorists". It can be because of something you said, the success of your site, or for no obvious reason whatever. If your site security is compromised, all your data can be deleted or important information can be stolen. You may risk legal action or the sack if this happens.

Your site can be paralyzed through a _simple_ denial of service (DoS) attack.

Whatever you do, as long as you are connected to the network your site will be vulnerable. Cut the connections, turn off your machine and put it into a safe. Now it is protected--but useless.

So what can you do?

Let's first get acquainted with some security related terminology:

Authentication

When you want to make sure that a user is who he claims to be, you generally ask her for a username and a password. Once you have both, you can check them against your database of username/password pairs. If they match, the user has passed the Authentication stage. From now on if you keep the session open all you need to do is to remember the username.

Authorization

You might want to allow user foo to have access to some resource, but restrict her from accessing another resource, which in turn is accessible only for user bar. The process of checking access rights is called Authorization. For Authorization all you need is an authenticated username or some other attribute which you can authorize against. For example, you can authorize against IP number, allowing only your local users to use some service. But be warned that IP numbers or session_ids can be spoofed (forged), and that is why you should not do Authorization without Authentication.

Actually you've been familiar with both these concepts for a while.

When you telnet to your account on some machine you go through a login process (Authentication).

When you try to read some file from your file systems, the kernel checks the permissions on this file (Authorization). You may hear about Access control which is another name for the same thing.

Maintainers ^

Maintainer is the person(s) you should contact with updates, corrections and patches.

Authors ^

Only the major authors are listed above. For contributors see the Changes file.

syntax highlighting: