From: tedd on 12 Sep 2010 12:32

Hi gang:

I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)

In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever, including checking to see if the boss is logged on or not. No access whatsoever!

Normally, I would just set up a field in the database and have that set to "yes" or "no" as to whether the employees could access the database or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!

I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state, allowing employees undesired access. That would not be acceptable.

So, what methods would you suggest?

Cheers,

tedd

--
-------
http://sperling.com/
From: Joshua Kehn on 12 Sep 2010 12:37

Tedd-

Would he consider access to another database? I.e. a separate, say memcached, db which stores the "boss" status?

An issue with the temporary file would also be session length: if the session expires without the user explicitly logging off, the file wouldn't be removed. A way to bypass this would be to add some sort of session expiration header to the file and update that.

And couldn't you make a simple check if the boss is logged in or not by the ability to access the database?

Regards,

-Josh
____________________________________
Joshua Kehn | Josh.Kehn(a)gmail.com
http://joshuakehn.com

On Sep 12, 2010, at 12:32 PM, tedd wrote:

> Hi gang:
>
> I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)
>
> In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever including checking to see if the boss is logged on, or not. No access whatsoever!
>
> Normally, I would just set up a field in the database and have that set to "yes" or "no" as to if the employees could access the database, or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!
>
> I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state allowing employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
From: Ashley Sheridan on 12 Sep 2010 12:37

On Sun, 2010-09-12 at 12:32 -0400, tedd wrote:

> Hi gang:
>
> I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)
>
> In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever including checking to see if the boss is logged on, or not. No access whatsoever!
>
> Normally, I would just set up a field in the database and have that set to "yes" or "no" as to if the employees could access the database, or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!
>
> I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state allowing employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/

What about using the timestamp of that file as well? Then have the boss's login update the file periodically, and the employees can only access if the file exists and is of a certain age or newer. That should solve the easiest problem, although you still are left with the issue of the boss...

Thanks,
Ash
http://www.ashleysheridan.co.uk
From: Per Jessen on 12 Sep 2010 12:50

tedd wrote:

> Hi gang:
>
> I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)
>
> In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever including checking to see if the boss is logged on, or not. No access whatsoever!
>
> Normally, I would just set up a field in the database and have that set to "yes" or "no" as to if the employees could access the database, or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!
>
> I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state allowing employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?

I would ask the boss to confirm his presence maybe once an hour and only allow employees access when the last such confirmation is less than an hour old.

--
Per Jessen, Zürich (21.4°C)
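The heartbeat-file gate that Ashley and Per describe above, written out as an added PHP example (not code posted in this thread). The file path, the five-minute window and the function names are assumptions; the point is that the employee code path decides on the file's mtime alone and never touches the business database when the boss is absent or forgot to log off.

```php
<?php
// Added example, not from the thread. Path and TTL are assumed values.
declare(strict_types=1);

const BOSS_HEARTBEAT = '/var/lib/app/boss_online'; // kept outside the web root
const HEARTBEAT_TTL  = 300;                        // seconds of silence before access closes

/** Run on every request made inside the boss's authenticated session. */
function recordBossHeartbeat(string $file = BOSS_HEARTBEAT): void
{
    // touch() creates the file if missing and sets its mtime to "now".
    if (!touch($file)) {
        throw new RuntimeException('cannot update boss heartbeat file');
    }
}

/** Run on an explicit logout so access closes at once instead of after the TTL. */
function clearBossHeartbeat(string $file = BOSS_HEARTBEAT): void
{
    if (is_file($file)) {
        unlink($file);
    }
}

/** True only while the heartbeat file exists and is fresher than the TTL. */
function bossIsPresent(string $file = BOSS_HEARTBEAT, int $ttl = HEARTBEAT_TTL, ?int $now = null): bool
{
    clearstatcache(true, $file);     // never decide on a cached stat() result
    $mtime = @filemtime($file);
    if ($mtime === false) {
        return false;                // no file: the boss never logged in, or logged out
    }
    $now ??= time();
    // An mtime in the future (clock skew or tampering) counts as stale, not fresh.
    return $mtime <= $now && ($now - $mtime) < $ttl;
}

/** Gate every employee entry point with this before opening the DB connection. */
function requireBossPresent(): void
{
    if (!bossIsPresent()) {
        // This branch opens no database connection at all, per the requirement.
        http_response_code(403);
        exit('Access is closed at this time.');
    }
}
```

A session that simply expires, or a browser that is closed without logging off, stops refreshing the file, so access ends on its own once the TTL passes; that is the failure mode tedd raised with a plain "yes"/"no" flag file.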
From: Tamara Temple on 12 Sep 2010 17:05

Sounds like there are some security concerns here.

On Sep 12, 2010, at 11:32 AM, tedd wrote:

> I have a client who wants his employees' access to their online business database restricted to only times when he is logged on. (Don't ask why)

I do wonder why, though. Perhaps this is an opportunity to educate someone about security and privacy and web applications?

Does he feel that by being logged in, he can control every aspect of connection to the data base? Or even be aware of every access to the data base? What is he hoping to accomplish by being logged in? Does he propose to actively monitor the data base transactions in real time while he's at work? What is he hoping to avoid by requiring his logged in state before anyone else can access the data base?

Just being logged in won't dissuade a cracker from attacking his data if they so choose, nor will it prevent a disgruntled employee from damaging the data while he's logged in if they have the expertise and means.

Also, what happens when he's sick or incapacitated some day and can't log in to the data base? Does he expect his business to continue without his presence, or does it also shut down for the day?

This just seems like an excessive amount of paranoia that his solution won't provide an answer for. It seems like a poor business decision on his part.

> In other words, when the boss is not logged on, then his employees cannot access the business database in any fashion whatsoever including checking to see if the boss is logged on, or not. No access whatsoever!

What about access to the web application while he's not logged in? Do they still have that? If someone is determined, they can still learn a lot.

> Normally, I would just set up a field in the database and have that set to "yes" or "no" as to if the employees could access the database, or not. But in this case, the boss does not want even that type of access to the database permitted. Repeat -- No access whatsoever!
>
> I was thinking of the boss' script writing to a file that accomplished the "yes" or "no" thing, but if the boss did not log off properly then the file would remain in the "yes" state allowing employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?

What about access to a parallel data base that only contains information pertaining to access? I.e. separate out the application's authentication and access control from the main data base and put it in a parallel data base.