Web Server Security Code
BWETTLAUFER
Web Server Security Code
Jan 18th, 2018 at 2:33am
Hi folks,

I am thinking through some options for my clients, and would love some theoretical feedback.

I have a number of clients that want remote access to our database -- in the past, we've used port forwarding and used sesame_allow.txt to whitelist their IPs.  However, we found some of our clients had ridiculously slow internet connections, and when giving them full access to our database application, they slowed our internal functions to a crawl.  With 40+ clients wanting remote access, that's not going to work going forward.

I'm doing some research on the web server tutorial, which is not something I've done before, so I'm a complete novice here -- it looks like I could set up a simple search and result based page with little effort -- however, I am concerned about data security as I don't want anyone accessing data they shouldn't.  So, my questions are:

1) Internally, we have a user form inside our application that we use to limit access by client numbers, and their user profile ID matches their Sesame login set up on the Server Admin panel.  I see in the tutorial the @login option, and how to store passwords locally, but how do I use that login to limit searches to just records from a specific client number associated with that login? For example, login FF1 is limited to only accessing CltNo 3060;3141;3174.

2) As well, I would love to limit external IP access -- is there a way to validate external IPs through a saved text file such as sesame_allow.txt?

3) Is there a simple way to log failed login attempts, or attempts from unauthorized IP addresses?

4) Lastly, I am not a very skilled web designer or developer (I can use Weebly or WordPress to build HTML things) -- are there any security risks I should be concerned about, or could outside access be forced to pull consumer data from our database through a brute force login attempt, or circumventing the login process?

Thanks guys -- I just need a gentle prod in the right direction so I can start experimenting ...
  
Ray the Reaper
Re: Web Server Security Code
Reply #1 - Jan 18th, 2018 at 4:31pm
I would recommend using the API to program the backend of an actual site instead of the built-in webserver.

This would allow you to do a lookup into a database based on the login to get what client numbers they are allowed to access.

Would also allow you to use a security certificate to better protect your data.

It would require having a server computer that would be a hosting computer running Apache or some other web server, that is accessible to the outside world and also has access to the Server running Sesame server (so that the API can connect to grab data).

-Ray
  

Raymond Yoxall Consulting
ray.yoxall@gmail.com
ryoxall@lantica.com
Sesame Applications, Design and Support
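The per-login lookup suggested in the reply above, combined with the IP allowlist and failed-login logging asked about in the question, as an added example that is not part of the thread and is not Sesame or Lantica code. It does not call the Sesame API: the user table, the records, the allowlist format (one IP or CIDR per line) and all function names are constructed assumptions.

```python
import hashlib, hmac, ipaddress, logging, time
from collections import defaultdict

log = logging.getLogger("portal.auth")

# Constructed sample data (assumptions, not Sesame's formats or API).
ALLOW_TEXT = "203.0.113.0/24\n198.51.100.7\n"  # one IP or CIDR per line
ALLOWED_NETS = [ipaddress.ip_network(s) for s in ALLOW_TEXT.split()]

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

SALT = b"constructed-salt"
USERS = {"FF1": {"salt": SALT, "pw": _hash("correct horse", SALT),
                 "clients": {3060, 3141, 3174}}}
RECORDS = [{"CltNo": 3060, "name": "A"}, {"CltNo": 9999, "name": "B"}]
MAX_FAILS, WINDOW = 5, 900  # 5 failures per login+IP per 15 minutes
_fails = defaultdict(list)

def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def authenticate(login, password, ip, now=None):
    """Return the client numbers this login may read, or None (deny by default)."""
    now = time.time() if now is None else now
    if not ip_allowed(ip):
        log.warning("deny ip=%s login=%r reason=ip_not_allowed", ip, login)
        return None
    recent = _fails[(login, ip)] = [t for t in _fails[(login, ip)] if now - t < WINDOW]
    if len(recent) >= MAX_FAILS:
        log.warning("deny ip=%s login=%r reason=locked_out", ip, login)
        return None
    user = USERS.get(login)
    # Hash even for unknown logins so response time does not reveal valid names.
    digest = _hash(password, user["salt"] if user else b"no-such-user")
    if not (user and hmac.compare_digest(digest, user["pw"])):
        recent.append(now)
        log.warning("deny ip=%s login=%r reason=bad_credentials", ip, login)
        return None
    return user["clients"]

def search(login, password, ip, clt_no, now=None):
    """Return records for clt_no only if the login is authorized for it."""
    allowed = authenticate(login, password, ip, now)
    if allowed is None:
        return []
    if clt_no not in allowed:
        log.warning("deny ip=%s login=%r reason=client_not_permitted clt=%r", ip, login, clt_no)
        return []
    return [r for r in RECORDS if r["CltNo"] == clt_no]
```

The client-number check runs on the server for every search, so a login can never widen its own scope by changing the request.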