Cash reward for a secure PHP page!

Rodolfo J. Paiz rpaiz at simpaticus.com
Sun Nov 7 00:02:40 UTC 2004


Hi, everyone:

A client of mine has an internal website which will use PHP, Apache, and
Fedora. It is served only over HTTPS, specifically for the needs of a
few users, each of whom has a username and password. However, they do
not want to rely on .htaccess files only; they want each page to check
session validity so they can have time-outs and stuff.

Since I do not have the skills to do this, but they are good clients of
mine, I am offering a cash reward (amount negotiable... I was thinking
of US$100...) for code which does this. I will proceed to license this
code under the GPL and publicly post a HOWTO on my site on how to use it
along with the entire code. So anyone who helps me is going to be
helping quite a few other people too.

Here's what my customer wants:

My customer wants PHP code that can be added to each and every page on
the site and which should then:

  1. Check for an established session (by whatever means... a file on
the server or a cookie on the client), and if a session is found then
the content of that page should be displayed.

  2. If a valid session is not found, either because the user has not
logged in or because the session has timed out, then the page should
display only a request for the user's credentials.

  3. If valid credentials are supplied, then the page should reload
(which will display the contents since there is now a valid session).

That is all the functionality required, although of course there are
some additional conditions:

  1. The user's credentials should be stored in some reasonably-secure
and reasonably-scalable fashion. I do not have the knowledge to
determine whether an htaccess file will work well enough or whether
using a database is recommended. There are just over 100 users and *no*
growth is projected. However, note that most content on this site will
be database-driven so adding another table theoretically should not be a
problem.

  2. Their current (and limited!) knowledge is of MySQL although they
are contemplating a move to PostgreSQL. So code which talks to the
database, if any, should be properly abstracted into a separate function
to ease migration headaches.

  3. The code should be clean, clear, well-written, and well-documented,
easy for others to understand and modify. Variables should be clearly
named.

  4. MOST IMPORTANT of all, the code should be "securely written", which
they understand to mean idiot-proof, tamper-proof, and carefully
checking for the possibility of buffer overflows or exploits. After all,
the point is to increase security, and if the code is exploitable they
have less than nothing.

----------

Anyone interested, please contact me off-list! I will select the best
submission offered and negotiate the reward individually. Reward will be
paid if/when submission is adequate to my satisfaction (of course,
nothing will be used without permission and payment).

Hopefully this way someone gets paid to do the entire Linux world a
small favor. If you know anyone not on these lists who might be
interested, forward this email to them please.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>
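The gate described in the post (steps 1 to 3 plus the storage and database-abstraction conditions) can be written as one PHP file that every protected page includes before producing any output. This is an added example, not code from the original post or from any submission to it; it assumes PHP 7.4 or later with the PDO extension, a table `users(username, password_hash)` whose hashes were produced by `password_hash()`, and the constants `SESSION_IDLE_TIMEOUT`, `DB_DSN`, `DB_USER` and `DB_PASS`, all of which are placeholders chosen here:

```php
<?php
// auth_gate.php: include this at the very top of every protected page, before any output.
// Added example, not part of the original post. Assumed: PHP 7.4+ with PDO, a table
// users(username, password_hash) holding password_hash() output, and the constants below.
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 900;   // assumed policy: 15 minutes of inactivity ends the session
const DB_DSN  = 'mysql:host=localhost;dbname=intranet;charset=utf8mb4'; // assumed; use 'pgsql:...' for PostgreSQL
const DB_USER = 'webapp';           // assumed placeholder
const DB_PASS = 'change-me';        // assumed placeholder

// Cookie hardening: HTTPS-only, unreadable by script, not sent on cross-site requests.
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Strict']);
session_start();

/** The only function that talks to the database, so a MySQL-to-PostgreSQL move changes only DB_DSN. */
function fetch_password_hash(string $username): ?string
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements, no string splicing
        ]);
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

/** Compare the supplied password with the stored hash; plaintext is never stored or compared. */
function credentials_valid(string $username, string $password): bool
{
    $hash = fetch_password_hash($username);
    if ($hash === null) {
        // Unknown user: still run one hash computation so response time does not reveal valid usernames.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $hash);
}

/** Step 1: is there a logged-in session that has not idled past the timeout? */
function session_is_valid(): bool
{
    if (empty($_SESSION['username']) || empty($_SESSION['last_seen'])) {
        return false;
    }
    return (time() - (int) $_SESSION['last_seen']) <= SESSION_IDLE_TIMEOUT;
}

/** Step 2: show only the credential form; every dynamic value is HTML-escaped. */
function render_login_form(string $error = ''): void
{
    $csrf = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
    $msg  = $error === '' ? '' : '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    echo "<!DOCTYPE html><html><body>{$msg}<form method=\"post\">"
       . "<input type=\"hidden\" name=\"csrf\" value=\"{$csrf}\">"
       . "<label>Username <input name=\"login_username\" autocomplete=\"username\"></label>"
       . "<label>Password <input type=\"password\" name=\"login_password\" autocomplete=\"current-password\"></label>"
       . "<button type=\"submit\">Log in</button></form></body></html>";
}

// ---- gate logic, runs on every include ----
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));   // per-session token that the login form must echo back
}

if (isset($_POST['login_username'], $_POST['login_password'])) {
    $tokenOk = hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''));
    if ($tokenOk && credentials_valid((string) $_POST['login_username'], (string) $_POST['login_password'])) {
        session_regenerate_id(true);                 // fresh session id on login defeats session fixation
        $_SESSION['username']  = (string) $_POST['login_username'];
        $_SESSION['last_seen'] = time();
        // Step 3: reload the same page as a GET; it now finds a valid session and renders its content.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    render_login_form('Login failed. Please try again.');
    exit;
}

if (!session_is_valid()) {
    // Not logged in or timed out: drop any stale identity, keep the CSRF token, show the form.
    unset($_SESSION['username'], $_SESSION['last_seen']);
    render_login_form();
    exit;
}

$_SESSION['last_seen'] = time();   // sliding idle timeout; the including page now renders normally
```

Each protected page starts with `require __DIR__ . '/auth_gate.php';` and then emits its own content; the gate either lets execution fall through (valid session), prints the form and exits (no or expired session), or processes the posted credentials and redirects. The database work is confined to `fetch_password_hash()`, which uses a parameterised query, so migrating from MySQL to PostgreSQL means changing the DSN rather than touching the pages. The idle timeout is enforced server-side from `last_seen`, so a client cannot extend its own session by editing cookies.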