[Ldsoss] Scout Tracking - security

Mac Newbold mac at macnewbold.com
Wed Aug 23 01:49:50 EDT 2006


Today at 11:07pm, Oscar Schultz said:

> The app should support winxx, mac, unix, linux and text (if possible). The app
> also must scale from localhost to intranet to internet. The app must also
> scale from a few users up to several hundred or more concurrent users.
> Security of data is more important than speed or user ease of use. The app
> should also require the minimum software installs on the user's machine and
> add no additional security risks for the users.
>
> As I have reviewed the various requirements and options basing app on the web
> is the best option I see. Feel free to make your suggestions.

I 100% agree with that conclusion. I'm glad I'm not the only one who feels 
that way.

> That leaves php or perl unless someone knows some really cool c and c++
> tricks.

For a web-based application, PHP is far ahead of perl.

> That still leaves the problem of how to secure the app and make some of the
> user information persistent - no one wants to enter their userid and password
> on every form. Cookies and hidden data fields seem to be the only real
> option. What are the other options? I have considered having one user enter
> the data and a second confirm the data. Right now cookies still look like the
> best option.

I would highly recommend using PHP Sessions for this. They're incredibly 
easy to use, easier to secure, and very widely used for this purpose. 
They're based on cookies underneath, but PHP takes care of all the details 
for you.

I do PHP+MySQL development day in and day out, and have been doing so for 
several years now, so if I can be of any assistance in finding good 
solutions to the problems you'll run into, please let me know.

>> The key is that if you don't *really* have to be web-accessible, then
>> don't.

I think this is one case where web-accessible makes the most sense. By a 
landslide in my opinion.

People have brought up several desirable qualities: all leaders and 
parents can get at the data at any time, data stays when scoutmaster 
leaves, and many others. Those alone are just screaming for a web-based 
application. Anything installed on the scoutmaster's computer is 
automatically out, cause it doesn't meet those requirements. Something 
installed on the ward computer _could_ meet those, but not the "at any 
time" part, and definitely not easily due to many demands on that one. Not 
to mention that church policy might not like random third-party apps, and 
random scout parents, on a computer that is supposed to be kept as secure 
as possible.

Despite all the security concerns that have been expressed, a web 
application is the best way to solve this problem. Is it a perfect 
solution? No, but neither is anything else, and it comes closer than all 
the rest to meeting all the requirements/desires.

As was stated so nicely, let the more security conscious people fork if 
they want, but if you build it, they will come. If the system is good and 
useful and reasonably secure, it will draw plenty of interest and support. 
We can't let ourselves be unreasonably held hostage by security fears. The 
benefits and the risks must be weighed and a balance found between the 
paranoid and the security-ignorant solutions.

Keep up the great work, Oscar!

Thanks,
Mac

--
Mac Newbold			Code Greene, LLC
 				1440 S. Foothill Dr. Suite #250
Office:	801-438-0142		Salt Lake City, UT  84108
Cell:	801-694-6334		www.codegreene.com
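The PHP session approach recommended in the message above, shown as an added example that is not part of the original post or of the Scout Tracking project. It assumes PHP 7.3 or later, that the app is served over HTTPS, and that the `$users` array stands in for the real user table; the user name, password and timeout value are constructed for illustration.

```php
<?php
// Added example (not from the original post): session-based login using
// PHP's built-in sessions, so the userid/password is entered once and a
// cookie carries only an opaque session ID afterwards.
// Assumptions: PHP >= 7.3, HTTPS, and $users standing in for the user table.

declare(strict_types=1);

// Harden the session cookie before session_start(): HttpOnly keeps page
// scripts from reading it, Secure keeps it off plain HTTP, SameSite limits
// cross-site request forgery.
session_set_cookie_params([
    'lifetime' => 0,          // cookie expires when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

const IDLE_LIMIT = 1800; // seconds of inactivity before the login is dropped

// Constructed sample user table (hypothetical user and password); real code
// would query the database for the stored password_hash() value.
$users = [
    'oscar' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $userid, string $password): bool
{
    if (!isset($users[$userid]) || !password_verify($password, $users[$userid])) {
        return false;
    }
    // Issue a fresh ID on login so an ID handed out before authentication
    // cannot be reused (session fixation); $_SESSION data is kept.
    session_regenerate_id(true);
    $_SESSION['userid']    = $userid;
    $_SESSION['last_seen'] = time();
    return true;
}

function currentUser(): ?string
{
    if (!isset($_SESSION['userid'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout(); // idle too long: treat as logged out
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['userid'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client, then destroy the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Request handling: a login form POSTs userid and password once; every later
// request is authenticated by the session cookie alone.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['userid'], $_POST['password'])) {
    if (login($users, (string) $_POST['userid'], (string) $_POST['password'])) {
        header('Location: /');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
    exit;
}

$user = currentUser();
echo $user === null ? 'Not logged in' : 'Logged in as ' . htmlspecialchars($user);
```

The two settings worth checking in any deployment are `session.use_strict_mode` (without it PHP will accept an ID it never generated) and the `secure`/`httponly` cookie flags; the idle timeout and the ID regeneration on login are the parts the session library does not do for you.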

