Okay, I've been developing a web site for a club that I belong to. Since it is a free job, I haven't been real motivated to implement all the ideas I have for it. Now, it's time to take it to the next level, but I'm concerned about security. So far, the site has some dynamic attributes like a mysql driven photo album complete with editible captions. The captions are edited by two or three of us that have http access and a special cookie on our computers. That is the extent of the security. There is virtually no personally identifiable info on the site, but I'm wanting to implement a user profile area with contact info (no financial info) that is only available to members. I know how to program in PHP using sessions, cookies and http and I'm comfortable with programming with globals off. I don't know if I want to pay any more money for a SSL. From all the articles that I've read on the net, the consensus seems to be "no personally identifiable info-- OR SSL certs are a must!" There seems to be no middle ground. I'd like to hear what some of WHT's security experts have to say about it. How difficult is it to hack a site using a listener (I know nothing about them)? I mean, I have tons of personally identifiable info in my home and an experienced theif could gain entrance in less than 30 seconds. The prize, contact info, and gaining access to member only areas where they could create a dynamic page (invitation page, classified ad, forum access etc) doesn't seem worth the trouble of hacking a site. Also, what if I used some kind of Java Applet installed via email to identify members? Sorry for the wordiness. I hope my questions are clear enough.
