Idea to protect and limit ethernet server access

I have started a home automation system with a Mega and Ethernet shield.

With the kind assistance and guidance of zoomkat, I have the ethernet server working just as I want it.

My only concern is that anyone could (probably accidentally) connect to my served page and use the served web page to adjust settings to the home system and alarm / intruder detection system.

My thoughts to prevent this are :

  1. declare a variable $passID
  2. when first serving up the page, if $passID is empty, display only a textbox (type = password) and a submit button.
  3. if the server receives a value from the password textbox, check that it is valid (against a hard-coded value on the server).
  4. if valid, assign the current millis value to $passID, and display the full page (list of controls), and prepend the $passID to all the link values.
  5. if a link is received, check that the $passID (in the link) exists as a valid issued ID, and that the ID is not older than, say, 5 minutes (millis + 5 min), and perform the operation relevant to the link.
  6. if the textbox is empty, or not a valid password, or $passID is older than 5 minutes, then re-display the password textbox and submit button.

Any obvious flaws or oversights ?

Any obvious flaws or oversights ?

Sounds good to me. 5 minutes might be a bit short, though.

Maybe I should reduce the time to 2 minutes, but restart the countdown every time the user accesses the page. That way it will remain alive until the user has not interacted for 2 minutes.

Any suggestion on what variable type to use to store the variables for each connection : $Pass_Millis_Start and $Pass_Millis_Last ? There could be any number of combinations.

I think the ethernet shield can only accept 4 connections at a time (?) but I can't limit to 4 variables. For example, let's say that my phone's internet connection keeps dropping after I submit the password, and I don't get the reply page that contains the $passID values, I would try to connect again. This would create another $Pass_Millis_Start and $Pass_Millis_Last.

Any suggestion on what variable type to use to store the variables for each connection : $Pass_Millis_Start and $Pass_Millis_Last ? There could be any number of combinations.

You won't be using $ as part of the variable name on the Arduino, so I'd recommend dropping it now.

The values will be passed back and forth as strings. The values in the strings need to be converted to numbers in order to compare them. They will be unsigned longs in the first place, so that seems to pretty well dictate the type.

I think the ethernet shield can only accept 4 connections at a time (?)

True.

but I can't limit to 4 variables.

I don't see the connection. Each request that arrives has, or does not have, a timestamp. If it does, you do one thing. If it doesn't, you do something else.

If it has a "current" time stamp, you do one thing. If not, you do something else.

For example, let's say that my phone's internet connection keeps dropping after I submit the password, and I don't get the reply page that contains the $passID values, I would try to connect again. This would create another $Pass_Millis_Start and $Pass_Millis_Last.

It would create, send, and forget all about the Pass_Millis_Start value. It would get, or not, a valid, or not, Pass_Millis_Last value from the client that is trying to send it information.

The Arduino does not need to ever remember that it has seen a client before, or when it last saw that client.
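
The stateless check described in the last reply, written out as an added example (not code from any poster in this thread). It assumes the timestamp travels as a `passID=` query parameter; the function names are hypothetical, and `now_ms` stands in for the value of `millis()`.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 2-minute idle window, as proposed in the thread */
#define IDLE_LIMIT_MS (2UL * 60UL * 1000UL)

/* Extract the decimal value after "passID=" (assumed parameter name).
   Returns 1 and stores the value, or 0 if it is absent or malformed. */
static int parse_pass_id(const char *request, uint32_t *out)
{
    const char *p = strstr(request, "passID=");
    if (p == NULL) return 0;
    p += strlen("passID=");
    if (!isdigit((unsigned char)*p)) return 0;  /* empty, signed or padded value */

    errno = 0;
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (errno == ERANGE || v > 0xFFFFFFFFUL) return 0;  /* does not fit millis() */
    if (*end != '\0' && *end != '&' && *end != ' ') return 0;  /* trailing junk */

    *out = (uint32_t)v;
    return 1;
}

/* Returns 1 to serve the controls page, 0 to serve the password form.
   On success *next_id is the refreshed stamp to embed in the new links,
   which restarts the idle countdown. Nothing is stored per client. */
int check_request(const char *request, uint32_t now_ms, uint32_t *next_id)
{
    uint32_t stamp;
    if (!parse_pass_id(request, &stamp)) return 0;

    /* Unsigned subtraction stays correct when millis() rolls over, and a
       stamp later than now_ms wraps to a huge age, so it is rejected too. */
    uint32_t age = now_ms - stamp;
    if (age > IDLE_LIMIT_MS) return 0;

    *next_id = now_ms;
    return 1;
}
```

As in the thread, the token is only the timestamp, so this shows the parsing and expiry logic; it does nothing to make the value hard to guess.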