
Passwd protection

I am not a webmaster or very web savvy. I have a hosted site on
Verio.com that has only a very limited password protection feature. I
need to password protect subscriber pages (or a directory) and need a
user friendly tool to automatically accept subscriber designated
userID's and passwds. I've heard that Java scripts are not usable by
all browsers. Apparently I am allowed to install a script on the
Verio.com server for our account which resides on Unix. I'd like a
simple windows interface that will also cut us an email when someone
subscribes. We're working w/2co.com as the payment gateway. I'm over
my head here and need some good advice. Thanks.

Ca***********@yahoo.com
Jul 20 '05 #1


Sandy wrote in
<df*************************@posting.google.com>
> I am not a webmaster or very web savvy. I have a hosted site on
> Verio.com that has only a very limited password protection feature. I
> need to password protect subscriber pages (or a directory) and need a
> user friendly tool to automatically accept subscriber designated
> userID's and passwds. I've heard that Java scripts are not usable by
> all browsers. Apparently I am allowed to install a script on the
> Verio.com server for our account which resides on Unix. I'd like a
> simple windows interface that will also cut us an email when someone
> subscribes. We're working w/2co.com as the payment gateway. I'm over
> my head here and need some good advice. Thanks.


There's .htaccess - it's very simple.

Four lines in the .htaccess file:

AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user

and a file - .htpasswd - containing passwords and IDs:

username1:password1
username2:password2
....

That protects everything below the directory in which the .htaccess file is
located.

Info: http://www.freewebmasterhelp.com/tutorials/htaccess/3

Password generator:
http://www.euronet.nl/~arnow/htpasswd/
--
PeterMcC
If you feel that any of the above is incorrect,
inappropriate or offensive in any way,
please ignore it and accept my apologies.

Jul 20 '05 #2

PeterMcC said the following on 02/08/2004 19:32:
> and a file - .htpasswd - containing passwords and IDs:
>
> username1:password1
> username2:password2
> ...
>
> That protects everything below the directory in which the .htaccess file is
> located.
>
> Info: http://www.freewebmasterhelp.com/tutorials/htaccess/3


It is suggested in the tutorial, just want to stress this:

Don't put the .htpasswd file in the DocumentRoot. If you do, the file
can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through password
files.

By the way, when using Basic Authentication, the passwords are sent over
the line in plain ASCII and can be sniffed, so this is not very secure.

You should probably read something like this if you want to use
.htaccess/.htpasswd:

http://httpd.apache.org/docs/howto/auth.html

Regards,
Harrie
Jul 20 '05 #3

Harrie wrote:
> Don't put the .htpasswd file in the DocumentRoot. If you do, the file
> can be viewed and/or downloaded and although the passwords are
> encrypted, there are many tools which crack their way through password
> files.


Not if you set your server up correctly, unless I'm missing something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
Jul 20 '05 #4

Mark Tranchant said the following on 03/08/2004 09:03:
> Harrie wrote:
>> Don't put the .htpasswd file in the DocumentRoot. If you do, the file
>> can be viewed and/or downloaded and although the passwords are
>> encrypted, there are many tools which crack their way through password
>> files.
>
> Not if you set your server up correctly, unless I'm missing something:
>
> <Files ~ "^\.ht">
> Order allow,deny
> Deny from all
> </Files>


I have to admit you're right, but this wasn't mentioned in the URL you
gave and I didn't think about it myself. Still, I would recommend
against it (but that's just an opinion); one central place for
configuration outside the DocumentRoot is less prone to errors. However,
since this is a hosted site, this probably isn't an option for the OP.

Regards,
Harrie
Jul 20 '05 #5

Harrie wrote in
<41***********************@news.xs4all.nl>
> Mark Tranchant said the following on 03/08/2004 09:03:
>> Harrie wrote:
>>> Don't put the .htpasswd file in the DocumentRoot. If you do, the
>>> file can be viewed and/or downloaded and although the passwords are
>>> encrypted, there are many tools which crack their way through
>>> password files.
>>
>> Not if you set your server up correctly, unless I'm missing
>> something:
>>
>> <Files ~ "^\.ht">
>> Order allow,deny
>> Deny from all
>> </Files>
>
> I have to admit you're right, but this wasn't mentioned in the URL you
> gave


I only mention this to avoid having Mr Tranchant's spotless reputation being
sullied by any possible confusion between his good self and me.

I posted the URL, you have to admit Mark's right :)

--
PeterMcC
If you feel that any of the above is incorrect,
inappropriate or offensive in any way,
please ignore it and accept my apologies.

Jul 20 '05 #6

Mark Tranchant wrote:
> Harrie wrote:
>> Don't put the .htpasswd file in the DocumentRoot. If you do, the
>> file can be viewed and/or downloaded and although the passwords are
>> encrypted, there are many tools which crack their way through
>> password files.
>
> Not if you set your server up correctly, unless I'm missing
> something:
>
> <Files ~ "^\.ht">
> Order allow,deny
> Deny from all
> </Files>


That's true. But when I set up something like this, I prefer to take
extra precautions. I'd protect .htaccess as you've done[1], but I'd also
move .htpasswd outside the document root.

[1] Except that I use <FilesMatch> instead of <Files>.

--
Brian (remove ".invalid" to email me)
http://www.tsmchughs.com/
Jul 20 '05 #7
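
Added example, not part of any post in this thread: a Python check for the two points raised above, that the file named by AuthUserFile should not sit under the document root and that its entries should not be stored in a weak format. The function names, the temp-directory layout and the sample entries are constructed for illustration; treating bcrypt and apr1 as acceptable and everything else as a finding is this example's own assumption.

```python
import os
import re
import tempfile

# Assumes AuthUserFile is an absolute path, as in the thread's example.
AUTH_USER_FILE = re.compile(r'^[ \t]*AuthUserFile[ \t]+"?([^"\s]+)"?', re.I | re.M)
SCHEMES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted"))

def hash_scheme(field):
    """Classify the password field of one .htpasswd entry by its format."""
    for prefix, name in SCHEMES:
        if field.startswith(prefix):
            return name
    return "des-crypt" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else "plaintext-or-unknown"

def inside(path, root):
    """True if path is root itself or lies below it (symlinks resolved)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def audit(docroot):
    """Return (password_file, problem) pairs for every .htaccess under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            pwfiles = AUTH_USER_FILE.findall(fh.read())
        for pwfile in pwfiles:
            if inside(pwfile, docroot):
                findings.append((pwfile, "inside document root"))
            if os.path.isfile(pwfile):
                with open(pwfile, errors="replace") as fh:
                    for line in fh:
                        user, sep, field = line.strip().partition(":")
                        if sep and hash_scheme(field) not in ("bcrypt", "apr1-md5"):
                            findings.append((pwfile, f"{user}: {hash_scheme(field)}"))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as top:  # constructed site layout
        members = os.path.join(top, "htdocs", "members")
        os.makedirs(members)
        pw = os.path.join(members, ".htpasswd")
        with open(pw, "w") as fh:  # constructed entries, not real credentials
            fh.write("alice:rqXexS6ZhobKA\nbob:$apr1$abcdefgh$0123456789abcdefghijkl\n")
        with open(os.path.join(members, ".htaccess"), "w") as fh:
            fh.write(f'AuthType Basic\nAuthUserFile "{pw}"\nRequire valid-user\n')
        return [problem for _pw, problem in audit(os.path.join(top, "htdocs"))]
```

Run `audit()` against the real document root of the hosted account; an empty list means no .htaccess there points at a password file under the web root and no readable entry uses a flagged format.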

PeterMcC said the following on 03/08/2004 14:06:
> Harrie wrote in
> <41***********************@news.xs4all.nl>
>> Mark Tranchant said the following on 03/08/2004 09:03:
>>
>>> Harrie wrote:
>>>> Don't put the .htpasswd file in the DocumentRoot. If you do, the
>>>> file can be viewed and/or downloaded and although the passwords are
>>>> encrypted, there are many tools which crack their way through
>>>> password files.
>>>
>>> Not if you set your server up correctly, unless I'm missing
>>> something:
>>>
>>> <Files ~ "^\.ht">
>>> Order allow,deny
>>> Deny from all
>>> </Files>
>>
>> I have to admit you're right, but this wasn't mentioned in the URL you
>> gave
>
> I only mention this to avoid having Mr Tranchant's spotless reputation being
> sullied by any possible confusion between his good self and me.
>
> I posted the URL, you have to admit Mark's right :)


Whoops, you're right .. and so is Mark ;)

Regards,
Harrie
Jul 20 '05 #8
