Passwd protection

I am not a webmaster or very web savvy. I have a hosted site on
Verio.com that has only a very limited password protection feature. I
need to password protect subscriber pages (or a directory) and need a
user friendly tool to automatically accept subscriber designated
userID's and passwds. I've heard that Java scripts are not usable by
all browsers. Apparently I am allowed to install a script on the
Verio.com server for our account which resides on Unix. I'd like a
simple windows interface that will also cut us an email when someone
subscribes. We're working w/2co.com as the payment gateway. I'm over
my head here and need some good advice. Thanks.

Ca***********@yahoo.com
Jul 20 '05 #1
Sandy wrote in
<df*************************@posting.google.com>
I am not a webmaster or very web savvy. I have a hosted site on
Verio.com that has only a very limited password protection feature. I
need to password protect subscriber pages (or a directory) and need a
user friendly tool to automatically accept subscriber designated
userID's and passwds. I've heard that Java scripts are not usable by
all browsers. Apparently I am allowed to install a script on the
Verio.com server for our account which resides on Unix. I'd like a
simple windows interface that will also cut us an email when someone
subscribes. We're working w/2co.com as the payment gateway. I'm over
my head here and need some good advice. Thanks.


There's .htaccess - it's very simple.

Four lines in the .htaccess file:

AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user

and a file - .htpasswd - containing passwords and IDs:

username1:password1
username2:password2
...

That protects everything below the directory in which the .htaccess file is
located.

Info: http://www.freewebmasterhelp.com/tutorials/htaccess/3

Password generator:
http://www.euronet.nl/~arnow/htpasswd/
--
PeterMcC
If you feel that any of the above is incorrect,
inappropriate or offensive in any way,
please ignore it and accept my apologies.

Jul 20 '05 #2
PeterMcC said the following on 02/08/2004 19:32:
and a file - .htpasswd - containing passwords and IDs:

username1:password1
username2:password2
...

That protects everything below the directory in which the .htaccess file is
located.

Info: http://www.freewebmasterhelp.com/tutorials/htaccess/3


It is suggested in the tutorial, just want to stress this:

Don't put the .htpasswd file in the DocumentRoot. If you do, the file
can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through password
files.

By the way, when using Basic Authentication, the passwords are sent over
the line in plain ASCII and can be sniffed, so this is not very secure.

You should probably read something like this if you want to use
.htaccess/.htpasswd:

http://httpd.apache.org/docs/howto/auth.html

Regards,
Harrie
Jul 20 '05 #3
Harrie wrote:
Don't put the .htpasswd file in the DocumentRoot. If you do, the file
can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through password
files.


Not if you set your server up correctly, unless I'm missing something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
Jul 20 '05 #4
Mark Tranchant said the following on 03/08/2004 09:03:
Harrie wrote:
Don't put the .htpasswd file in the DocumentRoot. If you do, the file
can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through password
files.


Not if you set your server up correctly, unless I'm missing something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


I have to admit you're right, but this wasn't mentioned in the URL you
gave and I didn't think about it myself. Still, I would recommend
against it (but that's just an opinion); one central place for
configuration outside the DocumentRoot is less prone to errors. However,
since this is a hosted site, this isn't probably an option for the op.

Regards,
Harrie
Jul 20 '05 #5
Harrie wrote in
<41***********************@news.xs4all.nl>
Mark Tranchant said the following on 03/08/2004 09:03:
Harrie wrote:
Don't put the .htpasswd file in the DocumentRoot. If you do, the
file can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through
password files.


Not if you set your server up correctly, unless I'm missing
something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


I have to admit you're right, but this wasn't mentioned in the URL you
gave


I only mention this to avoid having Mr Tranchant's spotless reputation being
sullied by any possible confusion between his good self and me.

I posted the URL, you have to admit Mark's right :)

--
PeterMcC
If you feel that any of the above is incorrect,
inappropriate or offensive in any way,
please ignore it and accept my apologies.

Jul 20 '05 #6
Mark Tranchant wrote:
Harrie wrote:
Don't put the .htpasswd file in the DocumentRoot. If you do, the
file can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through
password files.


Not if you set your server up correctly, unless I'm missing
something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


That's true. But when I set up something like this, I prefer to take
extra precautions. I'd protect .htaccess as you've done[1], but I'd also
move .htpasswd outside the document root.

[1] Except that I use <FilesMatch> instead of <Files>.

--
Brian (remove ".invalid" to email me)
http://www.tsmchughs.com/
Jul 20 '05 #7
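
An added example, not part of any post in this thread: a small Python audit that walks a document root and reports any .htpasswd file stored inside it and any AuthUserFile directive that points inside it, which is the placement the replies above advise against. The function names, finding labels and the sample tree are assumptions made for illustration; the sample tree is constructed.

```python
import os
import re
import tempfile

# Matches an AuthUserFile directive, with or without a quoted path.
AUTH_USER_FILE = re.compile(r'^\s*AuthUserFile\s+("?)(.+?)\1\s*$', re.IGNORECASE)

def rel_inside(path, root):
    """Path relative to root if it lies at or below root (symlinks resolved), else None."""
    path = os.path.realpath(path)
    return os.path.relpath(path, root) if os.path.commonpath([path, root]) == root else None

def audit_docroot(docroot):
    """Return sorted (finding, path) pairs for password files kept under docroot."""
    findings, root = set(), os.path.realpath(docroot)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == ".htpasswd":
                findings.add(("htpasswd-in-docroot", os.path.relpath(full, root)))
            if name != ".htaccess":
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                targets = [m.group(2) for m in map(AUTH_USER_FILE.match, fh) if m]
            for target in targets:
                if not os.path.isabs(target):
                    # Apache resolves relative paths against ServerRoot, unknown here.
                    findings.add(("relative-authuserfile", target))
                elif (rel := rel_inside(target, root)) is not None:
                    findings.add(("authuserfile-in-docroot", rel))
    return sorted(findings)

def build_sample(base):
    """Constructed sample tree: one section done badly, one done as advised."""
    docroot = os.path.join(base, "htdocs")
    layout = {"members": os.path.join(docroot, "members", ".htpasswd"),  # inside docroot
              "premium": os.path.join(base, "private", ".htpasswd")}     # outside docroot
    for section, pwfile in layout.items():
        os.makedirs(os.path.join(docroot, section), exist_ok=True)
        os.makedirs(os.path.dirname(pwfile), exist_ok=True)
        with open(pwfile, "w") as fh:
            fh.write("username1:constructed-placeholder-hash\n")
        with open(os.path.join(docroot, section, ".htaccess"), "w") as fh:
            fh.write('AuthName "Section Name"\nAuthType Basic\n'
                     f'AuthUserFile {pwfile}\nRequire valid-user\n')
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_docroot(build_sample(tmp)))
```

Only the "members" section of the sample is reported; "premium", whose password file sits beside the document root rather than under it, produces no finding.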
PeterMcC said the following on 03/08/2004 14:06:
Harrie wrote in
<41***********************@news.xs4all.nl>
Mark Tranchant said the following on 03/08/2004 09:03:

Harrie wrote:
Don't put the .htpasswd file in the DocumentRoot. If you do, the
file can be viewed and/or downloaded and although the passwords are
encrypted, there are many tools which crack their way through
password files.

Not if you set your server up correctly, unless I'm missing
something:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>


I have to admit you're right, but this wasn't mentioned in the URL you
gave

I only mention this to avoid having Mr Tranchant's spotless reputation being
sullied by any possible confusion between his good self and me.

I posted the URL, you have to admit Mark's right :)


Whoops, you're right .. and so is Mark ;)

Regards,
Harrie
Jul 20 '05 #8
