Hey, I need help with something. I recently got a website together and have it so that when you put /admin on the domain it will take you to the admin panel.
e.g. www.yourdomain.com
www.yourdomain.com/admin
What I need help with is protecting the /admin directory, so that you can only access it with a username and password.
It would be great if I can get help with this.
Thanks
Password Protect a Directory
Re: Password Protect a Directory
Check for the existence of some session variable. If it's not there, present a login form. From here you can query a database, or just store a precomputed hash in a config file (obviously not very secure). If the credentials match, set aforementioned session variable and forward the user.
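The session check described in the reply above, as an added example that is not part of the original post: a gate script required at the top of every page under /admin. The file name `auth.php`, the constants and the form field names are assumptions, the hash is a placeholder to be replaced with `password_hash()` output, and the cookie settings assume the site is served over HTTPS.

```php
<?php
// Added example, not code from the thread. Hypothetical file admin/auth.php;
// require it as the first line of every script under /admin.
declare(strict_types=1);

// Assumed config. Create the hash once on the command line with
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'
// and keep it (ideally in a file outside the web root), never the password.
const ADMIN_USER = 'admin';
const ADMIN_HASH = 'PLACEHOLDER-paste-password_hash-output'; // rejects all logins until replaced

// Assumes HTTPS: the session cookie is never sent over plain HTTP.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

function credentials_ok(string $user, string $pass): bool
{
    // Run both checks every time so a wrong username is not answered faster.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, ADMIN_HASH);
    return $userOk && $passOk;
}

if (empty($_SESSION['admin_user'])) {
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = $_POST['user'] ?? '';
        $pass = $_POST['pass'] ?? '';
        if (is_string($user) && is_string($pass) && credentials_ok($user, $pass)) {
            session_regenerate_id(true);       // fresh session id after login
            $_SESSION['admin_user'] = $user;   // the variable every page checks
            header('Location: /admin/', true, 303); // forward the user
            exit;
        }
        $error = 'Invalid username or password.';
    }
    ?>
    <form method="post">
      <p><?= htmlspecialchars($error) ?></p>
      <input name="user" autocomplete="username">
      <input name="pass" type="password" autocomplete="current-password">
      <button type="submit">Log in</button>
    </form>
    <?php
    exit; // stop here so the protected page below never runs
}
```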
Re: Password Protect a Directory
The simplest way to protect a directory is by using the Apache htpasswd. There are many tutorials on the web about how to set this up.
Sessions, which Celauran described, are more versatile and if set up correctly can be very secure.
Re: Password Protect a Directory
Some possibilities, from easiest to most difficult:
If you have cPanel
Log into your cPanel, and under "Security" choose "Password Protect Directories".
It may pop up a dialog to choose which domain root; if you have just one domain mapped out, click OK.
You will see a treeview of your site; click on the directory name you want to protect (in your case, "admin").
Mark the check box for "Password protect this directory", and below that give it some name (it will show up in the browser's password prompt).
Click SAVE (then on the confirmation page, click "Go Back").
In the bottom half, create a user and password (there is even a secure password generator). Click Add/Modify User.
You will get a confirmation page with the username and password; if you need to add more, click "Go Back".
Now on the editor page, you also have a list of users at the bottom, where you can delete the user. As it says, if you want to change the password, just re-add it like you did the first time.
That simple! It takes care of the files for you!

No cPanel, and you don't have access to SSH (or you don't wanna mess with it)
Use the tools at Dynamic Drive: http://tools.dynamicdrive.com/password/
They have decent enough instructions there, so I'm not going to repeat them here.

You have SSH access and want to get your "hands dirty"
Change to the directory you want to protect.
Add an .htaccess file (or add to one that is there already):
Code:
AuthType Basic
AuthName "Administration Area"
AuthUserFile "/path/to/public_html/admin/.htpasswd"
require valid-user

"AuthName" can be what you want; it will show up in the login prompt for the browser.
Make sure you use your actual path in front of .htpasswd.
While in that directory, issue the following command, which will create the password file called .htpasswd and add the user myuser:
Code:
htpasswd -c .htpasswd myuser

After you hit enter, you will be prompted to enter the password twice.
From then on out, now that the file .htpasswd was created, you leave off the -c portion of the line (else it will create a new file, wiping out any names already in it).
To change the password, just do the same steps as if you were adding a new user. It will overwrite the old one with the new.
To delete a user, you have to delete the line from the file. Use something like nano to edit the file:
Code:
nano .htpasswd

Here is what it looks like on one of my dev domains:
Code:
greg:$apr1$cJ84SvPC$ovs4ahB5fqFIXzni8KKJq.
kentpd:$apr1$yKnDRwcg$Mz3urO4eOCegdU4te33DH/

In nano, just put the cursor somewhere on the line that has the user to remove, and press CTRL-K (if you accidentally did the wrong one, immediately do CTRL-U to paste the deleted line).
When done, do CTRL-X to quit and save it. You will get prompted "Save Modified Buffer"; hit Y to save it, N if you want to just exit.
When you hit Y, it will prompt you for the name of the file to save as, defaulting to the one you opened, so just press ENTER to save back as the same file.
Note, if you need to, you are safe to change the username in this file (everything UP to the colon). I would suggest keeping it to simple lowercase names.
Anyhow, that is it. Your directory should be protected now.

So, now that you have the directory protected, what if you want to give your "master" user special privileges? Some think that this is where you need to use a programmed login and store sessions... But PHP has access to the username AND password that you entered, from a var_dump of $_SERVER:
Code:
["PHP_AUTH_PW"]=>
string(11) "tempPass12#"
["PHP_AUTH_USER"]=>
string(4) "greg"

If you are uncomfortable with making a secure login system, you could then use these to validate the user against a database with permissions.
Hope this helps.
-Greg
PS, if you are looking for a random password generator, here is one I use (I like that it has the option to not use similar characters (ex. i l 1 o 0) and that you can tell it to make a bunch at once if you are setting up multiple people at once): http://www.pctools.com/guides/password/
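The permissions lookup suggested at the end of the post above, as an added example that is not part of the original post: Apache checks the password through .htaccess, and PHP only decides what the named user may do. The `permissions` table, the permission names and the helper functions are assumptions; an in-memory SQLite database (requires the PDO SQLite driver) stands in for a real one.

```php
<?php
// Added example, not code from the thread. Only trust PHP_AUTH_USER in a
// directory that is covered by the "require valid-user" rule: without it,
// the value is whatever the client put in its Authorization header.
declare(strict_types=1);

// Constructed stand-in for a real permissions table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE permissions (username TEXT, permission TEXT,
           PRIMARY KEY (username, permission))');
$db->exec("INSERT INTO permissions VALUES
           ('greg', 'manage_users'), ('greg', 'edit_pages'), ('kentpd', 'edit_pages')");

function current_user(array $server): ?string
{
    // mod_php fills PHP_AUTH_USER; REMOTE_USER is set by Apache after its own check.
    $user = $server['PHP_AUTH_USER'] ?? $server['REMOTE_USER'] ?? null;
    return is_string($user) && $user !== '' ? $user : null;
}

function user_can(PDO $db, ?string $user, string $permission): bool
{
    if ($user === null) {
        return false; // no authenticated user: deny by default
    }
    // Prepared statement: the username comes from the request, never concatenate it.
    $stmt = $db->prepare('SELECT 1 FROM permissions WHERE username = ? AND permission = ?');
    $stmt->execute([$user, $permission]);
    return $stmt->fetchColumn() !== false;
}

function require_permission(PDO $db, array $server, string $permission): void
{
    if (!user_can($db, current_user($server), $permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// On a real page: require_permission($db, $_SERVER, 'manage_users');
// Constructed requests using the two usernames from the .htpasswd listing:
var_dump(user_can($db, current_user(['PHP_AUTH_USER' => 'greg']), 'manage_users'));
var_dump(user_can($db, current_user(['PHP_AUTH_USER' => 'kentpd']), 'manage_users'));
var_dump(user_can($db, current_user([]), 'edit_pages'));
```

The password is deliberately not read here: Apache has already verified it, so the script has no reason to touch `PHP_AUTH_PW`.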