.htaccess problem
Moderator: General Moderators
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
.htaccess problem
G'day All,
Hope this is the right place?
On my debian linux server.
I created a directory "secure" and added a .htaccess file like this
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/apache/passwords
Require valid-user
Added a few users to the passwords file using htpasswd; this seemed to work well. However, a few days down the line this directory is now no longer secure: anyone can access it without a password.
Perhaps I have changed some directive in httpd.conf, I can't recall this though???
Can anyone suggest a route to solving this?
Thanking you in advance,
bladecatcher
-
thegreatone2176
- Forum Contributor
- Posts: 102
- Joined: Sun Jul 11, 2004 1:27 pm
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
geeze thx
G'day TG1,
Thank you for your reply!
are you saying to:
create a new password file named ".htpasswd" and edit the .htaccess appropriately?
tia
bladecatcher
-
thegreatone2176
- Forum Contributor
- Posts: 102
- Joined: Sun Jul 11, 2004 1:27 pm
well in your first post you said
"added a few users to the passwords file using htpasswd"
and using htpasswd I assumed you meant .htpasswd because you can't really "use" it as far as I know except for that
I believe the best thing to do would be to make .htpasswd and edit .htaccess to suit it because I'm not sure how you expected it to read
/etc/apache/passwords
because that seems like "passwords" is a directory unless you made it a file with no extension which would be really strange
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
hmmm, confused
hmmm, confused. Just looked at htpasswd man.
I used this:
htpasswd -c /etc/apache/passwords username
that creates a htpasswd file called "passwords" in /etc/apache/passwords with the user "username" in it.
added users using:
htpasswd /etc/apache/passwords username
checked the passwords file, it looks OK.
sorry am I getting confused here somewhere?
tia
bladecatcher
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
Problem Solved, new problem arises.
G'day All,
The problem was not with the .htaccess setup; that *is* as simple as it first appears in the apache docs. The only note I'd add to the docs at apache is the addition of using "AllowOverride AuthConfig" in your httpd.conf file.
My problem was totally unrelated to .htaccess, in that the file from the .htaccess authorized directory was in an include in another php file. After being prompted for a password on the first access, subsequent calls for the file are authorised, as "php" then has authorisation.
Is there a method to "password" protect a document included by a php file?
Thanking you in advance,
bladecatcher
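The "AllowOverride AuthConfig" note above, written out as a config fragment. This is an added example, not taken from the poster's server; the directory path /var/www/secure is an assumption.

```apache
# httpd.conf (main server configuration)
# /var/www/secure is an assumed location for the "secure" directory.

# Weak setting: with overrides disabled, Apache never reads the .htaccess
# file in this directory, so its Auth* lines have no effect and the
# directory is served without a password prompt.
#
# <Directory /var/www/secure>
#     AllowOverride None
# </Directory>

# Corrected setting: let .htaccess files under this directory set
# authentication directives (AuthName, AuthType, AuthUserFile, Require)
# and nothing else.
<Directory /var/www/secure>
    AllowOverride AuthConfig
</Directory>

# /var/www/secure/.htaccess, as given in the first post:
#
# AuthName "Restricted Access"
# AuthType Basic
# AuthUserFile /etc/apache/passwords
# Require valid-user
```

After Apache is reloaded, a request for the directory without credentials should get a 401 response instead of the page.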
-
thegreatone2176
- Forum Contributor
- Posts: 102
- Joined: Sun Jul 11, 2004 1:27 pm
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
Thanks again
G'day TG1,
Thanks for reply.
Not all things are obvious to us newbies
I've got "sessions" on my list to look at, I'll move it to the front, thx.
Any other things I should consider?
tia
bladecatcher
basically, thegreatone just told you the best way to do this... it's not that hard really..
example :
Code: Select all
<?php
// mysql_* is the legacy extension this post was written for (removed in PHP 7).
session_start();
// Both fields must be present before the database is queried.
if(!isset($_POST['username']) || !isset($_POST['password']))
{
    echo 'You must enter a username and password to login!';
    exit;
}
// Escape the input before it goes into the query string (needs an open mysql connection).
$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$sql = mysql_query("Select * from users where username = '".$uname."' and password = '".$pass."'") or die(mysql_error());
$numfound = mysql_num_rows($sql);
if($numfound > 0)
{
    // Mark this session as logged in; the protected pages check this flag.
    $_SESSION['passed'] = 'yes';
    echo 'You may now go to admin page by clicking <a href="mypage.php">this link</a>';
}
else
{
    echo 'User Not Found!';
    exit;
}
?>
then in any page you want to verify that the user is legit before you want them to be allowed to view the page, do something like this:
Code: Select all
<?php
session_start();
// Only sessions marked by the login script may continue.
if(isset($_SESSION['passed']) && $_SESSION['passed'] == 'yes')
{
    echo 'You successfully logged on! Good job, now do your thing..';
}
else
{
    echo 'You are not authorized to view this page! ';
    exit;
}
?>
of course there are some tweaks you could make to make this a lot more secure, but that's a pretty quick and simple way ...
-
thegreatone2176
- Forum Contributor
- Posts: 102
- Joined: Sun Jul 11, 2004 1:27 pm
that is the more advanced way but the easier way to do it if you aren't using a database is
Code: Select all
<?php
session_start();
// No password submitted and no authenticated session yet: show the form and stop.
if (empty($_POST['pass']) && empty($_SESSION['user'])){
    echo '<form action="" method="POST"><input type="text" name="pass"><input type="submit"></form>';
    die;
}
if (isset($_POST['pass'])){
    // Strict comparison avoids PHP's loose type juggling with ==.
    if ($_POST['pass'] === "password you want"){
        $_SESSION['user']="OK";
    }else{
        echo "wrong pass";
        die;
    }
}
?>
then after that put whatever you wanted authed users to view
-
bladecatcher
- Forum Commoner
- Posts: 67
- Joined: Sat Mar 12, 2005 12:50 am
another Thanks
Thank you both!
with your help I now have sessions working, very useful stuff.
cheers
bladecatcher
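An added example, not code from any poster in this thread: the session check from the replies above with a prepared statement and hashed passwords, plus a require_login() guard for the case raised earlier, where a file in the password-protected directory is pulled in through a PHP include. The users table, its password_hash column and the file names are assumptions.

```php
<?php
// auth.php: added example. Table, column and file names are assumptions.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Array form needs PHP 7.3+; keeps the cookie away from page scripts.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

/** Check credentials; on success mark the session as logged in. */
function attempt_login(PDO $db, string $username, string $password): bool
{
    start_session_once();
    // Prepared statement: user input is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user

    // Stored value is assumed to come from password_hash(), not plain text.
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);    // fresh session id after login
    $_SESSION['user'] = $username;
    return true;
}

/** Put this call at the top of every protected page and protected include. */
function require_login(): void
{
    start_session_once();
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('You are not authorized to view this page!');
    }
}

// A file that other scripts include() is read from disk, so Apache's
// .htaccess check never runs for it. Guard it in PHP instead, e.g. at the
// top of secure/report.php (hypothetical name):
//     require_once __DIR__ . '/../auth.php';
//     require_login();
```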