.htaccess problem

bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

.htaccess problem

Post by bladecatcher »

G'day All,
Hope this is the right place?

On my debian linux server.
I created a directory "secure" and added a .htaccess file like this
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/apache/passwords
Require valid-user

added a few users to the passwords file using htpasswd, this seemed to work well. However a few days down the line and this directory is now no longer secure, anyone can access it without a password.

Perhaps I have changed some directive in httpd.conf, I can't recall this though???

Can anyone suggest a route to solving this?

Thanking you in advance,
bladecatcher
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

you have
AuthUserFile /etc/apache/passwords

if you use .htpasswd like you said then you need

AuthUserFile /etc/apache/.htpasswd
bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

geeze thx

Post by bladecatcher »

G'day TG1,
Thank you for your reply!

are you saying to:

create a new password file named ".htpasswd" and edit the .htaccess appropriately?

tia
bladecatcher
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

well in your first post you said

"added a few users to the passwords file using htpasswd"

and using htpasswd i assumed you meant .htpasswd because you cant really "use" it as far as i know except for that

i believe the best thing to do would be make .htpasswd and edit .htaccess to suit it because im not sure how you expected it to read

/etc/apache/passwords

because that seems like "passwords" is a directory unless you made it a file with no extension which would be really strange
bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

hmmm, confused

Post by bladecatcher »

hmmm, confused. Just looked at htpasswd man.

I used this:

htpasswd -c /etc/apache/passwords username

that creates a htpasswd file called "passwords" in /etc/apache/passwords with the user "username" in it.

added users using:

htpasswd /etc/apache/passwords username

checked the passwords file, it looks OK.

sorry am I getting confused here somewhere?

tia
bladecatcher
bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

Problem Solved, new problem arises.

Post by bladecatcher »

G'day All,
The problem was not with the .htaccess setup, that *is* as simple as it first appears in the apache docs. The only note I'd add to the docs at apache is the addition of using "AllowOverride AuthConfig" in your httpd.conf file.

My problem was totally unrelated to .htaccess in that the file from the .htaccess authorized directory was in an include in another php file. After being prompted for a password on the first access subsequent calls for the file are authorised as "php" then has authorisation.

Is there a method to "password" protect a document included by a php file?

Thanking you in advance,
bladecatcher
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

well obviously you could make a login system of some sort and set a session value so if they havent logged in they cant view the page with the include or whatever it is you have
bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

Thanks again

Post by bladecatcher »

G'day TG1,
Thanks for reply.

Not all things are obvious to us newbies :-)

I've got "sessions" on my list to look at, I'll move it to the front, thx.

Any other things I should consider?

tia
bladecatcher
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

basically, thegreatone just told you the best way to do this... it's not that hard really..

example :

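<?php
// Login handler. Assumes a MySQL connection was opened earlier with mysql_connect().
// The ext/mysql functions used here were removed in PHP 7; on current PHP use
// mysqli or PDO with prepared statements instead.
session_start();
if(!isset($_POST['username']) || !isset($_POST['password']))
{
   echo 'You must enter a username and password to login!';
   exit;
}
// Escape user input before it goes into the query, otherwise a quote in either
// field changes the SQL statement (SQL injection)
$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$sql = mysql_query("SELECT * FROM users WHERE username = '".$uname."' AND password = '".$pass."'") or die(mysql_error());
$numfound = mysql_num_rows($sql);
if($numfound > 0)
{
   // Issue a fresh session id on login so a pre-set id cannot be reused
   session_regenerate_id(true);
   $_SESSION['passed'] = 'yes';
   echo 'You may now go to admin page by clicking <a href="mypage.php">this link</a>';
}
else
{
   echo 'User Not Found!';
   exit;
}
?>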
then in any page you want to verify that the user is legit before you want them to be allowed to view the page, do something like this:

<?php
session_start();
// Only continue when the login script has marked this session as authenticated
if(isset($_SESSION['passed']) && $_SESSION['passed'] == 'yes')
{
   echo 'You successfully logged on!  Good job, now do your thing..';
}
else
{
   echo 'You are not authorized to view this page! ';
   exit;
}
?>

of course there are some tweaks you could make to make this a lot more secure, but that's a pretty quick and simple way ...
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

that is the more advanced way but the easier way to do it if you arent using a database is

<?php
session_start();

// No password submitted and no authenticated session yet: show the form and stop
if (empty($_POST['pass']) && empty($_SESSION['user'])){
    echo '<form action="" method="POST"><input type="text" name="pass"><input type="submit"></form>';
    die;
}

// A password was submitted: check it before marking the session as authenticated
if (isset($_POST['pass'])){
    if ($_POST['pass'] === "password you want"){
        $_SESSION['user']="OK";
    }else{
        echo "wrong pass";
        die;
    }
}

?>
then after that put whatever you wanted authed users to view
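
The session gate both answers describe, placed in front of the include that bypassed the .htaccess protection, as an added example that is not part of any post in this thread. The user name `alice`, the sample password and the path `secure/document.php` are assumptions made for illustration, and passwords are checked with `password_hash()`/`password_verify()` rather than stored as typed.

```php
<?php
// Added example, not code from the thread. The user name, the sample
// password and the include path are constructed for illustration.
session_start();

// Constructed credential store: username => password hash. In a real setup
// the hash is generated once with password_hash() and stored, not the password.
function user_table(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
    }
    return $users;
}

function check_credentials(string $user, string $pass): bool
{
    $users = user_table();
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Handle a login attempt posted to this page; non-string input is ignored.
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])
    && check_credentials($_POST['username'], $_POST['password'])) {
    session_regenerate_id(true);   // new session id once the user is authenticated
    $_SESSION['user'] = $_POST['username'];
}

// The gate: without a logged-in session nothing below this point runs.
if (empty($_SESSION['user'])) {
    echo '<form method="post">'
       . '<input type="text" name="username">'
       . '<input type="password" name="password">'
       . '<input type="submit" value="Log in"></form>';
    exit;
}

// PHP reads the included file straight from disk, so the Basic auth that
// .htaccess puts on its directory is never consulted for this include.
// The session check above is the only access control on this path.
include __DIR__ . '/secure/document.php';   // hypothetical protected file
```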
bladecatcher
Forum Commoner
Posts: 67
Joined: Sat Mar 12, 2005 12:50 am

another Thanks

Post by bladecatcher »

Thank you both!

with your help I now have sessions working, very useful stuff.

cheers
bladecatcher