.htaccess problem
Posted: Sun Mar 13, 2005 8:33 pm
by bladecatcher
G'day All,
Hope this is the right place?
On my debian linux server.
I created a directory "secure" and added a .htaccess file like this:
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/apache/passwords
Require valid-user
added a few users to the passwords file using htpasswd, this seemed to work well. However a few days down the line and this directory is now no longer secure, anyone can access it without a password.
Perhaps I have changed some directive in httpd.conf, I can't recall this though???
Can anyone suggest a route to solving this?
Thanking you in advance,
bladecatcher
Posted: Mon Mar 14, 2005 7:49 pm
by thegreatone2176
you have
AuthUserFile /etc/apache/passwords
if you use .htpasswd like you said then you need
AuthUserFile /etc/apache/.htpasswd
geeze thx
Posted: Mon Mar 14, 2005 7:59 pm
by bladecatcher
G'day TG1,
Thank you for your reply!
are you saying to:
create a new password file named ".htpasswd" and edit the .htaccess appropriately?
tia
bladecatcher
Posted: Mon Mar 14, 2005 9:54 pm
by thegreatone2176
well in your first post you said
"added a few users to the passwords file using htpasswd"
and using htpasswd i assumed you meant .htpasswd because you can't really "use" it as far as i know except for that
i believe the best thing to do would be make .htpasswd and edit .htaccess to suit it because I'm not sure how you expected it to read
/etc/apache/passwords
because that seems like "passwords" is a directory unless you made it a file with no extension which would be really strange
hmmm, confused
Posted: Mon Mar 14, 2005 10:16 pm
by bladecatcher
hmmm, confused. Just looked at htpasswd man.
I used this:
htpasswd -c /etc/apache/passwords username
that creates a htpasswd file called "passwords" in /etc/apache/passwords with the user "username" in it.
added users using:
htpasswd /etc/apache/passwords username
checked the passwords file, it looks OK.
sorry am I getting confused here somewhere?
tia
bladecatcher
Problem Solved, new problem arises.
Posted: Wed Mar 16, 2005 8:58 am
by bladecatcher
G'day All,
The problem was not with the .htaccess setup, that *is* as simple as it first appears in the apache docs. The only note I'd add to the docs at apache is the addition of using "AllowOverride AuthConfig" in your httpd.conf file.
My problem was totally unrelated to .htaccess in that the file from the .htaccess authorized directory was in an include in another php file. After being prompted for a password on the first access subsequent calls for the file are authorised as "php" then has authorisation.
Is there a method to "password" protect a document included by a php file?
Thanking you in advance,
bladecatcher
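The "AllowOverride AuthConfig" point in the post above can be checked mechanically. The following is an added example, not part of the original thread: it reads httpd.conf text and reports whether authentication directives in a .htaccess file are honoured for a given directory. The function names, the sample configuration and its paths are constructed for illustration; Include files and wildcard or regex <Directory> sections are not handled.

```python
import re

# Constructed sample httpd.conf text; the directory paths are assumptions.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride FileInfo Indexes
</Directory>
<Directory "/var/www/secure">
    AllowOverride AuthConfig
</Directory>
"""

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>$', re.I)
OVERRIDE = re.compile(r'AllowOverride\s+(.+)$', re.I)

def effective_allowoverride(conf_text, path):
    """Tokens of the AllowOverride that wins for `path`, or None when no plain
    <Directory> block sets one (the default then depends on the Apache version)."""
    path = path.rstrip("/") + "/"
    best_len, tokens, current = -1, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<directory"):
            m = DIR_OPEN.match(line)
            # Wildcard and regex sections are skipped in this example.
            plain = m and not re.search(r"[*?\[~]", m.group(1))
            current = m.group(1).rstrip("/") + "/" if plain else None
        elif line.lower().startswith("</directory"):
            current = None
        elif current and path.startswith(current) and len(current) >= best_len:
            m = OVERRIDE.match(line)
            if m:  # the longest matching directory wins; later lines win ties
                best_len, tokens = len(current), m.group(1).split()
    return tokens

def htaccess_auth_honoured(conf_text, path):
    """True/False if AuthConfig directives in .htaccess are honoured, None if unknown."""
    tokens = effective_allowoverride(conf_text, path)
    if tokens is None:
        return None
    return bool({"all", "authconfig"} & {t.lower() for t in tokens})

if __name__ == "__main__":
    for p in ("/var/www/secure", "/var/www/other", "/srv"):
        print(p, htaccess_auth_honoured(SAMPLE_CONF, p))
```

A False result means Apache ignores the Auth* lines in that directory's .htaccess, so the directory is served without a password prompt.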
Posted: Wed Mar 16, 2005 3:20 pm
by thegreatone2176
well obviously you could make a login system of some sort and set a session value so if they haven't logged in they can't view the page with the include or whatever it is you have
Thanks again
Posted: Wed Mar 16, 2005 3:31 pm
by bladecatcher
G'day TG1,
Thanks for reply.
Not all things are obvious to us newbies
I've got "sessions" on my list to look at, I'll move it to the front, thx.
Any other things I should consider?
tia
bladecatcher
Posted: Wed Mar 16, 2005 3:59 pm
by infolock
basically, thegreatone just told you the best way to do this... it's not that hard really..
example :
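Code:
<?php
session_start();
// Assumes $db is an open mysqli connection (the connection code was not shown in the post).
if (!isset($_POST['username']) || !isset($_POST['password']))
{
    echo 'You must enter a username and password to login!';
    exit;
}
$uname = $_POST['username'];
$pass = $_POST['password'];
// Prepared statement: the username is bound as data, never concatenated into the SQL string.
$stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
$stmt->bind_param('s', $uname);
$stmt->execute();
$stmt->bind_result($hash);
// Assumes the password column holds a password_hash() value rather than the plain password.
if ($stmt->fetch() && password_verify($pass, $hash))
{
    session_regenerate_id(true); // fresh session id on login, against session fixation
    $_SESSION['passed'] = 'yes';
    echo 'You may now go to admin page by clicking <a href="mypage.php">this link</a>';
}
else
{
    echo 'User Not Found!';
    exit;
}
?>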
then in any page you want to verify that the user is legit before you want them to be allowed to view the page, do something like this:
Code:
<?php
session_start();
// isset() avoids an undefined-index warning when nobody has logged in yet
if (isset($_SESSION['passed']) && $_SESSION['passed'] === 'yes')
{
    echo 'You successfully logged on! Good job, now do your thing..';
}
else
{
    echo 'You are not authorized to view this page! ';
    exit;
}
?>
of course there are some tweaks you could make to make this a lot more secure, but that's a pretty quick and simple way ...
Posted: Wed Mar 16, 2005 5:43 pm
by thegreatone2176
that is the more advanced way but the easier way to do it if you aren't using a database is
Code:
<?php
session_start();
// empty() covers both "not set" and "blank" without undefined-index warnings
if (empty($_POST['pass']) && empty($_SESSION['user'])) {
    echo '<form action="" method="POST"><input type="text" name="pass"><input type="submit"></form>';
    die;
}
if (isset($_POST['pass'])) {
    // hash_equals() compares as strings in constant time, with no loose == type juggling
    if (hash_equals("password you want", (string) $_POST['pass'])) {
        $_SESSION['user'] = "OK";
    } else {
        echo "wrong pass";
        die;
    }
}
?>
then after that put whatever you wanted authed users to view
another Thanks
Posted: Sat Mar 19, 2005 12:21 am
by bladecatcher
Thank you both!
with your help I now have sessions working, very useful stuff.
cheers
bladecatcher