Directory password protection broke



rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Directory password protection broke

Post by rhecker »

I created a CMS for a client and password protected the administration directory using an applet my shared webhost (Network Solutions) provides for managing password access to directories. For the most part this has worked fine, but a couple of times the password protection has simply disappeared, and I can't reactivate it myself. I have to ask the webhost staff to fix it. The fact that the "locked door" became inexplicably unlocked is not acceptable, so I am looking for the best alternate solution for protecting a single directory.

I can't use the apache htpasswd because I don't have that level of access. I assume that the applet networksolutions provides is like a graphical interface for htpasswd.

Would it be better to use sessions in the PHP files? I know there are several options for doing this, so I am asking what people consider the best as far as both security and manageability.

Thanks
phpnewbie_101
Forum Newbie
Posts: 5
Joined: Fri Jun 18, 2010 1:09 pm

Re: Directory password protection broke

Post by phpnewbie_101 »

Hi,

This is a fairly trivial question, so hopefully I can answer (even though I am a newbie).

First, are you sure that the "password protection disappears"? See http://en.wikipedia.org/wiki/Basic_acce ... entication, disadvantages section. I use Firefox normally, then when I want to test if HTTP Auth is really working I start up IE just to see if the password prompt really appears. Or I use a Firefox plugin to clear the cache.

Second, since you are asking about PHP sessions, I am assuming you do not know much about them. All that can be said about them in one sentence is: if you don't know much about them, don't use them, because it is insecure and it will take months for you to learn enough to make even a semi-secure application. For example, to ensure a sufficiently random session identifier to prevent session hijacking, you need low-level access to php.ini (which I assume you do not have, since you can't even get .htpasswd working) or truly random devices like /dev/random (which again you don't have). That is only one of many problems which exist when using sessions, especially on a shared webhost. Also, sessions are for keeping state between pages. So yes, they can be used to password protect a directory, but it is a poor return on time investment, unless you want to recode the entire application to use sessions.

Hope it helps!
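The reply above points at the two things that make a session-based guard risky: weak session-id handling and the work needed to wire it into every page. As an added example that is not code from the thread or from any poster, the script below shows what a minimal hardened guard for a single admin directory looks like in modern PHP (7.2 or later). Everything in it is hypothetical: the file name `admin/auth.php`, the `$ADMIN_USERS` list, the 30-minute idle timeout and the form markup are assumptions, not anything the thread describes.

```php
<?php
// Added example, not code from the thread: a session-based guard for a single
// admin directory. Save as admin/auth.php and `require` it at the top of every
// admin script. Assumes PHP 7.2+ and that $ADMIN_USERS holds hashes produced by
// password_hash() on a trusted machine (all names here are hypothetical).
declare(strict_types=1);

// Session hardening that the reply above says needs php.ini access; with a
// per-directory php.ini, or ini_set() before session_start(), it is per script.
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.use_only_cookies', '1');  // never read the id from the URL
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
ini_set('session.cookie_samesite', 'Strict');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1'); // send the cookie over TLS only
}
session_start();

// Hypothetical user list: username => output of password_hash().
$ADMIN_USERS = [
    'admin' => '$2y$10$REPLACE_WITH_HASH_FROM_password_hash',
];
const SESSION_LIFETIME = 1800; // seconds of inactivity before a new login is required

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function attempt_login(array $users, string $name, string $password): bool
{
    // Verify against a real hash even for unknown users so that response time
    // does not reveal which usernames exist.
    $hash = $users[$name] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!isset($users[$name]) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // fresh id on privilege change (anti-fixation)
    $_SESSION['admin_user'] = $name;
    $_SESSION['last_seen']  = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function require_login(array $users): string
{
    // Expire idle sessions instead of trusting a cookie forever.
    if (isset($_SESSION['admin_user'])
        && time() - ($_SESSION['last_seen'] ?? 0) > SESSION_LIFETIME) {
        logout();
        session_start();
    }
    if (isset($_SESSION['admin_user'])) {
        $_SESSION['last_seen'] = time();
        return $_SESSION['admin_user'];
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && hash_equals(csrf_token(), (string)($_POST['csrf'] ?? ''))
        && attempt_login($users, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
        // Redirect after POST so a page refresh does not resubmit the credentials.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    http_response_code(401);
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . 'User <input name="user"> Password <input type="password" name="pass"> '
       . '<button>Log in</button></form>';
    exit;
}

$admin = require_login($ADMIN_USERS);
```

The guard only protects scripts that `require` it, which is the "recode the application" cost the reply mentions; files that are served directly (uploads, backups, includes) are not covered and still need server-side protection such as keeping them below the document root. The `session_regenerate_id(true)` call on login and `session.use_strict_mode` together address the fixation and weak-id concerns raised above without touching the global php.ini.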
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Directory password protection broke

Post by rhecker »

Thanks for your response.

Yes, the password protection really does disappear. It isn't a browser issue. And someone actually got in and did damage.

Because my shared hosting account allows multiple php.ini files, I do have access to it. I can also put files below the root, of course.

I use sessions to manage language choice on my multi-language websites. Besides sessions and the server password option that isn't really working, I'm not sure what options there are. That's why I'm asking the question.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Directory password protection broke

Post by kaisellgren »

I don't know what that applet is, but can't you protect your administration area with PHP or at least create a .htaccess with BasicAuth?
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Directory password protection broke

Post by rhecker »

I didn't realize that I could run htpasswd on my local webserver and upload the resulting file to the shared host. Since the webhost provided an applet to create directory protection, I just always used that. So I'm glad to have control over this myself.

Thanks for the responses.