Directory password protection broke
Posted: Wed Jun 23, 2010 9:04 pm
by rhecker
I created a CMS for a client and password protected the administration directory using an applet my shared webhost (network solutions) provides for managing password access to directories. For the most part this has worked fine, but a couple of times the password protection has simply disappeared, and I can't reactivate it myself. I have to ask the webhost staff to fix it. The fact that the "locked door" became inexplicably unlocked is not acceptable, so I am looking for the best alternate solution for protecting a single directory.
I can't use the apache htpasswd because I don't have that level of access. I assume that the applet networksolutions provides is like a graphical interface for htpasswd.
Would it be better to use sessions in the php files? I know there are several options for doing this, so I am asking what people consider the best as far as both security and manageability.
Thanks
Re: Directory password protection broke
Posted: Thu Jun 24, 2010 12:29 pm
by phpnewbie_101
Hi,
This is a fairly trivial question so hopefully I can answer (even though I am a newbie).
First, are you sure that the "password protection disappears"? See
http://en.wikipedia.org/wiki/Basic_acce ... entication disadvantages section. I use Firefox normally, then when I want to test if HTTP Auth is really working I start up IE just to see if the password prompt really appears. Or I use a Firefox plugin to clear the cache.
Second, since you are asking about PHP sessions I am assuming you do not know much about them. All that can be said about them in one sentence is: if you don't know much about them, don't use them, because it is insecure and it will take months for you to learn enough to make even a semi-secure application. For example, to ensure a sufficiently random session identifier to prevent session hijacking, you need low-level access to php.ini (which I assume you do not have since you can't even get .htpasswd working) or truly random devices like /dev/random (which again you don't have). That is only one problem of many which exist using sessions, especially on a shared webhost. Also, sessions are for keeping state between pages. So yes, they can be used to password protect a directory, but it is a poor return on time investment, unless you want to recode the entire application to use sessions.
Hope it helps!
Re: Directory password protection broke
Posted: Fri Jun 25, 2010 11:15 am
by rhecker
Thanks for your response.
Yes, the password protection really does disappear. It isn't a browser issue. And someone actually got in and did damage.
Because my shared hosting account allows multiple php.ini files, I do have access to it. I can also put files below the root, of course.
I use sessions to manage language choice on my multi-language websites. Besides sessions and the server password option that isn't really working, I'm not sure what options there are. That's why I'm asking the question.
Re: Directory password protection broke
Posted: Fri Jun 25, 2010 1:12 pm
by kaisellgren
I don't know what that applet is, but can't you protect your administration area with PHP or at least create a .htaccess with BasicAuth?
Re: Directory password protection broke
Posted: Fri Jun 25, 2010 2:36 pm
by rhecker
I didn't realize that I could run htpasswd on my local webserver and upload the resulting file to the shared host. Since the webhost provided an applet to create directory protection, I just always used that. So I'm glad to have control over this myself.
Thanks for the responses.
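
Added example, not part of the thread or written by any of its posters: a small check, suitable for a cron job, that requests the protected directory without credentials and reports when the server stops answering with an HTTP authentication challenge, which is the silent failure described in the first post. The URL and the verdict names are placeholders chosen for this example.

```python
"""Added example: alert when an HTTP-auth-protected directory stops challenging."""
import sys
import urllib.error
import urllib.request

# Placeholder URL (assumption): replace with the real administration directory.
DEFAULT_URL = "https://example.com/admin/"


def classify(status, www_authenticate):
    """Turn the response to an unauthenticated request into a verdict."""
    scheme = (www_authenticate or "").split(" ", 1)[0].lower()
    if status == 401 and scheme in ("basic", "digest"):
        return "protected"      # server demanded credentials, as intended
    if 200 <= status < 300:
        return "unprotected"    # content served without any challenge
    # 401 without a usable challenge, 403, 404, 5xx: not proof either way.
    return "unknown"


def check(url, timeout=10):
    """Fetch url with no credentials and classify the final response."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("WWW-Authenticate"))
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; a 401 arrives here with its headers.
        return classify(err.code, err.headers.get("WWW-Authenticate"))
    except OSError:
        return "unknown"        # DNS failure, timeout, refused connection


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    verdict = check(target)
    print(f"{target}: {verdict}")
    # Non-zero exit lets cron or a monitoring wrapper raise the alarm.
    sys.exit({"protected": 0, "unknown": 1, "unprotected": 2}[verdict])
```

Because the request carries no stored credentials or browser cache, it also settles the cached-login question raised in the second post.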