password script directs correct password to unsecure directory, HELP!
| 4:34 am on Oct 5, 2001 (gmt 0)|
I have a Perl password script and we are on a Unix server. The script asks for a password. Incorrect passwords are directed to the URL that you choose, and the same with correct passwords.
# Correct Password
$password = "bingo";
# URL to get if wrong password.
$wrongpass = "http://www.your site.com/page.html";
# URL to get if correct password.
$goodpass = "http://www.your site.com/cgi-bin/dirrectory/hiddenpage.html";
This works fine. The problem is that it does not secure the hidden page or any of the pages within the directory. Anyone can just type the URL, [your...] site.com/cgi-bin/dirrectory/hiddenpage.html, bypassing the password script.
If I chmod the permissions on the directory to 666, all pages within the directory are secure. However, the directory is also secure after the correct password is entered. The password script is located in the cgi-bin and is routing correct-password users UP to /directory/hiddenpage.html
I need to know if there is a way to fix this. Maybe 666 permissions are not the ticket. What gives, or what is another way to do this?
Thanks in advance, KG2RG
| 4:51 am on Oct 5, 2001 (gmt 0)|
Well, I hope you don't take this as my making a flippant remark, but the easiest way to fix it is to get a new script. You need a script that uses a method that forces the script to be run when the page you want to protect is loaded; it should then check if an active password is available (usually through cookies) and let the page load. If there is no current active password, then it should invoke the "enter password" routine to authenticate the request. Doing it this way avoids constantly asking for a password every time a protected page is requested in the same session by the same user.
The other alternative you have is to use .htaccess and .htpasswd. This method does not require a script (although some are available to make managing IDs and passwords easier). This method automatically maintains state, so that a user who has entered a password won't be asked again unless they close their browser and restart it.
Hope that helps.
| 4:44 am on Oct 6, 2001 (gmt 0)|
WOW, OK, I'm back with more questions. Thanks for pointing me in the right direction, AIR. I took that script I had and fed it to the dogs. I'm going big time on this one. I have created a new directory and it is secure through .htpasswd. I set up 2 usernames, each with their own passwords, via telnet. It works great.
Now I need some information on setting up multi-user password managing scripts. I have been browsing some CGI resource sites, and noticed a lot of free scripts that say they support multiple users with a full administrator area: able to add and/or delete users, able to give every user their own user name and password, administrate all through the browser. Does not protect directories, only manages an already existing .htpasswd system.
This sounds like it's what I need, but can someone explain this in more detail? How does it work? If you need to add 10 new members and all of them get their own user + passwd, does the script take the new codes and filter them through the existing username & password that I've already created? Or does it add every new user name & password code along with the ones that I already created?
One more question: I have one directory with the .htpasswd in it, and there are 2 usernames, each with their own passwords. How many users & passwords can I create via Telnet for that one directory? And how many directories can I .htpasswd on one server?
I hope you were able to follow me through my babbling. My web site does not require this, I just love the challenge and I am amazed that a dummy like myself can get this stuff to work.
| 3:50 pm on Oct 6, 2001 (gmt 0)|
Glad to hear you got it going.
>But can someone explain this in more detail? How does it work?
Most of those .htpasswd management scripts pretty much read the .htpasswd file, display what names you already have in it, and let you add new ones. If you add more userids, they get added in addition to what is already there. The other function these scripts perform is to encrypt the password, which you would have done through telnet and the standard command line for the two userids you have already added. Since there is no un-encrypt function, some also keep track of the password in a separate file (outside of .htpasswd) so you can see what the password was originally. That's pretty much the core of what they do. Some add additional bells and whistles like allowing a user to create their own ID or change their password, build mailing lists, mail out lost passwords, etc.
>How many users & passwords can I create via Telnet for that one directory?
You can create as many userids and passwords as you like.
>And how many directories can I .htpasswd on one server?
You can protect as many directories as you like. Just place the .htaccess file in the directory you want to protect. If you point the .htaccess file to the same .htpasswd file, then it will use the same userid & password list for authentication. If you want a different set of users to have access to this directory, then just create another .htpasswd file and point the .htaccess for this directory to that instead.
The one thing to remember is that .htaccess works for the directory you place it in and all directories below it, so if the directory you place it in has subdirectories, then those will be protected too; if you were to place it in your root, then your entire site would be password protected. If the system encounters another .htaccess file in one of the directories, then that directory and any subdirectories within it will follow that .htaccess' rules.
>I just love the challenge and I am amazed that a dummy like myself can get
>this stuff to work.
A dummy? I don't buy that for one minute, besides you now know more about .htaccess than most webmasters :)
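An added example, not code from the thread or from any of the scripts mentioned in it: a small Python .htpasswd manager that does what AIR describes above (read the existing file, add new userids alongside the ones already there, store only a one-way hash, verify a login by re-hashing). It uses Apache's {SHA} entry format; the user names, passwords and temporary file are constructed for the demo.

```python
# Constructed .htpasswd manager: entries are "user:{SHA}base64(sha1(password))",
# the format produced by "htpasswd -s". Apache also accepts bcrypt entries
# ("htpasswd -B"), which is the stronger choice; {SHA} is used here only
# because it needs nothing beyond the standard library.
import base64
import hashlib
import hmac
import os
import tempfile


def sha_entry(password: str) -> str:
    """Return the {SHA} digest string that .htpasswd stores for this password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def load_users(path: str) -> dict:
    """Parse .htpasswd into {user: digest}; a missing file is simply empty."""
    users = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and ":" in line:
                    user, digest = line.split(":", 1)
                    users[user] = digest
    return users


def add_user(path: str, user: str, password: str) -> dict:
    """Add (or reset) one user; every existing entry is written back unchanged."""
    if not user or ":" in user:
        raise ValueError("invalid user name")
    users = load_users(path)
    users[user] = sha_entry(password)          # only the hash goes on disk
    with open(path, "w", encoding="utf-8") as fh:
        for name, digest in users.items():
            fh.write(f"{name}:{digest}\n")
    return users


def check_password(path: str, user: str, password: str) -> bool:
    """Verify the way the server does: re-hash and compare, never 'decrypt'."""
    stored = load_users(path).get(user)
    return stored is not None and hmac.compare_digest(stored, sha_entry(password))


def demo() -> dict:
    """Constructed scenario: two hand-made entries, then one added by the script."""
    path = os.path.join(tempfile.mkdtemp(), ".htpasswd")
    add_user(path, "alice", "bingo")            # the two 'telnet-created' users
    add_user(path, "bob", "hunter2")
    add_user(path, "carol", "s3cret")           # new member, others untouched
    return {"users": sorted(load_users(path)),
            "carol_ok": check_password(path, "carol", "s3cret"),
            "carol_bad": check_password(path, "carol", "bingo"),
            "alice_ok": check_password(path, "alice", "bingo")}
```

Running demo() shows the new userid appended next to the existing two and a wrong password rejected.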
| 9:26 am on Oct 7, 2001 (gmt 0)|
By luck I came across this thread, and .htaccess may be the answer I was looking for.
I'll be supplying confidential reports for clients on a once-off basis, and can't expect them to download PGP if they don't already have it.
The obvious alternative is have them download the report from a PW protected directory on the website.
Let me say I know nothing on .htaccess....yet.
So a few questions if I may: 1. Are there any good tutorials on this subject? 2. Is .htaccess generally available as a tool/service on hosting packages?
3. Can SSL be used in conjunction for securing downloads?
| 12:37 pm on Oct 8, 2001 (gmt 0)|
AIR, sorry about the untimely response. I read your response while I was headed out the door to south NJ for a day of fishing on a charter boat. My wife and I caught over 50 fish and now I must find a Perl script capable of executing the cleaning-of-the-fish process.
Thank you, AIR, for the kind words as well as the help on this. I do not have any questions left; your answers have been accurate and explanatory.
I will now look at a few .htaccess management scripts and incorporate one into my existing .htaccess system. There is still one more problem, I do not have any secret content to secure, ha ha ha.
After I get this one done, I think I will want to learn and fool around with COOKIES. They go good with milk.
Hi glengara, I am not qualified to give you any info on this, but I can say that .htaccess is worth investing your time in. And the return on your investment is priceless. Good luck.
| 11:37 pm on Oct 8, 2001 (gmt 0)|
>So a few questions if I may: 1. Are there any good tutorials on this subject?
>2. Is .htaccess generally available as a tool/service on hosting packages?
>3. Can SSL be used in conjunction for securing downloads?
1. Do a search at Google for ".htaccess tutorial" and you'll find lots of them.
2. .htaccess is generally available on all Apache server accounts. Ask your host or prospective host to be sure.
3. SSL can be used as long as no redirection takes place.
| 11:40 pm on Oct 8, 2001 (gmt 0)|
>now I must find a Perl script capable of executing the cleaning-of-the-fish process
*LOL* good one.
| 6:57 am on Oct 9, 2001 (gmt 0)|
Thanks guys, came across what seems a good tutorial on this here.