| Apache AuthBasic Letting more than 1 user in
|
Debb

msg:3820027 | 6:09 am on Jan 6, 2009 (gmt 0) | Hi - I just reread [httpd.apache.org...] Apache Authentication, Authorization, and Access. When one uses Auth Basic it says - "The directives above only let one person (specifically someone with a username of rbowen) into the directory. In most cases, you'll want to let more than one person in. This is where the AuthGroupFile comes in." 1. I understand that the directory is protected with a userid of rbowen, and a password, and that if one does not set up a group file then only that userid and password can log in. It does not say if this userid/password can be used at the same time, by multiple people to login to the directory during the same time period? (That is, the directory is protected - and everyone is using the same userid/password & people don't have individual logins.) Is this true? OR, another possibility - if person A is logged in with rbowen, then no-one else can login with rbowen until the Person A logs out? Which one is true? thnx deb
|
bakerboy

msg:3820499 | 8:58 pm on Jan 6, 2009 (gmt 0) | The credentials are sent with every http request, so there isn't really a "log in" involved. Multiple users can use the same log-in credentials at the same time. bakerboy
|
Debb

msg:3821435 | 10:09 pm on Jan 7, 2009 (gmt 0) | Reply, thank you for the answer. If I go forward, as stated in the Apache documentation and set up a group file --- 1. for 300 persons that I want to give the following ability to: click on emailed URLs so that they can view documents residing in the directory that I have protected with my .htaccess file. 2. I would set it up (I have to go back and look at the Apache auth doc) - but I think it would be with a userid / passwd, individually for all the people, rather than all of them using the rbowen login credential. 3. Can I assume based on how you mentioned 'login credential' that each person becomes 'authorized' via being able to enter their userid and passwd - to view the file, copy it off, print it (whatever). 3. However, since these people never went through an 'authentication' procedure, such as a 'login' to the unix side, they are not 'unique'. That is, even with a group file containing credentials for 300 persons; there can still be 2 Deb's authorized at the same time to view the file. (Just like there could have been multiple 'rbowen's viewing the file.) thanx again. Deb If one set up a group file for let's say 300 potential users - these users don't reside in the unix passwd file - because they don't interact with the machine in that fashion. I want to
|
Demaestro

msg:3821448 | 10:13 pm on Jan 7, 2009 (gmt 0) | Is there a reason you don't want to use a cookie based auth system? [edited by: Demaestro at 10:14 pm (utc) on Jan. 7, 2009]
|
Debb

msg:3821480 | 10:45 pm on Jan 7, 2009 (gmt 0) | From my days as a unix admin, I 'think' ;-) I have some 'clue' about controlling a directory. I don't have as much html programming, web development experience. I currently have no idea how to program a cookie into a web page. I sort of go in the direction I have some inkling about. Is a cookie something I program in - or is it something I ask Apache to implement for a web page? Are cookies used for basic html/css type pages - no sql - no php, etc. Are you saying something like - Deb tries to view the file - gets authorized via apache - then I get a cookie - therefore I can become a unique Deb? Did that make sense?
|
Demaestro

msg:3821611 | 3:27 am on Jan 8, 2009 (gmt 0) | Deb, A cookie based system would require some coding outside of Apache with some server side scripting like PHP or Python. There is nothing wrong with a basic auth system, it is just when you have several users it is easier to manage and track all the activity of a logged in user if you use cookies. Basically it would go like this.... Deb goes to an HTML login page, after a correct login your login method would set a cookie with a unique username. Then Deb requests a file from a private directory only accessible by a PHP/Python method. That method checks for the cookie and verifies the cookie, then fetches the file. So Deb would never actually get access to that directory, but a method with access to that directory can serve the files.
|
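The cookie flow described in the last post, sketched in Python as an added example that is not part of the original thread or any poster's code. The names `SECRET_KEY`, `PRIVATE_ROOT`, `MAX_AGE` and all function names are assumptions made for illustration; the cookie is HMAC-signed so the server-side method can verify it, and the requested path is confined to the private directory.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
PRIVATE_ROOT = "/srv/private-docs"    # hypothetical directory outside the web root
MAX_AGE = 3600                        # seconds a login cookie stays valid

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_cookie(username, now=None):
    """Called only after a correct login: returns 'b64(user|issued).signature'."""
    issued = int(time.time() if now is None else now)
    payload = base64.urlsafe_b64encode(f"{username}|{issued}".encode())
    return f"{payload.decode()}.{_sign(payload)}"

def verify_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and fresh, else None."""
    try:
        payload_b64, sig = cookie.split(".", 1)
        payload = payload_b64.encode()
        # Constant-time comparison; a cookie edited by the client fails here.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        username, issued = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
        age = (time.time() if now is None else now) - int(issued)
    except ValueError:  # malformed cookie, bad base64, bad UTF-8, bad timestamp
        return None
    return username if 0 <= age <= MAX_AGE else None

def resolve_document(cookie, requested, now=None):
    """Return (username, absolute path) for an allowed request, else None."""
    username = verify_cookie(cookie, now)
    if username is None:
        return None
    root = os.path.realpath(PRIVATE_ROOT)
    path = os.path.realpath(os.path.join(root, requested))
    # Refuse any request that resolves outside the private directory.
    if os.path.commonpath([root, path]) != root:
        return None
    return username, path  # the caller logs username and streams the file
```

Because each request carries a verified username, per-user activity can be logged, which is the tracking benefit mentioned in the post.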