SAMPLE:
##############################
# Correct Password
$password = "bingo";
# URL to get if wrong password.
$wrongpass = "http://www.your site.com/page.html";
# URL to get if correct password.
$goodpass = "http://www.your site.com/cgi-bin/dirrectory/hiddenpage.html";
##############################
This works fine. The problem is that it does not secure the hidden page or any of the pages within the directory. Anyone can just type the URL, [your...] site.com/cgi-bin/dirrectory/hiddenpage.html, bypassing the password script.
If I chmod permissions on the directory to 666, all pages within the directory are secure. However, the directory is also secure after the correct password is entered. The password script is located in the cgi-bin and is routing correct password users UP to /directory/hiddenpage.html
I need to know if there is a way to fix this. Maybe 666 permissions are not the ticket. What gives, or what is another way to do this?
Thanks in advance, KG2RG
The other alternative you have is to use .htaccess and .htpasswd. This method does not require a script (although some are available to make managing IDs and passwords easier). This method automatically maintains state, so that a user who has entered a password won't be asked again unless they close their browser and restart it.
Hope that helps.
Now I need some information on setting up multi-user password managing scripts. I have been browsing some CGI resource sites, and noticed a lot of free scripts that say the scripts support multiple users with a full administrator's area. Able to add and/or delete users. Able to give every user their own username and password. Administrate all through the browser. Does not protect directories, only manages an already existing .htpasswd system.
This sounds like it's what I need, but can someone explain this in more detail? How does it work? If you need to add 10 new members and all of them get their own user + passwd, does the script take the new codes and filter them through the existing username & password that I've already created? Or does it add every new username & password code along with the one that I already created?
One more question, I have one directory with the .htpasswd in it. And there are 2 usernames, each with their own passwords. How many users&passwords can I create via Telnet for that one directory? And how many directories can I .htpasswd on one server?
I hope you were able to follow me through my babbling. My web site does not require this, I just love the challenge and I am amazed that a dummy like myself can get this stuff to work.
KH2RG
>But can someone explain this in more detail? How does it work?
Most of those .htpasswd management scripts pretty much read the .htpasswd file, display what names you already have in it, and let you add new ones. If you add more userids they get added in addition to what is already there. The other function these scripts perform is to encrypt the password, which you would have done through telnet and the standard command line for the two userids you have already added. Since there is no un-encrypt function, some also keep track of the password in a separate file (outside of .htpasswd) so you can see what the password was originally. That's pretty much the core of what they do. Some add additional bells and whistles like allowing a user to create their own ID or change their password, build mailing lists, mail out lost passwords, etc.
>How many users&passwords can I create via Telnet for that one directory?
You can create as many userids and passwords as you like.
>And how many directories can I .htpasswd on one server?
You can protect as many directories as you like. Just place the .htaccess file in the directory you want to protect. If you point the .htaccess file to the same .htpasswd file then it will use the same userid & password list for authentication. If you want a different set of users to have access to this directory then just create another .htpasswd file and point .htaccess for this directory to that instead.
The one thing to remember is that .htaccess works for the directory you place it in and all directories below it, so if the directory you place it in has subdirectories, then those will be protected too. If you were to place it in your root then your entire site would be password protected. If the system encounters another .htaccess file in one of the directories then that directory and any subdirectories within it will follow that .htaccess' rules.
>I just love the challenge and I am amazed that a dummy like myself can get
>this stuff to work.
A dummy? I don't buy that for one minute, besides you now know more about .htaccess than most webmasters :)
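The inheritance rule described in the reply above, as an added example that is not part of the original thread: a small audit that walks a document root and reports which .htpasswd file is in force for each directory. It is a simplified model that reads only `AuthUserFile` and `Require` from .htaccess files and ignores the main server configuration; the directory names and password-file paths are constructed.

```python
import os
import tempfile

def read_auth(htaccess_path):
    """Return the AuthUserFile / Require settings found in one .htaccess file."""
    found = {}
    with open(htaccess_path) as fh:
        for line in fh:
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                key = parts[0].lower()
                if key in ("authuserfile", "require"):
                    found[key] = parts[1].strip().strip('"')
    return found

def effective_auth(docroot, inherited=None, rel="."):
    """Map each directory under docroot to the settings in force there."""
    settings = dict(inherited or {})          # start from the parent's rules
    here = os.path.join(docroot, rel)
    ht = os.path.join(here, ".htaccess")
    if os.path.isfile(ht):
        settings.update(read_auth(ht))        # a deeper file overrides the parent
    result = {os.path.normpath(rel): settings}
    for name in sorted(os.listdir(here)):
        if os.path.isdir(os.path.join(here, name)):
            result.update(effective_auth(docroot, settings, os.path.join(rel, name)))
    return result

def build_sample_tree():
    """Constructed docroot: members/ is protected, members/staff has its own list."""
    root = tempfile.mkdtemp()
    for d in ("public", "members/reports", "members/staff"):
        os.makedirs(os.path.join(root, d))
    rules = {  # hypothetical password files, kept outside the web root
        "members": "/home/example/.htpasswd",
        "members/staff": "/home/example/.htpasswd-staff",
    }
    for d, pwfile in rules.items():
        with open(os.path.join(root, d, ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "Members"\n'
                     f"AuthUserFile {pwfile}\nRequire valid-user\n")
    return root

if __name__ == "__main__":
    for path, s in sorted(effective_auth(build_sample_tree()).items()):
        print(f"{path:18} {s.get('authuserfile', 'UNPROTECTED')}")
```

Directories that print as UNPROTECTED have no .htaccess above them that names a password file, which is the situation the original redirect script left the hidden page in.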
I'll be supplying confidential reports for clients on a once-off basis, and can't expect them to download PGP if they don't already have it.
The obvious alternative is have them download the report from a PW protected directory on the website.
Let me say I know nothing on .htaccess....yet.
So a few questions if I may:
1. Are there any good tutorials on this subject?
2. Is .htaccess generally available as a tool/service on hosting packages?
3. Can SSL be used in conjunction for securing downloads?
Thank you, AIR, for the kind words as well as the help on this. I do not have any questions left, your answers have been accurate and explanatory.
I will now look at a few .htaccess management scripts and incorporate one into my existing .htaccess system. There is still one more problem, I do not have any secret content to secure, ha ha ha.
After I get this one done, I think I will want to learn and fool around with COOKIES. They go good with milk.
Hi glengara, I am not qualified to give you any info on this, but I can say that .htaccess is worth investing your time in. And the return on your investment is priceless. Good luck.
>So a few questions if I may, 1. are there any good tutorials on this subject?
>2. is .htaccess generally available as a tool/service on hosting packages?
>3.Can SSL be used in conjunction for securing downloads?
1. Do a search at Google for .htaccess tutorial; you'll find lots of them.
2. .htaccess is generally available on all Apache server accounts. Ask your host or prospective host to be sure.
3. SSL can be used as long as no redirection takes place.