Forum Moderators: brotherhood of lan & mack

Apache AuthBasic Letting more than 1 user in

     
6:09 am on Jan 6, 2009 (gmt 0)

New User

10+ Year Member

joined:Feb 20, 2004
posts: 26
votes: 0


Hi - I just reread [httpd.apache.org...]
Apache Authentication, Authorization, and Access.

When one uses Auth Basic it says -
"The directives above only let one person (specifically someone with a username of rbowen) into the directory. In most cases, you'll want to let more than one person in. This is where the AuthGroupFile comes in."

1. I understand that the directory is protected with a userid of rbowen, and a password, and that if one does not set up a group file then only that userid and password can log in.

It does not say if this userid/password can be used at the same time, by multiple people to login to the directory during the same time period? (That is, the directory is protected - and everyone is using the same userid/password & people don't have individual logins.) Is this true?

OR, another possibility - if person A is logged in with rbowen, then no-one else can login with rbowen until Person A logs out?

Which one is true?

thnx

deb

8:58 pm on Jan 6, 2009 (gmt 0)

New User

5+ Year Member

joined:Aug 11, 2008
posts:5
votes: 0


The credentials are sent with every http request, so there isn't really a "log in" involved. Multiple users can use the same log-in credentials at the same time.

bakerboy

10:09 pm on Jan 7, 2009 (gmt 0)

New User

10+ Year Member

joined:Feb 20, 2004
posts: 26
votes: 0


Reply, thank you for the answer.

If I go forward, as stated in the Apache documentation and set up a group file ---

1. for 300 persons that I want to give the following ability to: click on emailed URLs so that they can view documents residing in the directory that I have protected with my .htaccess file.

2. I would set it up (I have to go back and look at the Apache auth doc) - but I think it would be with a userid / passwd, individually for all the people, rather than all of them using the rbowen login credential.

3. Can I assume based on how you mentioned 'login credential' that each person becomes 'authorized' via being able to enter their userid and passwd - to view the file, copy it off, print it (whatever).

3. However, since these people never went through an 'authentication' procedure, such as a 'login' to the unix side, they are not 'unique'.
That is, even with a group file containing credentials for 300 persons; there can still be 2 Deb's authorized at the same time to view the file. (Just like there could have been multiple 'rbowen's viewing the file.)

thanx again.

Deb

If one set up a group file for let's say 300 potential users - these users don't reside in the unix passwd file - because they don't interact with the machine in that fashion. I want to

10:13 pm on Jan 7, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0


Is there a reason you don't want to use a cookie based auth system?

[edited by: Demaestro at 10:14 pm (utc) on Jan. 7, 2009]

10:45 pm on Jan 7, 2009 (gmt 0)

New User

10+ Year Member

joined:Feb 20, 2004
posts: 26
votes: 0


From my days as a unix admin, I 'think' ;-) I have some 'clue' about controlling a directory. I don't have as much html programming, web development experience. I currently have no idea how to program a cookie into a web page. I sort of go in the direction I have some inkling about. Is a cookie something I program in - or is it something I ask Apache to implement for a web page? Are cookies used for basic html/css type pages - no sql - no php, etc.

Are you saying something like - Deb tries to view the file - gets authorized via apache - then I get a cookie - therefore I can become a unique Deb?

Did that make sense?

3:27 am on Jan 8, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0


Deb,

A cookie based system would require some coding outside of Apache with some server side scripting like PHP or Python.

There is nothing wrong with a basic auth system, it is just when you have several users it is easier to manage and track all the activity of a logged in user if you use cookies.

Basically it would go like this....

Deb goes to an HTML login page, after a correct login your login method would set a cookie with a unique username. Then Deb requests a file from a private directory only accessible by a PHP/Python method. That method checks for the cookie and verifies the cookie, then fetches the file. So Deb would never actually get access to that directory, but a method with access to that directory can serve the files.
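
The flow described in the post above, sketched in Python as an added example that is not part of the original thread or any poster's code. The function names, the `user|issued|signature` cookie layout and the one-hour lifetime are assumptions made for illustration; the cookie is HMAC-signed so a client cannot simply edit the username in it.

```python
import hashlib
import hmac
import os
import time
from pathlib import Path

SECRET = os.urandom(32)   # signing key, assumed to stay on the server only
MAX_AGE = 3600            # cookie lifetime in seconds (assumed value)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(username, now=None):
    """Called by the login method after a correct login."""
    if "|" in username:
        raise ValueError("separator not allowed in username")
    issued = int(time.time() if now is None else now)
    payload = f"{username}|{issued}"
    return f"{payload}|{_sign(payload)}"

def verify_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and fresh, else None."""
    try:
        username, issued, sig = cookie.split("|")
        age = (time.time() if now is None else now) - int(issued)
    except ValueError:
        return None                      # malformed cookie
    expected = _sign(f"{username}|{issued}")
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return username if 0 <= age <= MAX_AGE else None

def fetch_file(private_dir, cookie, name, now=None):
    """Serve a file from private_dir only to the holder of a valid cookie."""
    user = verify_cookie(cookie, now)
    if user is None:
        raise PermissionError("invalid or expired cookie")
    root = Path(private_dir).resolve()
    target = (root / name).resolve()
    if root not in target.parents:       # refuse ../ escapes from the directory
        raise PermissionError("path outside private directory")
    return user, target.read_bytes()     # user is returned so access can be logged
```

The private directory should sit outside the web server's document root so that the only route to its files is through `fetch_file`.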
