Members Area
I'm trying to set up a members page (http://www.painswickyfc.co.uk/client/members.htm) for my website and I would like to limit access to this based upon a username/password combination. From some quick Googling last week it looked as though using .htaccess seemed to be the most suggested method.
I have created a .htaccess file for my website located in the http://www.painswickyfc.co.uk/client directory which contains the following information:
AuthName "Painswick YFC Members Area"
AuthType Basic
AuthUserFile /home/painwick/
AuthGroupFile /dev/null
require valid-user
I have also placed a .htpasswd file in the directory above the public_html folder via the ftp server. This contains the information:
user : pass
When I attempt to access the members.htm, a user/pass dialog box appears asking for a username and password, but when I try to enter "user" and "pass", the dialog box reopens again as if the wrong user/pass combination is entered. After three attempts I receive an "Error 401" page. I can only assume that the .htaccess file is unable to find the .htpasswd file, although I cannot work out exactly what is wrong.
I would very much appreciate any information or suggestions anybody may have.
kb posted this at 19:44 — 10th May 2007.
He has: 1,380 posts
Joined: Feb 2002
First of all, I don't know where you got your information that .htaccess is the best method for user-authenticated access... but that's wrong. .htaccess files can easily be read, and the password files can be read as well. A server-side language is the preferred method, like PHP or Perl or ColdFusion, because they are more secure.
That being said, did you encode/hash your passwords? I know they have to be hashed, and I believe it's using md5 encryption. To do this, you can either Google an online application that will do it, or on Linux/Mac (I'm not sure about Windows) you can use the command line/terminal to run the md5 command.
pr0gr4mm3r posted this at 21:49 — 10th May 2007.
He has: 1,502 posts
Joined: Sep 2006
How can you read an .htpassword file when it's not in the web directory? Also, how can .htpassword files be read when Apache denies access to them?
kb posted this at 22:12 — 10th May 2007.
He has: 1,380 posts
Joined: Feb 2002
Well, I know of a few occasions where people have placed their .htpasswd file in a web directory. As for how they are read, I don't know that... I'm not of that status.
All I know is that it can be done, and has been.
All of that aside, I was trying to make a point that that method of user-authentication is rarely used any more for that kind of purpose.
pr0gr4mm3r posted this at 22:15 — 10th May 2007.
He has: 1,502 posts
Joined: Sep 2006
I use it without a problem. I know that there was a security issue with .htaccess & .htpasswd files generated by FrontPage, but that's all I know of.
Steevo posted this at 22:32 — 10th May 2007.
They have: 2 posts
Joined: May 2007
Thanks for the suggestions as to whether it's the best method or not. In my opinion, it has to be the best method as it's quick, secure and should be possible without learning any extra PHP, Perl etc.
Does anybody care to hazard a guess as to where the problem may lie?
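Added example, not part of the original thread and not posted by any participant: a small Python linter for the two things visible in the first post, an `AuthUserFile` value that ends at a directory and a password file entry written as `user : pass`. The function names and sample strings are constructed for illustration, and the hash patterns are a heuristic for the encodings Apache accepts on Unix-like hosts (bcrypt, apr1 MD5, `{SHA}`, crypt).

```python
import os
import re

# Heuristic shapes of the hash encodings Apache accepts on Unix-like hosts.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "apr1-md5": re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"),
    "sha1": re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
    "crypt": re.compile(r"^[./A-Za-z0-9]{13}$"),
}

def check_auth_user_file(path):
    """Problems with the path given to AuthUserFile (empty list = OK)."""
    if os.path.isdir(path):
        return ["AuthUserFile names a directory, not a password file"]
    if not os.path.isfile(path):
        return ["AuthUserFile target does not exist"]
    return []

def check_htpasswd_line(line):
    """Problems with one 'user:hash' entry (empty list = OK)."""
    entry = line.rstrip("\r\n")
    if ":" not in entry:
        return ["no ':' separator between user name and hash"]
    user, secret = entry.split(":", 1)
    problems = []
    if user != user.strip() or secret != secret.strip():
        problems.append("whitespace around ':' is read as part of the field")
    if not any(p.match(secret.strip()) for p in HASH_PATTERNS.values()):
        problems.append("password field is not a recognised hash (plaintext?)")
    return problems

def lint(auth_user_file):
    """Check the AuthUserFile target, then every entry in it."""
    problems = check_auth_user_file(auth_user_file)
    if problems:
        return problems
    with open(auth_user_file, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            if line.strip() and not line.startswith("#"):  # skip blanks, comments
                problems += [f"line {n}: {p}" for p in check_htpasswd_line(line)]
    return problems

if __name__ == "__main__":
    # Constructed samples: the entry from the post, then a well-formed
    # entry whose hash is a placeholder of the right shape, not a real hash.
    for sample in ["user : pass", "user:$apr1$abcdefgh$" + "A" * 22]:
        print(repr(sample), "->", check_htpasswd_line(sample) or "ok")
```

Entries that pass this check are normally produced with Apache's `htpasswd` utility rather than typed by hand.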