Protecting certain pages of a website

Posted on 2008-10-19
Last Modified: 2012-05-05
Is using the Host provided password protection for folders secure enough and an overall good solution to protect certain pages of a website?
Question by:shinnmill
LVL 35

Expert Comment

ID: 22753037
If what you mean by "host provided protection" is htaccess protection, then yes:
this is not only secure enough, this is the best protection available.
LVL 35

Accepted Solution

torimar earned 250 total points
ID: 22753092
You can check whether or not you get .htaccess protection by following these steps:

- protect one of your directories as a test
- FTP to your site
- browse to the protected directory
- check whether there is a file called .htaccess
- if yes, open it for viewing
- check whether it contains a line beginning with "AuthUserFile" and ending in ".htpasswd"

If this is the case, then your files are .htaccess protected.

Author Comment

ID: 22754053
Thanks Torimar.  I did the test and do see the .htaccess file and it has the line

AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirectory/passwd"

where mysite and mydirectory have been modified for this example.

Does it matter that mine ends with "passwd" as opposed to ".htpasswd" as you said?

Also, when I test logging in on IE, it says

"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)"

Does that indeed mean that this method is insecure? If so, how can I make it secure?

Thanks again for your help.

LVL 35

Expert Comment

ID: 22754183
This is ok, it doesn't matter that your AuthUserFile looks a bit different.

As to the "insecure manner": Well, basic authentication is as good a password protection as you can get without using SSL.
If a criminal hacker tries to intercept you or your users when accessing the page by sniffing your network traffic, then he would be able to find out the user password.
The only way to make this completely impossible would be to turn your whole site into a secure SSL site that performs traffic via https, not http pages. But your host must provide SSL as an option.
If your provider has a user support forum, your best bet would be to ask about SSL there. If your host has no such forum, but you receive an answer from their support staff telling you that SSL is supported, you might want to try the following:

Look for the .htaccess file in your site's root directory and add the following lines to it:

# www.example.com is a placeholder; use your own domain
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
LVL 35

Expert Comment

ID: 22754188

Of course, you must replace "" in the above snippet by the real name of your domain.
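
Added example, not code from the thread or from any participant: a small Python audit that shows why the browser warns about Basic authentication (the header is only base64-encoded) and checks a protected directory's .htaccess together with the site's root .htaccess for the two points discussed above, the AuthUserFile location and whether plain http is redirected or refused. The function names, the www.example.com domain, the document root and the alice credentials are constructed for the example.

```python
import base64
import re

def decode_basic_header(value):
    # The token is plain base64 of "user:password"; nothing is encrypted.
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, pw

def directives(text):
    # Yield (lower-cased name, argument string) per non-comment line.
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name.lower(), args.strip()

def forces_https(text):
    # True if plain-http requests are refused (SSLRequireSSL) or redirected.
    for name, args in directives(text):
        if name == "sslrequiressl":
            return True
        if name == "rewriterule" and re.search(r"\shttps://\S+\s+\[[^\]]*\bR\b", args):
            return True
    return False

def audit(protected, root, docroot):
    # Findings for a Basic-auth directory plus the site's root .htaccess.
    conf = dict(directives(protected))
    if conf.get("authtype", "").lower() != "basic":
        return []
    findings = []
    pwfile = conf.get("authuserfile", "").strip('"')
    if pwfile.startswith(docroot.rstrip("/") + "/"):
        findings.append("password file inside document root")
    if not (forces_https(protected) or forces_https(root)):
        findings.append("Basic credentials can travel over plain http")
    return findings

# Constructed sample input (placeholder paths, domain and credentials).
DOCROOT = "/home2/mysite/public_html"
PROTECTED = ('AuthType Basic\nAuthName "Members"\n'
             'AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirectory/passwd"\n'
             'Require valid-user\n')
ROOT_FIXED = ('RewriteEngine On\nRewriteCond %{SERVER_PORT} 80\n'
              'RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]\n')
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
```

`audit(PROTECTED, "", DOCROOT)` reports the plain-http finding, and `audit(PROTECTED, ROOT_FIXED, DOCROOT)` reports nothing. SSLRequireSSL in the protected directory's own .htaccess refuses plain-http requests outright, whereas a redirect in the root file may only run after the password prompt has already been answered over http.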

Author Comment

ID: 22788779
Thanks torimar.

You've been a great help on this issue.

Before I close this question and award the points, one last question:

What's the best method to "remember" user's login credentials? How long of a "remember" period is desirable?

Thanks again
LVL 35

Expert Comment

ID: 22791077
In general, the automatic re-login ("remembering") will depend entirely on your site's security context: if you deal with delicate personal or financial data, there should be no remembering at all; if, on the other hand, you host a hidden forum where users visit and contribute many times a day, then a permanent auto-relogin will be a practical service.

But these considerations don't apply to the present case, as there is no way in basic authentication (none that I'd be aware of) to configure password remembrance on the server side, i.e. as the host. When you browse to a protected page/folder and you can set a check mark to remember your login details, then this is completely client-side, i.e. it's your browser who offers you to do so.
Thus it will be up to your users, not you, to decide whether or not they want their credentials to be remembered; if they decide they want to, then I guess the login information will be stored for as long as it is not deleted out of the browser's password management database.
