Protecting certain pages of a website

Posted on 2008-10-19
Last Modified: 2012-05-05
Is using the Host provided password protection for folders secure enough and an overall good solution to protect certain pages of a website?
Question by:shinnmill
LVL 35

Expert Comment

ID: 22753037
If what you mean by "host provided protection" is htaccess protection, then yes:
this is not only secure enough, this is the best protection available.
LVL 35

Accepted Solution

torimar earned 250 total points
ID: 22753092
You can check whether or not you get .htaccess protection by following these steps:

- protect one of your directories as a test
- FTP to your site
- browse to the protected directory
- check whether there is a file called .htaccess
- if yes, open it for viewing
- check whether it contains a line beginning with "AuthUserFile" and ending on ".htpasswd"

If this is the case, then your files are .htaccess protected.
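The manual check in the steps above can be scripted. The following is an added example, not code from the original posts: it parses a `.htaccess` file, confirms the Basic-auth directives are present, and also checks that the password file sits outside the web-served directory. The sample file content, the `audit` and `parse_directives` names, and the web root path are assumptions constructed for illustration.

```python
import posixpath
import shlex

# Constructed sample modelled on a shared-hosting layout; not a real site.
SAMPLE_HTACCESS = '''\
AuthType Basic
AuthName "Members"
AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirectory/passwd"
Require valid-user
'''

def parse_directives(text):
    """Return {lowercased directive: [args]} for a flat .htaccess file."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <Files>/<IfModule> tags
        parts = shlex.split(line)  # handles the quoted AuthUserFile path
        directives[parts[0].lower()] = parts[1:]
    return directives

def audit(text, web_root):
    """List findings for a Basic-auth .htaccess; web_root is an assumption."""
    d = parse_directives(text)
    findings = []
    if (d.get("authtype") or [""])[0].lower() != "basic":
        findings.append("no 'AuthType Basic' line")
    if "require" not in d:
        findings.append("no Require line, so no login is enforced")
    user_file = (d.get("authuserfile") or [""])[0]
    if not user_file:
        findings.append("no AuthUserFile line")
    else:
        path = posixpath.normpath(user_file)
        root = posixpath.normpath(web_root)
        # A password file under the web root could be fetched over HTTP.
        if path == root or path.startswith(root + "/"):
            findings.append("password file is inside the web root")
    return findings
```

An empty list from `audit(SAMPLE_HTACCESS, "/home2/mysite/public_html")` means the directives are in place and the password file cannot be requested through the web server.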

Author Comment

ID: 22754053
Thanks Torimar.  I did the test and do see the .htaccess file and it has the line

AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirecotry/passwd"

where mysite and mydirectory have been modified for this example.

Does it matter that mine ends with "passwd" as opposed to ".htpasswd" as you said?

Also, when I test logging in on IE, it says

"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."

Does that indeed mean that this method is insecure?  If so, how can I make it secure?

Thanks again for your help.

LVL 35

Expert Comment

ID: 22754183
This is ok, it doesn't matter that your AuthUserFile looks a bit different.

As to the "insecure manner": Well, basic authentication is as good a password protection as you can get without using SSL.
If a criminal hacker tries to intercept you or your users when accessing the page by sniffing your network traffic, then he would be able to find out the user password.
The only way to make this completely impossible would be to turn your whole site into a secure SSL site that performs traffic via https, not http pages. But your host must provide SSL as an option.
If your provider has a user support forum, your best bet would be to ask about SSL there. If your host has no such forum, but you receive an answer from their support staff telling you that SSL is supported, you might want to try the following:

Look for the .htaccess file in your site's root directory and add the following lines to it:

# www.example.com is a placeholder for your own domain name
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
LVL 35

Expert Comment

ID: 22754188

Of course, you must replace "" in the above snippet by the real name of your domain.

Author Comment

ID: 22788779
Thanks torimar.

You've been a great help on this issue.

Before I close this question and award the points, one last question:

What's the best method to "remember" users' login credentials?  How long of a "remember" period is desirable?

Thanks again
LVL 35

Expert Comment

ID: 22791077
In general, the automatic re-login ("remembering") will depend entirely on your site's security context: if you deal with delicate personal or financial data, there should be no remembering at all; if, on the other hand, you host a hidden forum where users visit and contribute many times a day, then a permanent auto-relogin will be a practical service.

But these considerations don't apply to the present case, as there is no way in basic authentication (none that I'd be aware of) to configure password remembrance on the server side, i.e. as the host. When you browse to a protected page/folder and you can set a check mark to remember your login details, then this is completely client-side, i.e. it's your browser who offers you to do so.
Thus it will be up to your users, not you, to decide whether or not they want their credentials to be remembered; if they decide they want to, then I guess the login information will be stored for as long as it is not deleted out of the browser's password management database.
