Protecting certain pages of a website

Posted on 2008-10-19
Last Modified: 2012-05-05
Is using the Host provided password protection for folders secure enough and an overall good solution to protect certain pages of a website?
Question by:shinnmill
  • 5
  • 2
LVL 35

Expert Comment

ID: 22753037
If what you mean by "host provided protection" is htaccess protection, then yes:
this is not only secure enough, this is the best protection available.
LVL 35

Accepted Solution

torimar earned 250 total points
ID: 22753092
You can check whether or not you get .htaccess protection by following these steps:

- protect one of your directories as a test
- FTP to your site
- browse to the protected directory
- check whether there is a file called .htaccess
- if yes, open it for viewing
- check whether it contains a line beginning with "AuthUserFile" and ending on ".htpasswd"

If this is the case, then your files are .htaccess protected.

Author Comment

ID: 22754053
Thanks Torimar.  I did the test and do see the .htaccess file and it has the line

AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirecotry/passwd"

where mysite and mydirectory have been modified for this example.

Does it matter that mine ends with "passwd" as opposed to ".htppasswd" as you said?

Also,  when i test loggin in on IE, it says

"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection

Does that indeed mean that this method is insecure?  If so, how can i make it secure?

Thanks again for your help.

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

LVL 35

Expert Comment

ID: 22754183
This is ok, it doesn't matter that your AuthUserFile looks a bit different.

As to the "insecure manner": Well, basic authentication is as good a password protection as you can get without using SSL.
If a criminal hacker tries to intercept you or your users when accessing the page by sniffing your network traffic, then he would be able to find out the user password.
The only way to make this completely impossible would be to turn your whole site into a secure SSL site that performs traffic via https, not http pages. But your host must provide SSL as an option.
If your provider has a user support forum, your best bet would be to ask about SSL there. If your host has no such forum, but you receive an answer from their support staff telling you that SSL is supported, you might want to try the following:

Look for the .htaccess file in your site's root directory and add the following lines to it:

RewriteEngine On  
RewriteCond %{SERVER_PORT} 80  
RewriteRule ^(.*)$$1 [R,L]
LVL 35

Expert Comment

ID: 22754188

Of cpourse, you must replace "" in the above snippet by the real name of your domain.

Author Comment

ID: 22788779
Thanks torimar.

You've been a great help on this issue.

Before i close this question and award the points, one last question:

What's the best method to "remember" user's login credentials?  how long of a "remember" period is desirable?

Thanks again
LVL 35

Expert Comment

ID: 22791077
In general, the automatic re-login ("remembering") will depend entirely on your site's security context: if you deal with delicate personal or financial data, there should be no remembering at all; if, on the other hand, you host a hidden forum where users visit and contribute many times a day, then a permanent auto-relogin will be a practical service.

But these considerations don't apply to the present case, as there is no way in basic authentication (none that I'd be aware of) to configure password remembrance on the server side, i.e. as the host. When you browse to a protected page/folder and you can set a check mark to remember your login details, then this is completely client-side, i.e. it's your browser who offers you to do so.
Thus it will be up to your users, not you, to decide whether or not they want their credentials to be remembered; if they decide they want to, then I guess the login information will be stored for as long as it is not deleted out of the browser's password management database.

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit ( and similar technologies have enjoyed wide adoption, making it possib…
Foolproof security solutions has become one of the key necessities of every e-commerce or Internet banking website. If you too own an online shopping site then its vital for you to equip your web portal with customer security features that can allow…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now