  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 236

Protecting certain pages of a website

Is using the Host provided password protection for folders secure enough and an overall good solution to protect certain pages of a website?
0
Asked by shinnmill
1 Solution
 
torimar commented:
If what you mean by "host provided protection" is htaccess protection, then yes:
this is not only secure enough, this is the best protection available.
0
 
torimar commented:
You can check whether or not you get .htaccess protection by following these steps:

- protect one of your directories as a test
- FTP to your site
- browse to the protected directory
- check whether there is a file called .htaccess
- if yes, open it for viewing
- check whether it contains a line beginning with "AuthUserFile" and ending on ".htpasswd"

If this is the case, then your files are .htaccess protected.
0
 
shinnmill (Author) commented:
Thanks Torimar.  I did the test and do see the .htaccess file and it has the line

AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirecotry/passwd"

where mysite and mydirectory have been modified for this example.

Does it matter that mine ends with "passwd" as opposed to ".htpasswd" as you said?

Also, when I test logging in on IE, it says

"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)"

Does that indeed mean that this method is insecure? If so, how can I make it secure?

Thanks again for your help.

0
 
torimar commented:
This is ok, it doesn't matter that your AuthUserFile looks a bit different.

As to the "insecure manner": Well, basic authentication is as good a password protection as you can get without using SSL.
If a criminal hacker tries to intercept you or your users when accessing the page by sniffing your network traffic, then he would be able to find out the user password.
The only way to make this completely impossible would be to turn your whole site into a secure SSL site that performs traffic via https, not http pages. But your host must provide SSL as an option.
If your provider has a user support forum, your best bet would be to ask about SSL there. If your host has no such forum, but you receive an answer from their support staff telling you that SSL is supported, you might want to try the following:

Look for the .htaccess file in your site's root directory and add the following lines to it:

RewriteEngine On
# Any request that arrives on the plain-HTTP port (80) is redirected to the same path over HTTPS
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]
0
 
torimar commented:
edit:

Of course, you must replace "domain.com" in the above snippet by the real name of your domain.
0
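The two checks discussed in this thread (does the directory's .htaccess actually enable Basic authentication, and is plain HTTP redirected to HTTPS so the credentials are not sent in the clear) can be automated. The following is an added example written for this page, not code from the thread; the two .htaccess contents it inspects are constructed samples, and `example.com` is a placeholder domain.

```python
import re

# Constructed sample .htaccess contents for demonstration (not taken from the thread).
HTACCESS_AUTH_ONLY = """\
AuthType Basic
AuthName "Members only"
AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirectory/passwd"
Require valid-user
"""

# Same protection, plus the HTTP-to-HTTPS redirect recommended above.
HTACCESS_AUTH_AND_HTTPS = HTACCESS_AUTH_ONLY + """\
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
"""


def parse_directives(text):
    """Map each Apache directive name to the list of its argument strings."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def audit_htaccess(text):
    """Report whether Basic auth is enabled and whether HTTP is forced to HTTPS."""
    d = parse_directives(text)
    basic_auth = any(a.lower() == "basic" for a in d.get("AuthType", []))
    # The file name does not matter (passwd vs .htpasswd); only that a user file is set.
    user_file = next((a.strip('"') for a in d.get("AuthUserFile", [])), None)
    https_forced = ("SSLRequireSSL" in d or
                    any(re.search(r"\bhttps://", a) for a in d.get("RewriteRule", [])))
    findings = []
    if basic_auth and not user_file:
        findings.append("AuthType Basic set but no AuthUserFile: logins cannot succeed")
    if basic_auth and "Require" not in d:
        findings.append("no Require directive: the directory is not actually protected")
    if basic_auth and not https_forced:
        findings.append("Basic auth without an HTTPS redirect: the username and password "
                        "cross the wire base64-encoded, readable by anyone sniffing the traffic")
    return {"basic_auth": basic_auth, "user_file": user_file,
            "https_forced": https_forced, "findings": findings}
```

Because the redirect usually lives in the site root's .htaccess while the authentication directives live in the protected directory's, feed the audit the concatenation of both files when checking a real site.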
 
shinnmill (Author) commented:
Thanks torimar.

You've been a great help on this issue.

Before I close this question and award the points, one last question:

What's the best method to "remember" users' login credentials? How long of a "remember" period is desirable?

Thanks again
0
 
torimar commented:
In general, the automatic re-login ("remembering") will depend entirely on your site's security context: if you deal with delicate personal or financial data, there should be no remembering at all; if, on the other hand, you host a hidden forum where users visit and contribute many times a day, then a permanent auto-relogin will be a practical service.

But these considerations don't apply to the present case, as there is no way in basic authentication (none that I'd be aware of) to configure password remembrance on the server side, i.e. as the host. When you browse to a protected page/folder and you can set a check mark to remember your login details, then this is completely client-side, i.e. it's your browser that offers to do so.
Thus it will be up to your users, not you, to decide whether or not they want their credentials to be remembered; if they decide they want to, then I guess the login information will be stored for as long as it is not deleted out of the browser's password management database.
0
