
Protecting certain pages of a website

Posted on 2008-10-19
Last Modified: 2012-05-05
Is using the host-provided password protection for folders secure enough and an overall good solution to protect certain pages of a website?
Question by:shinnmill
7 Comments
 
LVL 35

Expert Comment

by:torimar
ID: 22753037
If what you mean by "host provided protection" is htaccess protection, then yes:
this is not only secure enough, this is the best protection available.
0
 
LVL 35

Accepted Solution

by:
torimar earned 1000 total points
ID: 22753092
You can check whether or not you get .htaccess protection by following these steps:

- protect one of your directories as a test
- FTP to your site
- browse to the protected directory
- check whether there is a file called .htaccess
- if yes, open it for viewing
- check whether it contains a line beginning with "AuthUserFile" and ending in ".htpasswd"

If this is the case, then your files are .htaccess protected.
0
 

Author Comment

by:shinnmill
ID: 22754053
Thanks Torimar.  I did the test and do see the .htaccess file and it has the line

AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirecotry/passwd"

where mysite and mydirectory have been modified for this example.

Does it matter that mine ends with "passwd" as opposed to ".htpasswd" as you said?

Also, when I test logging in on IE, it says

"Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)"

Does that indeed mean that this method is insecure?  If so, how can I make it secure?

Thanks again for your help.

0
 
LVL 35

Expert Comment

by:torimar
ID: 22754183
This is ok, it doesn't matter that your AuthUserFile looks a bit different.

As to the "insecure manner": Well, basic authentication is as good a password protection as you can get without using SSL.
If a criminal hacker tries to intercept you or your users when accessing the page by sniffing your network traffic, then he would be able to find out the user password.
The only way to make this completely impossible would be to turn your whole site into a secure SSL site that performs traffic via https, not http pages. But your host must provide SSL as an option.
If your provider has a user support forum, your best bet would be to ask about SSL there. If your host has no such forum, but you receive an answer from their support staff telling you that SSL is supported, you might want to try the following:

Look for the .htaccess file in your site's root directory and add the following lines to it:

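RewriteEngine On
# Only rewrite requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} ^80$
# Redirect to the same path over HTTPS
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]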
0
 
LVL 35

Expert Comment

by:torimar
ID: 22754188
edit:

Of course, you must replace "domain.com" in the above snippet with the real name of your domain.
0
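
An added example, not part of torimar's posts or of any host's tooling: a small Python check that automates the manual .htaccess inspection described above and also reports whether the protected directory's own .htaccess requires TLS. The sample file is constructed around the AuthUserFile line quoted in the thread; the other directive values, the web root path and the function names are assumptions.

```python
import shlex

# Constructed sample: only the AuthUserFile line comes from the thread;
# the remaining directives are assumed typical values.
SAMPLE_HTACCESS = '''\
AuthType Basic
AuthName "Members"
AuthUserFile "/home2/mysite/.htpasswds/public_html/mydirecotry/passwd"
Require valid-user
'''

def parse_directives(text):
    """Return {directive_lowercase: [args]} for simple one-line directives."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted path argument
        found[parts[0].lower()] = parts[1:]
    return found

def audit_htaccess(text, web_root):
    """List findings for a directory protected with HTTP Basic authentication."""
    d = parse_directives(text)
    if not d.get("authuserfile"):
        return ["no AuthUserFile: directory is not .htaccess password protected"]
    findings = []
    if (d.get("authtype") or [""])[0].lower() != "basic":
        findings.append("AuthType is not Basic; the checks below may not apply")
    if "require" not in d:
        findings.append("no Require line: no login is enforced")
    pw_file = d["authuserfile"][0]
    if pw_file.startswith(web_root.rstrip("/") + "/"):
        findings.append("password file is inside the web root and may be downloadable")
    # mod_ssl's SSLRequireSSL refuses plain-HTTP requests before the browser is
    # asked for credentials. A redirect in the root .htaccess is not counted:
    # per-directory rewrite rules run after the authentication check.
    if "sslrequiressl" not in d:
        findings.append("no SSLRequireSSL: credentials can be requested over plain HTTP")
    return findings

if __name__ == "__main__":
    # Assumed web root for the account shown in the thread.
    for finding in audit_htaccess(SAMPLE_HTACCESS, "/home2/mysite/public_html"):
        print("-", finding)
```
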
 

Author Comment

by:shinnmill
ID: 22788779
Thanks torimar.

You've been a great help on this issue.

Before I close this question and award the points, one last question:

What's the best method to "remember" a user's login credentials?  How long of a "remember" period is desirable?

Thanks again
0
 
LVL 35

Expert Comment

by:torimar
ID: 22791077
In general, the automatic re-login ("remembering") will depend entirely on your site's security context: if you deal with delicate personal or financial data, there should be no remembering at all; if, on the other hand, you host a hidden forum where users visit and contribute many times a day, then a permanent auto-relogin will be a practical service.

But these considerations don't apply to the present case, as there is no way in basic authentication (none that I'd be aware of) to configure password remembrance on the server side, i.e. as the host. When you browse to a protected page/folder and you can set a check mark to remember your login details, then this is completely client-side, i.e. it's your browser that offers to do so.
Thus it will be up to your users, not you, to decide whether or not they want their credentials to be remembered; if they decide they want to, then I guess the login information will be stored for as long as it is not deleted out of the browser's password management database.
0
