www.webdeveloper.com

Thread: .htaccess question

  1. #1
    Join Date
    Sep 2004
    Posts
    279

    .htaccess question

    Hi,

    I protected a directory using .htaccess. It works great but once the password is given it will allow access again and again without asking for a password again. It will do this until the browser is closed. Is there any way to have it ask for the password each time the directory is accessed?

    Thanks...Mike

  2. #2
    Join Date
    Feb 2003
    Location
    Aberdeen, Washington, USA
    Posts
    1,859
    I think this would be better for the "Other" programming forum.

  3. #3
    Join Date
    Jul 2004
    Location
    Rhode Island
    Posts
    190
    With Apache's current perspective on HTTP Authentication, that's not possible through .htaccess (at least to my knowledge). Sorry.
    Matt Pat
    The World's Best Web Browser (Windows, Linux, and Mac): Get Firefox!
    My website: http://www.mattpat.net
    Control iTunes Remotely: TuneConnect

    "What's accepted is not always what's right."
    Look it up: What's the longest word in the English language?

  4. #4
    Join Date
    Sep 2004
    Posts
    279
    patenaudemat,

    Darn! Well...what I was hoping was that if I had to, I could view my files on a public computer and be assured that no one could view them after I left. Guess I won't be able to do that.

    Thanks for the reply, I really appreciated it.

    Mike

  5. #5
    Join Date
    Nov 2003
    Location
    Worthington, OH, USA
    Posts
    3,634
    Actually after you terminate the browser session, you should be required to log back in.

  6. #6
    Join Date
    Jul 2004
    Location
    Rhode Island
    Posts
    190
    Something like this might be possible, in retrospect, through PHP's HTTP_AUTH functions... I haven't looked into it much, but I believe there's a way to remove any authentication settings in the browser. If you called a function that did this on the load of each page, it would require the user to enter the password again. Of course, if you were just talking about any type of file, something like this wouldn't be useful for you.

  7. #7
    Join Date
    Sep 2004
    Posts
    279
    patenaudemat,

    What I mainly wanted to use it on was a "work page" that I made. On my web site I am selling products and this page allows me to access different shipping services and so forth. So I really don't want anyone to have access to it.

    What I need is a login and logout type of thing. I was hoping .htaccess would do the trick.

    Thanks,

    Mike

  8. #8
    Join Date
    Jul 2004
    Location
    Rhode Island
    Posts
    190
    As far as logout, .htaccess won't help you much... generally, the only way to log out is to close the browser window (unless there is an obscure PHP function that will clear the HTTP Auth information, which is stored in the browser, not the server as I incorrectly stated before)... maybe a header() function.

    For security, .htaccess will adequately protect a page as long as no one's "listening" to your Internet connection, since the username and password are transmitted in plaintext. Personally, I use cookie authentication with a MySQL database (which doesn't improve the security... the only real way to increase security is to connect using an SSL connection). With cookie authentication, you can log out by deleting cookies, and you can make it easier for yourself by not having to type the information every time you want to access this page from your own computer (if you so choose; PHP has functions for either session cookies or time-expiration).

    For added security, I use the md5() function to hash the password before it's transmitted, and then compare it to the hash of the password returned from the database for that username. I also use a "secret phrase" (hashed along with the password) to prevent guessing. Of course, every person has their own style of authentication, but this is more likely what you want since it ensures that (as long as the cookie is deleted) no one will "accidentally" log on after you.

    Hope it helps!
    Last edited by patenaudemat; 02-28-2005 at 02:24 PM.

  9. #9
    Join Date
    Sep 2004
    Posts
    279
    patenaudemat,

    Thanks,

    I'm kind of new to all this so please bear with me. I'm not that familiar with php but will learn it if I have to. I am familiar with perl and would prefer to go that way.

    So…
    I will access the work page using SSL; then have a login that asks for a password. I will write a cookie which allows access and when I logout I will delete the cookie. If I don't logout, the cookie will remain and allow access without asking for a password.

    Will this work or will it be too "insecure"?

    Mike

  10. #10
    Join Date
    Jul 2004
    Location
    Rhode Island
    Posts
    190
    That doesn't sound insecure to me... in fact, there's probably a way you can accomplish the same thing with Perl.

    Logging out is an extra security that comes with the cookies since the cookies can be deleted. However, as long as you set them as session cookies (usually just by not specifying an expiration date) it should be deleted when the browser is closed anyway (99.9% of the time).

    By the way, with everything I was talking about with the MD5 hashing, that's only necessary if you don't have an SSL connection. My website doesn't have a certificate, so I encrypt things myself, but as long as you're connected via SSL everything's automatically encrypted.

  11. #11
    Join Date
    Sep 2004
    Posts
    279
    patenaudemat,

    Thanks for the help!!

    Writing what I suggested in perl is a piece of cake. Just one thought here: Since I save the password in a cookie, is there any way I can encrypt it? The reason being is that if a cookie is left on a machine someone can read that cookie and the information left therein.

    Mike

  12. #12
    Join Date
    Jul 2004
    Location
    Rhode Island
    Posts
    190
    MD5 is usually a good algorithm to use for encryption... it's irreversible, so to check validity, just compare the hash of the password on file to the hash in the cookie. This is easier to understand in pseudo-code:
    Code:
    IF cookie_value == md5(password) THEN is_cookie_valid = TRUE
    You can use MD5 in Perl with the Digest::MD5 module (http://search.cpan.org/~gaas/Digest-MD5-2.33/MD5.pm). I recommend using the hexadecimal function (md5_hex) for a little added security over decimal. (In case you don't have root access, Digest::MD5 is installed on most servers by default). Have fun!
    Last edited by patenaudemat; 03-01-2005 at 01:36 PM.

  13. #13
    Join Date
    Sep 2004
    Posts
    279
    patenaudemat,

    Okay, I'll give it a try. Thanks for all of your help!!

    - Mike

  14. #14
    Join Date
    Dec 2002
    Location
    Pleasanton, CA
    Posts
    2,132
    Originally posted by Mike Burdick
    Writing what I suggested in perl is a piece of cake. Just one thought here: Since I save the password in a cookie, is there any way I can encrypt it?
    If you plan to use Perl and MySQL, then don't save the password, encrypted or otherwise, in a cookie. Instead create a random alpha-numeric string, a sessionID at each login.

    Save that in the cookie and in the database for this user. You can now validate the user with the sessionID. When you logout, clear the cookie AND the sessionID in the database. Now even if someone knows the cookie value, once you logout, the cookie value will be useless.
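
The session-ID scheme from post #14, combined with the SSL-only session cookie discussed in posts #9 and #10, as an added example that is not part of the original thread. It is written in Python with an in-memory sqlite3 table standing in for Perl and MySQL; the table layout, function names and the cookie name `sid` are assumptions, and storing only a hash of the session ID is an addition to what the post describes.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed schema: in-memory sqlite3 stands in for the MySQL users table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB,"
           " pw_hash BLOB, session_hash TEXT)")

def _pw_hash(password, salt):
    # Salted, slow hash for the stored password (never placed in a cookie).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _sid_hash(session_id):
    # Addition: keep only a hash of the ID server-side, so a leaked table
    # does not hand out live cookie values.
    return hashlib.sha256(session_id.encode()).hexdigest()

def add_user(name, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, NULL)",
               (name, salt, _pw_hash(password, salt)))

def login(name, password):
    """Return a Set-Cookie header value on success, None on failure."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _pw_hash(password, row[0])):
        return None
    session_id = secrets.token_hex(32)  # fresh random alphanumeric ID per login
    db.execute("UPDATE users SET session_hash = ? WHERE name = ?",
               (_sid_hash(session_id), name))
    # No Expires/Max-Age makes this a session cookie; Secure limits it to SSL/TLS.
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"

def current_user(cookie_header):
    """Map a Cookie request header to a user name, or None if not logged in."""
    cookies = dict(p.strip().split("=", 1)
                   for p in cookie_header.split(";") if "=" in p)
    sid = cookies.get("sid")
    if not sid:
        return None
    row = db.execute("SELECT name FROM users WHERE session_hash = ?",
                     (_sid_hash(sid),)).fetchone()
    return row[0] if row else None

def logout(name):
    """Clear the server-side ID and return the header that clears the cookie."""
    db.execute("UPDATE users SET session_hash = NULL WHERE name = ?", (name,))
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"
```

Because the cookie holds only a random ID, a copy left behind on a shared machine stops working as soon as `logout` clears the database row, and it reveals nothing about the password.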

  15. #15
    Join Date
    Sep 2004
    Posts
    279
    Nedals,

    Gee whizz - that's simple!

    Thanks!

    - Mike
