WebDeveloper.com: Where Web Developers and Designers Learn How to Build Web Sites, Program in Java and JavaScript, and More!
Protecting Your Pages

by Nathan Poole

These days, protecting your pages from those who are considered a threat to your content or company is simple in theory. The problem is that it requires some knowledge of the Apache Web server or, if you're merely a client on a server, knowledge of your shell account. There are two ways of implementing user authentication on the web: one is safe from everyday users, the other is safe from anyone, if used correctly.

This toolkit offers an extensive look at .htpasswd and using .htaccess to your complete advantage. The steps shown here are of course safe, and will work on any Apache system.

Note: You will be editing a vital file that requires exactly correct syntax. Failure to copy the code correctly will result in a 500 Internal Server Error, denying your Web site's visitors access to your content.

Methods Of Implementation

Allow/Deny

As mentioned, there are two ways of password protecting your pages--the first is by using Allow/Deny. This method allows you to choose who has permission to access your page by reading their REMOTE ADDRESS (such as .user.com) and who doesn't have permission by using the deny attribute. This method is especially useful if you run an ISP and offer a service for your current customers only. You can allow everyone from your_isp.com and nobody else will be able to use the service you provide.

The problem with the Allow/Deny method is that it's completely useless if you're protecting pages that are for...

  • paying members
  • staff only
  • or contain valuable information

If a user has root on (owns) the server they are running on, they can run a program called spoof, which will change their REMOTE ADDRESS to read anything they like. This is an obvious security flaw.

htpasswd

htpasswd is a great tool and seems to be as flawless as they come. It causes your HTTP client to prompt the user with a dialog box asking for a username and a password to confirm that they do have access. Given the correct information, the page will load as it should; if not, the user sees an Authentication Failed message.

Setting up Allow/Deny

First of all, you'll want to start a Telnet session to your server. If you don't have a shell (the server will kick you out if you try to access it) you can use FTP to send the file. First, we'll use the shell method.

You'll want to start by changing to the directory you want to protect, for example /home/servername/html/members/. Next, type vi .htaccess. This will open a clear screen with a flashing prompt; to start typing hit "INSERT" (or if you're on Windows 9x hit your "I" key). Next, type the following exactly as it is shown below. Any error in typing this will result in a server error.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic

order deny,allow
deny from all
allow from .host.com

After the above is typed, hit your ESC key and type :x. Now you have officially restricted access. Simple as that.

Note: In the example, .host.com should be replaced with the host you want to allow.
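
The following Python sketch is an added example, not code from the original article or from Apache. It models how the order/deny/allow lines above combine for a given client hostname, following Apache's documented Order, Allow and Deny semantics; it covers only the "all" keyword and domain-name patterns, and the client hostnames in it are constructed.

```python
# Added example: how "order", "deny from" and "allow from" combine.
# Only the "all" keyword and domain-name patterns are modelled here.

def in_domain(pattern, hostname):
    """True if hostname equals pattern or ends in it on a whole-label boundary."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not hostname.endswith(pattern):
        return False
    if len(hostname) == len(pattern):
        return True
    # Whole components only: "host.com" must not match "xhost.com".
    return pattern.startswith(".") or hostname[-len(pattern) - 1] == "."


def matches(patterns, hostname):
    return any(p.lower() == "all" or in_domain(p, hostname) for p in patterns)


def access_allowed(order, deny, allow, hostname):
    denied = matches(deny, hostname)
    allowed = matches(allow, hostname)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny is checked first and Allow overrides it; no match means allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is checked first and Deny overrides it; no match means denied.
        return allowed and not denied
    raise ValueError("unsupported order: %r" % order)


# The rule set typed into .htaccess in the article.
ARTICLE_RULES = dict(order="deny,allow", deny=["all"], allow=[".host.com"])

# Constructed client hostnames (hypothetical), as resolved by the server.
SAMPLE_CLIENTS = ["dialup42.host.com", "host.com", "xhost.com",
                  "host.com.example.net", "DIALUP42.HOST.COM"]


def evaluate_samples():
    return {h: access_allowed(hostname=h, **ARTICLE_RULES) for h in SAMPLE_CLIENTS}


if __name__ == "__main__":
    for host, ok in evaluate_samples().items():
        print("%-24s %s" % (host, "allowed" if ok else "denied"))
```

Note that the leading dot in .host.com means the bare name host.com is not matched, and that swapping the order to allow,deny with the same two rules would refuse every client.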


