Database Journal: The Knowledge Center for Database Professionals

find a web host with:
CGI Access DB Support NT Servers UNIX Servers Telnet Access advanced search

internet.com Internet News Internet Investing Internet Technology Windows Internet Tech. Linux/Open Source Web Developer ECommerce/Marketing ISP Resources ASP Resources Wireless Internet Downloads Internet Resources Internet Lists International EarthWeb Career Resources Search internet.com Advertise Corporate Info Newsletters E-mail Offers

internet.commerce Be a Commerce Partner

Protecting Your Pages

In this age protecting your pages from those who are considered a threat to your content or company is simplistic in theory. The problem is, it requires some knowledge of the Apache Web server or if you're merely a client on a server, knowledge of your shell account. There are two ways of utilizing user authentication via the web, one being safe from everyday users, the other being safe from anyone--if used correctly.

This toolkit offers an extensive look at .htpasswd and using .htaccess to your complete advantage. The steps shown here are of course safe, and will work on any Apache system.

Note You will be editing a vital file which requires the exact correct syntax, failure to copy the code correctly will result in a 500 Internal Server Error denying your Web site's visitors access to your content.

Methods Of Implementation

As mentioned, there are two ways of password protecting your pages--the first is by using Allow/Deny. This method allows you to choose who has permission to access your page by reading their REMOTE ADDRESS (such as .user.com) and who doesn't have permission by using the deny attribute. This method is especially useful if you run an ISP and offer a service for your current customers only. You can allow everyone from your_isp.com and nobody else will be able to use the service you provide.

The problem with the Allow/Deny method is that it's completely useless if you're protecting pages that are for...

• paying members
• staff only
• or contain valuble information

If a user has root (owns the server) in which he/she is running on, they can run a program called spoof which will change their REMOTE ADDRESS to read anything they like. This is an obvious security flaw.

htpasswd

htpasswd is a great tool and seems to be as flawless as they come. htpasswd prompts your HTTP client to prompt the user with a dialog box asking for a username and a password to confirm that they do have access. Given the correct information and the page will load as it should, if not the user sees an Authentication Failed message.

Setting up Allow/Deny

You'll want to start by changing the directory to the path you want to protect. For example - /home/servername/html/members/. Next, you'll want to type vi .htaccess--this will open a clear screen with a flashing prompt, to start typing hit "INSERT" (or if you're on Windows 9x hit your "I" key). Next, type the following exactly how it is shown below. Any error in typing this will result in a server error.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic

order deny,allow
deny from all
allow from .host.com

After the above is typed, hit your ESC key and type :x. Now you have officially restricted access. Simple as that.

Note In the example, .host.com should be replaced with the host you want to allow.

[ Site Map ] ActiveX / VBscript Animated GIF Archive Browsers CGI / Perl Database Connectivity Design / Graphics E-Commerce HTML-Advanced: DHTML, CSS HTML / Site Authoring Tools Intranet/Groupware Java JavaScript Multimedia: Audio / Video / Streaming Technologies Opinions Refresh Daily: Editorial Column Security Servers & Server Tools Site Design / Graphics Site Management / Marketing / Log File Analysis Tutorials VRML / 3D XML