
Re: avoid visitors viewing inside pages

From: Ankit Fadia <ankit@bol.net.in>
Date: Thu, 1 Jul 1999 13:46:01 +0530
Message-ID: <000101bec39f$ee5ad860$a2f15ecb@ankit>
To: <sgambhir@web.fairfax.com.au>
Cc: "Mukul Gandhi" <mgandhi@mtcindia.com>, "Nicolas Lesbats" <nlesbats@etu.utc.fr>, <www-html@w3.org>
How about this?
      The way to enforce this kind of control is to require a password for certain parts of your site. 
      Most HTTP servers support something called Basic Authentication, a method of setting permissions for particular directories. You do not need network administrator privileges for the whole server to do this; if you can write to the directory, you can password-protect it. (If your site runs on Microsoft Internet Information Server on Windows NT you have a number of other password options. Check out Microsoft's site for more information.) 

  Step one:
  Say you want to create a directory called Secrets and allow in only those people with the username Bond and the password 007. 

  First, create a file to contain the username and password. Store this file on your server. (For security reasons, you should store it somewhere other than the root directory.) Most HTTP servers, including Apache and Netscape Enterprise Server, let you create this document with the htpasswd command. Type the following line from the Unix prompt: 

  htpasswd -c /directory/path/.htpasswd Bond 

  To use this code, replace /directory/path/ with the Unix path to the password-protected file's location on your own site. You will be prompted for the password for Bond; enter it twice. You can check that the .htpasswd file has been created at that location; it should contain something like: 
  Step two:
  Next, create a file in the Secrets directory that sets the permissions. Call the file .htaccess and include the following text: 

        AuthUserFile /directory/path/.htpasswd
        AuthGroupFile /dev/null
        AuthName ByPassword
        AuthType Basic

        require user Bond 

  Again, replace the /directory/path/ statement with your site's Unix path to the .htpasswd document. You can change the value for AuthName to whatever you want. 

  To make sure your password protection works, try accessing a file in the Secrets directory. You should be prompted for a name and password, and the Bond-007 combination should get you in. 

  You can also create multiple usernames and passwords, as well as groups. For more information on how to do this, or to troubleshoot the basic process described above, visit Apache Week or the NCSA site. 

  Warning! While Basic Authentication is easy to implement, it is definitely not industrial-strength security. Basic Authentication sends passwords over the Internet as plain text--UUencoded, but not encrypted. Anyone watching the packets on the network wouldn't be able to tell which one contained the password, but if they caught the right one it would be easy to decode. For this reason, we discourage large banks and defense contractors from relying on this security method. 

  ----- Original Message ----- 
  From: sgambhir@web.fairfax.com.au 
  To: Ankit Fadia 
  Cc: Mukul Gandhi ; Nicolas Lesbats ; www-html@w3.org 
  Sent: Thursday, July 01, 1999 5:56 AM
  Subject: Re: avoid visitors viewing inside pages

  The one outlined below limits the user to one-depth access... i.e. you can go to index, then 
  to another page, but when you go to the third, the referer is no longer index, although you 
  have come 'via' index so to speak! The use of cookies would probably be easiest... a cookie 
  that lasts a 'session' and is set in the index file.. other files can check if the cookie is set, 
  and if not, point them to index! 
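As an added example (not from the mail above, and not Apache's own code), here is the server-side check that the .htaccess above configures, written in Python against the `{SHA}` hash format that `htpasswd -s` writes: it parses the .htpasswd file, decodes the Authorization header (which shows why the warning about plain-text passwords holds) and enforces `require user Bond`. The .htpasswd contents and the headers are constructed sample input.

```python
import base64
import binascii
import hashlib
import hmac

SHA_PREFIX = "{SHA}"  # format written by `htpasswd -s`: base64 of the raw SHA-1

def sha_htpasswd_hash(password: str) -> str:
    """Hash a password the way `htpasswd -s` stores it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")

# Constructed .htpasswd contents (user Bond, password 007) as `htpasswd -s` would write them.
HTPASSWD_TEXT = "Bond:" + sha_htpasswd_hash("007") + "\n"

def parse_htpasswd(text: str) -> dict:
    """Map each 'user:hash' line of an .htpasswd file to its stored hash."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def parse_basic_header(header: str):
    """Recover (user, password) from 'Basic <token>'; the token is base64, not encryption."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials at all
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def authorize(header: str, users: dict, allowed_users: set) -> bool:
    """Emulate `require user ...`: credentials must verify AND the user must be listed."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    if stored is None or not stored.startswith(SHA_PREFIX):
        return False
    # Constant-time comparison so a near-miss hash leaks no timing information.
    return hmac.compare_digest(sha_htpasswd_hash(password), stored) and user in allowed_users
```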


Received on Thursday, 1 July 1999 04:50:44 UTC
