- From: <sgambhir@web.fairfax.com.au>
- Date: Fri, 02 Jul 1999 10:28:18 +1000
- To: Ankit Fadia <ankit@bol.net.in>
- CC: Mukul Gandhi <mgandhi@mtcindia.com>, Nicolas Lesbats <nlesbats@etu.utc.fr>, www-html@w3.org
- Message-ID: <377C07A2.77D99263@web.fairfax.com.au>
Thanks to Ankit for his suggestions, I had another idea... (as
interpolated from Ankit's :-)

You can put your AuthFaliurePage to point to
http://whatever/~whoever/index.html
Then link from Index to other pages like:
http://username:password@whatever/~whoever/page.html
This way you will bypass the pop up basic auth box as well :-)

Ankit Fadia wrote:
> Hi
> How about this?
>
> The way to enforce this kind of control is to require a
> password for certain parts of your site. Most HTTP servers
> support something called Basic Authentication, a method of
> setting permissions for particular directories. You do not
> need network administrator privileges for the whole server
> to do this; if you can write to the directory, you can
> password-protect it. (If your site runs on Microsoft
> Internet Information Server on Windows NT you have a number
> of other password options. Check out Microsoft's site for
> more information.)
>
> Step one:
> Say you want to create a directory called Secrets and allow
> in only those people with the username Bond and the password
> 007.
>
> First, create a file to contain the username and password.
> Store this file on your server. (For security reasons, you
> should store it somewhere other than the root directory.)
> Most HTTP servers, including Apache and Netscape Enterprise
> Server, let you create this document with the htpasswd
> command. Type the following line from the Unix prompt:
>
> htpasswd -c /directory/path/.htpasswd Bond
>
> To use this code, replace /directory/path/ with the Unix
> path to the password-protected file's location on your own
> site. You will be prompted for the password for Bond; enter
> it twice. You can check that the .htpasswd file has been
> created at that location; it should contain something like:
>
> Bond:y1ia3tjWkhCK2
>
> Step two:
> Next, create a file in the Secrets directory that sets the
> permissions. Call the file .htaccess and include the
> following text:
>
> AuthUserFile /directory/path/.htpasswd
> AuthGroupFile /dev/null
> AuthName ByPassword
> AuthType Basic
> require user Bond
>
> Again, replace the /directory/path/ statement with your
> site's Unix path to the .htpasswd document. You can change
> the value for AuthName to whatever you want.
>
> To make sure your password protection works, try accessing a
> file in the Secrets directory. You should be prompted for a
> name and password, and the Bond-007 combination should get
> you in.
>
> You can also create multiple usernames and passwords, as
> well as groups. For more information on how to do this, or
> to troubleshoot the basic process described above, visit
> Apache Week or the NCSA site.
>
> Warning! While Basic Authentication is easy to implement, it
> is definitely not industrial-strength security. Basic
> Authentication sends passwords over the Internet as plain
> text--UUencoded, but not encrypted. Anyone watching the
> packets on the network wouldn't be able to tell which one
> contained the password, but if they caught the right one it
> would be easy to decode. For this reason, we discourage
> large banks and defense contractors from relying on this
> security method.
> ----- Original Message -----
>
> From: sgambhir@web.fairfax.com.au
> To: Ankit Fadia
> Cc: Mukul Gandhi ; Nicolas Lesbats ; www-html@w3.org
> Sent: Thursday, July 01, 1999 5:56 AM
> Subject: Re: avoid visitors viewing inside pages
> The one outlined below limits the user to one-depth
> access... ie.. you can go to index, then
> to another page, but when you go to the third, the
> referer is no longer index, although you
> have come 'via' index so to speak! The use of cookies would
> probably be easiest... a cookie
> that lasts a 'session' and is set in the index file.. other
> files can check if the cookie is set,
> and if not, point them to index!
>
> :-)
>
>
>
--
Simran Gambhir
NBD, Fairfax
201 Sussex St. Darling Harbour, NSW, 2000.
Tel: +61 2 9282-2777 Fax: +61 2 9282-2256
Received on Thursday, 1 July 1999 20:30:31 UTC
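
An added example, not part of the original messages: a check that finds links with credentials embedded in the URL, as in the http://username:password@whatever/... scheme suggested above (anyone who can view the index page's source can read them), and that shows a Basic Authorization header value decoding straight back to the username and password. The sample page, the header value and all function names are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an index page that links the way the message suggests.
SAMPLE_INDEX = """<html><body>
<a href="http://Bond:007@whatever/~whoever/page.html">Secrets</a>
<a href="http://whatever/~whoever/public.html">Public</a>
<img src="http://Bond:007@whatever/~whoever/logo.gif">
</body></html>"""


class CredentialLinkFinder(HTMLParser):
    """Collect every href/src URL that carries userinfo (user:password@host)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            parts = urlsplit(value)
            if parts.username is not None:
                self.findings.append(
                    (tag, parts.hostname, parts.username, parts.password))


def find_embedded_credentials(html):
    """Return (tag, host, user, password) for each credential-bearing link."""
    finder = CredentialLinkFinder()
    finder.feed(html)
    return finder.findings


def decode_basic_header(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


if __name__ == "__main__":
    for tag, host, user, password in find_embedded_credentials(SAMPLE_INDEX):
        print(f"<{tag}> exposes {user}:{password} for {host}")
    print(decode_basic_header("Basic Qm9uZDowMDc="))  # constructed header
```

Run over a site's published HTML, any finding is a password readable by every visitor of that page; the decoded header shows why Basic Authentication needs an encrypted transport to protect the password.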