
Re: avoid visitors viewing inside pages

From: Ankit Fadia <ankit@bol.net.in>
Date: Fri, 2 Jul 1999 20:25:41 +0530
Message-ID: <009f01bec49d$70d269e0$0100007f@ankit>
To: <sgambhir@web.fairfax.com.au>
Cc: "Mukul Gandhi" <mgandhi@mtcindia.com>, "Nicolas Lesbats" <nlesbats@etu.utc.fr>, <www-html@w3.org>

Okay Simran, you win. Yours is the best method of doing what we aimed to do.
By the way, who was the person who really wanted this solution? Is he satisfied? Who was he?
Bye
Ankit Fadia
  ----- Original Message ----- 
  From: sgambhir@web.fairfax.com.au 
  To: Ankit Fadia 
  Cc: Mukul Gandhi ; Nicolas Lesbats ; www-html@w3.org 
  Sent: Friday, July 02, 1999 5:58 AM
  Subject: Re: avoid visitors viewing inside pages


  Thanks to Ankit for his suggestions, I had another idea... (as interpolated from
  Ankit's :-)
  You can put your 
      AuthFaliurePage to point to http://whatever/~whoever/index.html 

  Then link from Index to other pages like: 

      http://username:password@whatever/~whoever/page.html 

  this way you will bypass the pop up basic auth box as well :-) 

  Ankit Fadia wrote: 

    Hi. How about this?

      The way to enforce this kind of control is to require a password for certain parts of your site.
      Most HTTP servers support something called Basic Authentication, a method of setting permissions for particular directories. You do not need network administrator privileges for the whole server to do this; if you can write to the directory, you can password-protect it. (If your site runs on Microsoft Internet Information Server on Windows NT you have a number of other password options. Check out Microsoft's site for more information.)

      Step one: 
      Say you want to create a directory called Secrets and allow in only those people with the username Bond and the password 007. 
      First, create a file to contain the username and password. Store this file on your server. (For security reasons, you should store it somewhere other than the root directory.) Most HTTP servers, including Apache and Netscape Enterprise Server, let you create this document with the htpasswd command. Type the following line from the Unix prompt: 

      htpasswd -c /directory/path/.htpasswd Bond 

      To use this code, replace /directory/path/ with the Unix path to the password-protected file's location on your own site. You will be prompted for the password for Bond; enter it twice. You can check that the .htpasswd file has been created at that location; it should contain something like:

      Bond:y1ia3tjWkhCK2

      Step two: 
      Next, create a file in the Secrets directory that sets the permissions. Call the file .htaccess and include the following text:

      AuthUserFile /directory/path/.htpasswd
      AuthGroupFile /dev/null
      AuthName ByPassword
      AuthType Basic
      require user Bond

      Again, replace the /directory/path/ statement with your site's Unix path to the .htpasswd document. You can change the value for AuthName to whatever you want. 

      To make sure your password protection works, try accessing a file in the Secrets directory. You should be prompted for a name and password, and the Bond-007 combination should get you in. 

      You can also create multiple usernames and passwords, as well as groups. For more information on how to do this, or to troubleshoot the basic process described above, visit Apache Week or the NCSA site. 

      Warning! While Basic Authentication is easy to implement, it is definitely not industrial-strength security. Basic Authentication sends passwords over the Internet as plain text--UUencoded, but not encrypted. Anyone watching the packets on the network wouldn't be able to tell which one contained the password, but if they caught the right one it would be easy to decode. For this reason, we discourage large banks and defense contractors from relying on this security method. 

      ----- Original Message -----
      From: sgambhir@web.fairfax.com.au
      To: Ankit Fadia
      Cc: Mukul Gandhi ; Nicolas Lesbats ; www-html@w3.org
      Sent: Thursday, July 01, 1999 5:56 AM
      Subject: Re: avoid visitors viewing inside pages

      The one outlined below limits the user to one-depth access... i.e. you can go to index, then
      to another page, but when you go to the third, the referer is no longer index, although you
      have come 'via' index so to speak! The use of cookies would probably be easiest... a cookie
      that lasts a 'session' and is set in the index file.. other files can check if the cookie is set,
      and if not, point them to index!
      :-)

-- 
Simran Gambhir
NBD, Fairfax
201 Sussex St. Darling Harbour, NSW, 2000.
Tel: +61 2 9282-2777  Fax: +61 2 9282-2256
    




Received on Friday, 2 July 1999 11:06:35 GMT
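
The thread's http://username:password@host/... links put the password into the page source, and Basic authentication then sends it Base64-encoded in the Authorization header on every request. The Python sketch below is an added example, not part of any message in the thread: it audits HTML for links that carry credentials and shows that a captured header decodes straight back to the password. The sample page and all function names are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the index page described in the thread.
SAMPLE_INDEX = """
<a href="http://Bond:007@whatever/~whoever/page.html">Members</a>
<a href="http://whatever/~whoever/public.html">Public</a>
<img src="http://Bond:007@whatever/~whoever/logo.gif">
"""

class _UrlCollector(HTMLParser):
    """Collect every href/src attribute value in a document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def find_credential_links(html):
    """Return (url, username, password) for each URL carrying userinfo."""
    collector = _UrlCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.username is not None:
            hits.append((url, parts.username, parts.password))
    return hits

def basic_auth_header(username, password):
    """Build the Authorization value a client sends for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic_auth(header):
    """Recover (username, password) from a captured Authorization value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

if __name__ == "__main__":
    for url, user, pw in find_credential_links(SAMPLE_INDEX):
        print(url, "->", decode_basic_auth(basic_auth_header(user, pw)))
```

Any hit from find_credential_links means the password is readable by every visitor who views the page source, so the directory protection adds nothing for that page.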
