Re: avoid visitors viewing inside pages from Ankit Fadia on 1999-07-01 (www-html@w3.org from July 1999)

From: Ankit Fadia <ankit@bol.net.in>
Date: Thu, 1 Jul 1999 13:46:01 +0530
To: <sgambhir@web.fairfax.com.au>
Cc: "Mukul Gandhi" <mgandhi@mtcindia.com>, "Nicolas Lesbats" <nlesbats@etu.utc.fr>, <www-html@w3.org>
Message-ID: <000101bec39f$ee5ad860$a2f15ecb@ankit>

Hi
How about this?
The way to enforce this kind of control is to require a password for certain parts of your site.
Most HTTP servers support something called Basic Authentication, a method of setting permissions for particular directories. You do not need network administrator privileges for the whole server to do this; if you can write to the directory, you can password-protect it. (If your site runs on Microsoft Internet Information Server on Windows NT you have a number of other password options. Check out Microsoft's site for more information.)

Step one:
Say you want to create a directory called Secrets and allow in only those people with the username Bond and the password 007.

First, create a file to contain the username and password. Store this file on your server. (For security reasons, you should store it somewhere other than the root directory.) Most HTTP servers, including Apache and Netscape Enterprise Server, let you create this document with the htpasswd command. Type the following line from the Unix prompt:

htpasswd -c /directory/path/.htpasswd Bond

To use this code, replace /directory/path/ with the Unix path to the password-protected file's location on your own site. You will be prompted for the password for Bond; enter it twice. You can check that the .htpasswd file has been created at that location; it should contain something like:

Bond:y1ia3tjWkhCK2

Step two:
Next, create a file in the Secrets directory that sets the permissions. Call the file .htaccess and include the following text:

AuthUserFile /directory/path/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

require user Bond

Again, replace the /directory/path/ statement with your site's Unix path to the .htpasswd document. You can change the value for AuthName to whatever you want.

To make sure your password protection works, try accessing a file in the Secrets directory. You should be prompted for a name and password, and the Bond-007 combination should get you in.

You can also create multiple usernames and passwords, as well as groups. For more information on how to do this, or to troubleshoot the basic process described above, visit Apache Week or the NCSA site.

Warning! While Basic Authentication is easy to implement, it is definitely not industrial-strength security. Basic Authentication sends passwords over the Internet as plain text--UUencoded, but not encrypted. Anyone watching the packets on the network wouldn't be able to tell which one contained the password, but if they caught the right one it would be easy to decode. For this reason, we discourage large banks and defense contractors from relying on this security method.

----- Original Message -----
From: sgambhir@web.fairfax.com.au
To: Ankit Fadia
Cc: Mukul Gandhi ; Nicolas Lesbats ; www-html@w3.org
Sent: Thursday, July 01, 1999 5:56 AM
Subject: Re: avoid visitors viewing inside pages

The one outlined below limits the user to one-depth access... ie.. you can go to index, then
to another page, but when when you go to the third, the referer is no longer index, although you
have come 'via' index so to speak! The use of cookies would probably be easiest... a cookie
that lasts a 'session' and is set in the index file.. other files can check if the cookie is set,
and if not, point them to index!
:-)

Attachments

image/gif attachment: bump.gif
image/gif attachment: ul.gif

Received on Thursday, 1 July 1999 04:50:44 UTC