Simple private webpages

I’ve got domain hosting through Dreamhost, and a website that I set up with Dreamweaver.

What’s the simplest way to set up some pages that are password-protected? (i.e. when somebody follows a link to them, they get a password prompt before they can proceed).

It doesn’t need to be the most uber-secure thing in the world, but something that’s at least not trivially bypassable would be good. Also, something where I could have multiple passwords, so I could let John Doe in with his user name and pw, or, if pw only, then the pw could be something like John_Doe_Somepassword, that I could disable later if I like.

If you’re on an Apache server (you should be, IIS is utter shite) you use basic authentication, which involves having two files in the directory you’re trying to protect: .htaccess and .htpasswd (.htpasswd can actually be wherever).

.htaccess has something like:

AuthUserFile <FullPathToUserFile>
AuthGroupFile /dev/null
AuthName Members
AuthType Basic
# Without a Require line Apache does not ask for or check a login
Require valid-user

and then .htpasswd contains

name:password(encrypted in some way, you can use the CLI htpasswd utility to do this, or PHP can do it.)

Hmm, I can’t get it to work right - it does prompt me when I go to the directory, but it doesn’t accept the user/pw I tried to set up.

Assuming that my site was www.somesite.com, and the directory I wanted to protect was ‘private’ (i.e. http://www.somesite.com/private), what exactly would go in the AuthUserFile? I tried

AuthUserFile http://www.somesite.com/private/.htpasswd
and
AuthUserFile /.htpasswd
(for the latter, I put the password in my root directory, above the site directory…)

But it won’t accept the username and pw in the given file…

Then that’s just a matter of encryption usually… what are you using to generate the password text?

Oh, and very likely your pw file is NOT in the root directory… it’ll be in

~/.htpasswd

The root directory is machine specific stuff and not usually touchable by users. But instead of using ~ which is for home dir, I’d use the whole path, something like:

/usr/home/philstein/.htpasswd

Use pwd on the shell to find where you’re at.

I figured it out. For dreamhost, it was set up so that the root I wanted was

AuthUserFile /home/psteinx/.htpasswd

Now it’s working

Thanks,
Phil
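An added example, not code from any poster in this thread: the answer above notes that PHP can generate the .htpasswd entries, so this script adds and removes users in the password file, which covers the "several logins I can disable later" requirement. The path and user names are constructed, and it assumes Apache 2.4 or later, which accepts bcrypt entries in the AuthUserFile.

```php
<?php
// Added example: maintain an Apache .htpasswd file from PHP.
// Assumes Apache 2.4+ (accepts bcrypt "$2y$" entries). Paths and names are constructed.
// Matching .htaccess; AuthUserFile is an absolute filesystem path, not a URL:
//   AuthType Basic
//   AuthName "Members"
//   AuthUserFile /home/example/.htpasswd
//   Require valid-user

// Set a user's password, or remove the user when $password is null.
function htpasswd_set(string $file, string $user, ?string $password): void
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('bad user name');
    }
    $fh = fopen($file, 'c+');                 // create if missing, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot open or lock $file");
    }
    $entries = [];
    while (($line = fgets($fh)) !== false) {
        $line = rtrim($line, "\r\n");
        if (strpos($line, ':') !== false) {
            [$name, $hash] = explode(':', $line, 2);
            $entries[$name] = $hash;
        }
    }
    if ($password === null) {
        unset($entries[$user]);               // disabling a login = dropping its line
    } else {
        $entries[$user] = password_hash($password, PASSWORD_BCRYPT);
    }
    ftruncate($fh, 0);
    rewind($fh);
    foreach ($entries as $name => $hash) {
        fwrite($fh, "$name:$hash\n");
    }
    fclose($fh);                              // closing the handle releases the lock
}

// CLI: php htpasswd_set.php add FILE USER   (password read from stdin)
//      php htpasswd_set.php del FILE USER
if (PHP_SAPI === 'cli' && ($argc ?? 0) === 4) {
    [, $cmd, $file, $user] = $argv;
    $pw = $cmd === 'add' ? fgets(STDIN) : null;
    if ($cmd === 'del' || ($cmd === 'add' && $pw !== false)) {
        htpasswd_set($file, $user, $pw === null ? null : rtrim($pw, "\r\n"));
    }
}
```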

Good choice on the host there, Phil.

Dreamhost rawks.

Gotta call BS on that, IIS is dandy. My company charges a filthy amount of money for Windows web hosting, and 99.99% of hacks come from weak passwords on administrator accounts.

H.

If you have trouble with .htaccess, you can do it with PHP. This should work on almost all hosts. The downside is you can only protect web pages with the extension .php. This really shouldn’t be a problem, as you won’t have to change anything in your HTML files except the extension, and add one line of PHP code to each page. It’s not as secure as .htaccess, but it’s good enough for anyone who hasn’t been issued a regulation foil hat.

It has one nice advantage, in that the login form is completely customisable and it says hello to people who log in, and lets them log out. .htaccess is ugly unless you plunge into the mod_rewrite maze. You don’t want to do that. Mod_rewrite is the computing equivalent of a psychedelic sequence from a 1960s sci-fi show where someone is driven mad by an evil genius flashing swirly lights in their eyes. And it’s impossible to logout of .htaccess without clearing your browser cache, IIRC.

Instead, just copy the following into a text editor and save it to your website’s root as access.php. The default username and password are jolly and roger


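<?php
// access.php: require this at the top of every page that needs a login.
session_start();
$_Username = "jolly"; // Change this to whatever username you want.
$_Password = "roger"; // Change to whatever password you want.
// PHP_SELF comes from the request URL, so escape it before echoing it into HTML.
$_Self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

// Login attempt: only accept string fields and compare in constant time.
if (isset($_POST['Submitted'], $_POST['Username'], $_POST['Password'])
    && $_POST['Submitted'] == "True"
    && is_string($_POST['Username']) && is_string($_POST['Password'])) {
    if (hash_equals($_Username, $_POST['Username']) && hash_equals($_Password, $_POST['Password'])) {
        session_regenerate_id(true); // New session ID on login.
        $_SESSION['Logged_In'] = "True";
        $_SESSION['Username'] = $_Username;
    }
}
if (!isset($_SESSION['Logged_In']) || $_SESSION['Logged_In'] != "True") {
    // Not logged in: print the form and stop before the protected page renders.
    echo "<form method=\"post\" action=\"" . $_Self . "\">
        <p>Username: <input type=\"text\" name=\"Username\"></p>
        <p>Password: <input type=\"password\" name=\"Password\"></p>
        <input type=\"hidden\" name=\"Submitted\" value=\"True\">
        <input type=\"Submit\" value=\"Log In\" name=\"Submit\">
    </form>";
    die('');
} else {
    echo "<p>You are logged in as: <b>" . $_SESSION['Username'] . "</b> :: <a href=\"" . $_Self . "?mode=logout\">Logout</a></p>";
}
if (isset($_GET['mode']) && $_GET['mode'] == "logout") {
    // The session was already started at the top of this file.
    $_SESSION = array();
    session_destroy();
    echo "<META HTTP-EQUIV=\"refresh\" content=\"1; URL=" . $_Self . "\">";
}
?>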

Then in each page you want protected, change the extension to .php (update any links to it, naturally) and plop the following line at the top:

<?php require 'access.php'; ?>

Voila. I have not tested it thoroughly, but it’s pretty boilerplate stuff. If it doesn’t work, tell me what goes wrong and I’ll fix it.

Basically, every time you open a protected page, it runs access.php. access.php checks to see if you’ve already logged in. If you haven’t, it prints a login form.

If you try it and like it, I’ll make the edits so that you can have lots of usernames and passwords. Also, if you want people to see a particular welcome message, tell me what you’d like it to be.
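One way the multi-user version mentioned above could look, as an added example that is not the poster's code: a drop-in access.php that checks logins against hashed entries in a file, so each person has their own password and a login is disabled by deleting its line. The file path and its `name:hash` layout are assumptions made for this example.

```php
<?php
// Added example: multi-user access.php. Logins live as "name:hash" lines (bcrypt
// hashes from password_hash() or `htpasswd -B`) in a file outside the web root.
// USERS_FILE is a constructed path; deleting a line disables that login.
const USERS_FILE = '/home/example/.site_users';

function load_users(string $file): array
{
    $users = [];
    $lines = is_readable($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines ?: [] as $line) {
        if (strpos($line, ':') !== false) {
            [$name, $hash] = explode(':', $line, 2);
            $users[$name] = $hash;
        }
    }
    return $users;
}

// True only for a listed user whose password matches the stored hash.
function credentials_ok(array $users, $user, $pass): bool
{
    return is_string($user) && is_string($pass)
        && isset($users[$user])
        && password_verify($pass, $users[$user]);
}

session_start();
// SCRIPT_NAME omits any extra path info from the URL; escape it before output anyway.
$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');

if (($_GET['mode'] ?? '') === 'logout') {
    $_SESSION = [];
    session_destroy();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST'
    && credentials_ok(load_users(USERS_FILE), $_POST['Username'] ?? null, $_POST['Password'] ?? null)) {
    session_regenerate_id(true);             // fresh session ID at login
    $_SESSION['Username'] = $_POST['Username'];
}

if (!isset($_SESSION['Username'])) {
    echo '<form method="post" action="' . $self . '">'
       . '<p>Username: <input type="text" name="Username"></p>'
       . '<p>Password: <input type="password" name="Password"></p>'
       . '<p><input type="submit" value="Log In"></p></form>';
    exit;                                    // stop before the protected page renders
}
echo '<p>Logged in as <b>' . htmlspecialchars($_SESSION['Username'], ENT_QUOTES, 'UTF-8')
   . '</b> :: <a href="' . $self . '?mode=logout">Logout</a></p>';
```

A user whose line has been removed keeps any session that is already open until it expires.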

[quote]
Gotta call BS on that, IIS is dandy. My company charges a filthy amount of money for Windows web hosting, and 99.99% of hacks come from weak passwords on administrator accounts.

H.[/quote]

Ya, you keep believing that IIS is dandy.

And, Phil knows better, but don’t try to use php code to secure a page. It’s crap. Fuck, these last two posts are like an acid trip back to 1996.

The best thing about Dreamweaver is that - I believe - it can get you through the night.

God forbid you might actually read the poster’s explicitly-stated lack of security requirements, and offer something that provides a more pleasant experience than a grey popup box! You even recommended PHP for encrypting passwords :P

You’re right that it’s insecure, though, though it’s astronomically unlikely to get randomly hacked unless someone absolutely has to get into Phil’s site. And IIS is, indeed, not Dandy.

[quote=“Rob_Beschizza”]

God forbid you might actually read the poster’s explicitly-stated lack of security requirements, and offer something that provides a more pleasant experience than a grey popup box! You even recommended PHP for encrypting passwords :P

You’re right that it’s insecure, though, though it’s astronomically unlikely to get randomly hacked unless someone absolutely has to get into Phil’s site. And IIS is, indeed, not Dandy.[/quote]

My point wasn’t that it was insecure, although it is… It’s that it’s crap… You can’t protect images or other content without jumping through some nice big hoops, and there’s lots of ways it can screw up. I wrote exactly that code (plus image protection and movie protection) for PHP and ASP back in the day before I knew better.

Phil didn’t seem to have any requirements for anything other than a simple login for his site. A script is just an alternative to .htaccess. Relax. This isn’t slashdot.

Bully for you! I love a good pissing match, but Jesus… “exactly that code?”

Phil, as a second alternative, I heartily recommend you make your password protection system from MDF. MDF.

No one’s upset here, and I haven’t read slashdot in years. He wanted a simple solution that works well, I gave it to him. PHP is the opposite of both of those.

Also, it looks like Dreamhost’s control panel has a web-based .htaccess manager as well, and some guides for using .htaccess with their hosting

https://panel.dreamhost.com/kbase/index.cgi?area=669

Those control panels are a cool thing if they work… I’ve seen some that were just awful and screwed up the machines that they ran on bad.

I love watching MCSE’s try to justify vendor lock-in. It’s so cute.

Once I figured out what the right path specification was, the .htaccess thing was pretty easy. Took me maybe 40 minutes of dinking with it all total to implement. The lame login box is ok for my purposes - I do have some files to protect in addition to the page, so .htaccess is good. Basically I just wanted to make the page for downloading my beta and seeing some other unreleased stuff private, and this worked for that. This isn’t a heavy duty thing that lots of people/customers will be seeing.

Thanks to all for the info.

Off-topic, sorry, but I saw Dreamhost mentioned. I’ve been babysitting a couple of sites I generously set up at DH for some friends who are being jerks. I had put some serious hours and money into this, and I’ll let them manage their own crap from this point forward but unfortunately, the DH transfer process sounds like a pain:

This is more work than my friends deserve, although they probably don’t quite deserve having me delete the sites. I don’t get why they can’t simply swap ownership, or something. Other than this, I agree that DH rocks.

Ack, Dreamhost has gone down completely, along with it a bunch of my sites. These are not slated for high availability, but I just realized I have no idea how to get in touch with DH outside of web/email/fax. Anyone deal with a DH outage before and have an emergency number?

Edit: It wasn’t their fault after all, apparently much of LA was offline today due to a power outage caused by an employee who cut the wrong cable. My sites were available a few hours after the outage but six hours later, their main site is still down and I still haven’t received any communication from them.