Comments on: Password-Protection

Question: Password-Protection

iconomy — Wed, 26 Jan 2005 07:36:16 -0800

Is there a script (perl or php, no MySQL because I don't understand it and don't want to learn it) that password-protects a webpage so that it can be viewed only by someone who logs in with a username and a password, and also logs that user, so that you can have a record (very important) of who's viewed the page? If so, where can I get me one?

By: Plutor

Plutor — Wed, 26 Jan 2005 07:40:24 -0800

Apache (the web server) can do it, no scripting or database needed, by utilizing the Auth* directives in a .htaccess file. Of course, your administrator will need to have Apache configured to allow you to do that, but it's a rather common setup. Also, read Apache's authentication tutorial.

By: agropyron

agropyron — Wed, 26 Jan 2005 07:47:34 -0800

Seriously, .htaccess is a very simple thing to set up. Though it's been long enough that I can't type out the steps from memory. It was much easier than scripting anything.

By: AlexReynolds

AlexReynolds — Wed, 26 Jan 2005 08:00:04 -0800

If you care about security, make sure you're running .htaccess's usual Basic authentication within a SSL-protected server profile. This kind of authentication traffic is sent along the web traffic in what is equivalent to cleartext. Here are OS X-specific instructions, but the commands described in this article apply equally to any generic LAMP setup.

By: cmonkey

cmonkey — Wed, 26 Jan 2005 08:02:02 -0800

Apache access logs include the authenticated username, too, so .htaccess and a log parser is all you'd need.

By: mkultra

mkultra — Wed, 26 Jan 2005 08:14:13 -0800

To add to the pile-on: If you were to do this in something like PHP, then your entire site needs to be in PHP. If you have complex security roles, then something like that might be called for, but for simple user:password security, .htaccess is simple and can sit on top of anything else.

By: orange clock

orange clock — Wed, 26 Jan 2005 08:19:14 -0800

man htpasswd, baby

By: iconomy

iconomy — Wed, 26 Jan 2005 08:35:28 -0800

Now this is the kind of pile-on that I like! Thanks, guys. You know that I have no idea what any of you are talking about, right? I have no idea what directives are, or what a LAMP setup is. I'll look into everyone's answers and give it a go, though - thanks so much.

By: purephase

purephase — Wed, 26 Jan 2005 08:37:34 -0800

LAMP.

By: revgeorge

revgeorge — Wed, 26 Jan 2005 08:58:24 -0800

There is a really good tool online for generating these. Unfortunately I can't find it, but I did find this one. You can add more users by running it again and adding the .htpasswd it creates to the one you already had, each user on their own line.

Also, take a look at this .htaccess generator.

By: danOstuporStar

danOstuporStar — Wed, 26 Jan 2005 10:09:34 -0800

Isn't "a record of who's viewed the page" kind of a primary requirement that's being ignored in this pile-on? Saying "a log parser is all you need" seems a little obscure.

If it is truly a single page, that you need to protect/record, look at opening a file and recording the $_SERVER['PHP_AUTH_USER'] value and a timestamp during each visit.

By: Plutor

Plutor — Wed, 26 Jan 2005 10:34:24 -0800

Isn't "a record of who's viewed the page" kind of a primary requirement that's being ignored in this pile-on? Saying "a log parser is all you need" seems a little obscure.

A log parser isn't necessary. The default Apache access_log format includes both %t (current time) and %u (authenticated username). Just looking through the text file would be an adequate "record", akin to what your php logging would do. In both cases, though, some automated parsing and whatnot would help make sense of the data, though.

(The Apache logs also include remote IP address, file accessed, and other useful stuff)