Thursday, October 17, 2002

Creating password-protected directories

There are various ways to create password-protected directories on a hosted server, some of them more secure than others. Here are a few alternatives, ranging from a do-it-yourself solution that's suitable for low-cost shared-server hosting to a fully prepackaged solution from Xara Online, which can be plugged into any website.

The do-it-yourself solution revolves around a file called .htaccess, which controls various aspects of configuration on a Unix web server. Entry-level shared-server hosting packages are based on either Unix or Windows. Personally I don't recommend opting for Windows as a shared-server platform, because it lacks support for open-source capabilities such as PHP and MySQL, which are becoming standard features of Linux and Unix hosting packages these days. So what I'm about to say (apart from the Xara bit at the end) won't help you much if you're on a Windows package. Sorry about that.

Not all hosting companies are comfortable with their users tampering with .htaccess files, so check first that your provider allows this (most good ones will do). To follow these instructions, you'll also need to know how to FTP files to your server.

Password protection is not the only thing that a .htaccess file does (it's pronounced dot-h-t-access, by the way). There's a useful rundown of all its capabilities here. In fact, your website almost certainly already has a .htaccess file set up by your hosting provider, which gets modified if you use some of the utilities that come with the hosting package, for example to set up and manage custom error pages. It's best to leave this file alone, along with any .htpasswd files that have already been set up on the system, rather than altering something that could interfere with your existing or future setup.

Since you wouldn't normally want to password-protect your entire site, the first step is to create a new directory to be password-protected. Putting a .htaccess file into this directory will then allow you to control access not only to the directory itself and any pages and files in it, but also to any subdirectories that you create within it (unless you also give them .htaccess files of their own). Having created the directory, you then need to prepare two files — the .htaccess file itself, and a .htpasswd file containing user ID and password pairs.

The simplest arrangement is to put both of these files in the same directory, but unfortunately that's also the least secure, since it gives you only one level of protection (once someone has broken in, they can access your entire password file). A more secure arrangement is to put your .htpasswd file in a separate directory on your server that isn't part of the publicly accessible web page area. Find out the path for the directories above your htdocs or www directory (it is probably something like /usr/local/apache/), and use or create a subdirectory in this private area; your hosting provider will probably be able to recommend a suitable location. Whatever you do, be sure that you don't overwrite an existing .htpasswd file, because in all likelihood that's the one that controls your access to the server.

Once you've decided where to store your .htpasswd file, the next step is to create it. If you're able to access your server using telnet or SSH (the latter is the best method because it's more secure), then you can enter the usernames and passwords directly into the file, using the instructions shown here. Alternatively, you can create the file on your local machine and upload it using FTP.

The main drawback with this second method is that passwords have to be encrypted using a Unix utility, which by definition you're not going to find on your PC. The only easy way round this is to go to one of the many web pages that will do this in your browser for you; a Google search for ".htpasswd encryption tool" will produce a selection. But bear in mind that, while most of them are perfectly reputable, it's never a good idea to enter genuine ID and password pairs into a browser-based utility when you don't have a clue who owns it or runs it. As a precaution against someone stealing and using your ID and password pair, always enter a false ID (eg "anyone"). You will then end up with a result something like this: "anyone:LbWm6xez3X//I", and you simply have to replace the false ID with the correct one, leaving the colon and all the characters after it unchanged.

When creating .htpasswd and .htaccess files on your PC, you'll find that Windows doesn't let you create files whose names start with a dot. So you have to create each one using a temporary name on your local machine, and then rename it to the correct name when you FTP it. Let's assume you've successfully done that and that your .htpasswd file is now safely loaded in (for example) the /usr/local/ directory of your web server. Now you're ready to create the .htaccess file for uploading to your password-protected directory.

The .htaccess file needs to have the following lines in it. Line one defines where you're storing the .htpasswd file. You won't need to change lines two and four. Line three is the name of the "realm" that users will see in the login dialog box; replace the words in quotes with any name or message you like, keeping the quotes, since Apache requires them when the name contains spaces:

  AuthUserFile /usr/local/.htpasswd
  AuthGroupFile /dev/null
  AuthName "Name Your Realm Here"
  AuthType Basic
  require valid-user

Line five is set to "require valid-user", which means it will give access to all the users in the .htpasswd file. You also have the option to specify each user individually, which you would do by writing, for example, "require user philwainewright", "require user anothername", "require user etc", with each statement on a new line. This is useful if you want to maintain a single .htpasswd file for the site, but give different access rights to individual users (eg to allocate each user their own private area, or to have an area that's reserved for administrators only).
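The whole do-it-yourself procedure above (hash the password under a false ID, swap in the real ID, keep the .htpasswd file out of the public tree, then write the .htaccess with either "require valid-user" or one "require user" line per person) can be carried out on the PC with a short script instead of a third-party web page. The following is an added example written for this page, not code from the original post. It assumes Apache's {SHA} password format, which is what "htpasswd -s" writes and which any stock Python can reproduce; the 13-character hash in the post's sample is the older crypt() format, and current htpasswd builds default to bcrypt or MD5, which are the better choice when the htpasswd tool is available. The document root and password-file path are constructed sample values. It goes slightly beyond the post by also verifying a password against a stored line and by refusing a password file that sits under the document root.

```python
import base64
import hashlib
import hmac
import posixpath

# Constructed sample values for this example (not from the post): a document
# root and a password-file location outside it, as the post recommends.
DOC_ROOT = "/usr/local/apache/htdocs"
PASSWD_PATH = "/usr/local/.htpasswd"


def sha_hash(password: str) -> str:
    """Hash a password in Apache's {SHA} form (what `htpasswd -s` writes):
    the literal prefix {SHA} followed by base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def htpasswd_line(user: str, password: str) -> str:
    """One 'user:hash' line. The colon separates the fields, so a user
    ID containing one would corrupt the file."""
    if not user or ":" in user:
        raise ValueError("user ID must be non-empty and must not contain ':'")
    return f"{user}:{sha_hash(password)}"


def rename_user(line: str, real_user: str) -> str:
    """The post's trick: a line generated under a false ID keeps its hash
    and only the part before the colon is swapped for the real ID."""
    _, _, hashed = line.partition(":")
    return f"{real_user}:{hashed}"


def check_password(line: str, password: str) -> bool:
    """Verify a candidate password against a {SHA} line using a
    constant-time comparison (other hash formats are out of scope here)."""
    _, _, hashed = line.partition(":")
    if not hashed.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled by this example")
    return hmac.compare_digest(hashed, sha_hash(password))


def add_user(existing: str, user: str, password: str) -> str:
    """Return the file contents with `user` added or replaced; every other
    entry is carried over unchanged, so nothing already there is lost."""
    kept = [ln for ln in existing.splitlines()
            if ln.strip() and ln.partition(":")[0] != user]
    kept.append(htpasswd_line(user, password))
    return "\n".join(kept) + "\n"


def inside(path: str, root: str) -> bool:
    """True if `path` lies within `root` (pure path comparison, no I/O)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def htaccess(passwd_path: str, realm: str, users=None, doc_root=None) -> str:
    """Build the .htaccess text. With `users` given, one 'require user'
    line per ID replaces 'require valid-user'. If `doc_root` is given,
    a password file inside the public tree is refused."""
    if not posixpath.isabs(passwd_path):
        raise ValueError("AuthUserFile needs an absolute server path")
    if doc_root is not None and inside(passwd_path, doc_root):
        raise ValueError(f"{passwd_path} is web-accessible under {doc_root}")
    # Apache needs the quotes when the realm name contains spaces.
    quoted_realm = '"' + realm.replace('"', '\\"') + '"'
    lines = [
        f"AuthUserFile {passwd_path}",
        "AuthGroupFile /dev/null",
        f"AuthName {quoted_realm}",
        "AuthType Basic",
    ]
    if users:
        lines.extend(f"require user {u}" for u in users)
    else:
        lines.append("require valid-user")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Generate under the false ID "anyone", then swap in the real ID.
    passwd = add_user("", "anyone", "correct horse battery")
    passwd = rename_user(passwd.strip(), "philwainewright") + "\n"
    print(passwd, end="")
    print(htaccess(PASSWD_PATH, "Members Only", ["philwainewright"], DOC_ROOT), end="")
```

Write the printed .htpasswd text to the private directory and the .htaccess text into the protected directory, renaming from the temporary Windows-friendly names as the post describes. The `inside` check is the programmatic form of the post's advice about keeping the password file outside htdocs: if the path you pass would be served by the web server, the script refuses rather than silently producing a configuration that exposes the hashes.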

That now completes your do-it-yourself password protection. Test it out by uploading a file to the directory and then trying to access it using your browser. When you go to the URL, your browser will display a login dialog, asking for your user ID and password. Once you've entered that information, you will be logged into the site for the rest of that browser session (ie until you exit all your browser windows, so always make a point of properly closing your browser if someone else will be using the same machine after you).

This method gives a reasonable level of security provided you're careful about keeping your passwords secret and also avoid using easy-to-guess ones (it's best to use passwords that mix letters and numbers and which use both lower and upper case). But it's not secure against a determined hacker, mainly because Basic authentication sends your ID and password from your browser to the server merely base64-encoded, not encrypted, so anyone able to watch the traffic can read them.

If you have especially sensitive information to protect (for example, anything relating to financial transactions), then you need to be using SSL. Most shared server hosting providers offer that as an option, and many of them offer the capability to share the use of their digital certificate. But if you're really serious about security, you need to purchase your own digital certificate, and then register it to your site when you upgrade to SSL hosting. Once that's in place, then you can add that higher level of security to the protection described above, simply by using the secure https:// prefix for your URLs instead of the standard http:// prefix.

On the other hand, if you're going to be as serious as that, you probably ought to think about using something more sophisticated than .htaccess as your access control, for instance using some of the capabilities of PHP. That's going beyond the scope of this posting, but additional sources can be found using Google, or your hosting provider may have recommendations.

As I mentioned at the outset, the other alternative is to use a prepackaged hosted solution from Xara Online (I should disclose here that Loosely Coupled is not only a user but also has an affiliate relationship with Xara). Xara has just launched a Membership Manager application that provides a secure content area where you can upload web pages and other files. It also allows members to update their own user IDs and passwords, and includes an email newsletter capability, and an event booking option as well. One thing you can't use it for is to share a private weblog, since you can't FTP files to the Xara servers, but if your main requirement is to share uploaded files and documents among a group or groups of users, then it comes into its own.

At $79.95 per month it's a significant step up from the cost of doing it yourself, but since it is so much easier to set up and manage, it's well worth looking at if you're considering managing larger groups (it handles up to 3000 members and you can upgrade to accept more if required). If that cost is outside your budget, take a look instead at the create-your-own option at $24.95, which provides all the same capabilities as the prepackaged Membership Manager, but which requires you to learn how to create and connect the building-block modules to create your own version.

The price difference between the two gives you an indication of exactly how much do-it-yourself effort you'll need to put in to recreate the prepackaged application. But if all you want to do is share a few files between a small number of users, the lower-cost option is worth investigating. You can easily upgrade at any time to the prepackaged application, which also includes the ability to add your own do-it-yourself functionality. Some of my previous postings have shown how I've used Xara Modules to add features to Loosely Coupled, and they give a flavor of the flexibility and ease-of-use of the modular system.

posted by Phil 12:49 PM (GMT)

Copyright © 2002-2006, Procullux Media Ltd. All Rights Reserved.