So You Want A Password Protected Page, Huh?
First things first...
- If you have Active Server Pages Ability, then see here for a great ASP Password system.
- After you read what is below, if you'd like to take a shot at it yourself, Christoph Huetten has been nice enough to send the entire set of instructions for setting up the password directory yourself. Click here to jump right to it.
- Those of you with Lotus Notes, click here for another way to do password protected pages.
- There are also JavaScript versions that protect one page at a time. See the Script Tips for the scripts.
Ever since I put up that I was working on this tutorial, I have been bombarded with requests to Hurry the #%@$ up! Well, here it is and you may not be happy with the answers I give you.
The answer is -- you can't do this with HTML commands alone. Password protection is done at the server level. You see, I was not waiting all this time in order to write a large tutorial, but rather for my webmaster to arrange a protected directory in my account.
Here's What Happens
First, tell your webmaster, server person, or the guy who takes your checks each month that you want to do password protected pages. He will immediately ask what you have that is so darn important that you require these pages. You say, "none of your business" and ask again.
After a short time, a protected directory will be created for you. Not a page by page protection, but a directory. Basically the tech will set aside a whole section of the server hard drive as protected. Every page that you put into that directory will require a log-in and a password.
Some new files will be added to that directory. These are the three most common files:
- .htpassword This is a password file (duh). It will contain one password for each login you denote to the server. It should be created initially with a password for you. Usually it's "owner." If you start playing around with this file, never delete the initial password or you can't get in again to make changes.
- .htgroup This contains the logins you denote. How you change or add logins or passwords will depend on how the tech sets up your server. I have to telnet into the server directly, enter some cryptic UNIX commands and answer a couple of questions to prove I am who I am. Then I can enter logins and passwords to my heart's content.
- .auth This is a possible third file. Some servers allow you to enter passwords and logins right to an html document. This would be that document. It's very easy this way. A nice form page comes up and you just enter it all straight away. I didn't get this. You may not either.
When you enter a login and password, it works for everything you placed in that protected directory. What that means is that the server won't continue to ask again and again for passwords when a new page is entered.
Do All Servers Work This Way?
My server tech informs me that any system can be configured a hundred ways, but no matter what the files are named, what I have described above will be what happens. At least two files, one for passwords and one for logins, will be added to your accounts and you will configure them to allow only certain people in.
Well, that's about it. You need to call your webmaster and ask for the protected directory to get things started. And I'll ask before he or she does...What exactly do you have that is so important that must be protected? I know. None of my business...
Christoph Huetten for this info.
Use it at your own risk. I take no responsibility for any of this. Here's Chris' letter and instructions:
Today I wanted to create password protected pages for the very first time. So I did what I always do when I want to do something new with my web pages (being an absolute amateur) - I checked your pages for a nice tutorial on it. First I was happy to find one but then I was a bit disappointed because I had to read that I cannot do it on my own. I just could not believe it. So I checked a few more pages, worked a bit on it and finally got through and made it. Here is how I made it (do please excuse my English - it is just not my mother tongue). I only did it for pages with only one username and password but to extend it to more should not be the problem. So here is the way to password protect your pages without the assistance of the administrator. You do not even have to work in this strange UNIX-Environment.
The only thing you need is:
- a text editor
- an ftp-program to move the created files to your WWW-Server and to do some other stuff (I used CuteFTP - a very nice shareware program that is even understandable for an amateur like me. Therefore the following description will assume the use of this program. Get it here.)
- a browser because we have to link to a certain page for some help
- a pen and a piece of paper.
Furthermore you have to have the permission to create directories and change the properties of self-created files and directories on your Web-Server. If you have all that it is quite easy:
Think of a nice username and password that later on have to be typed in from everyone who wants to see your protected pages. Take the pen and the piece of paper and write these down. And don't forget: Wherever you use capital letters those who want to access your pages will have to use capital letters as well!!!
Use your ftp-Program to access your Web-Server. There you create a directory where you want to place the password protected files using the 'make new dir' command from the Commands menu (you can name it whatever you want). Then you create a second directory where you will later place the file with the password information (again use the 'make new dir' command). Now take the pen and the paper and write down the complete and exact path of the directory you created for the password information file (the ftp-program should display this if you open the directory).
Open your text editor and write the following lines:
require user zzz
After you have done this you replace the xxx with the path you have written down on your piece of paper. Furthermore you replace the yyy with one or more nice words. These words are only there to make the procedure of accessing your protected pages a little bit nicer. Because if someone wants to access these pages he will first see a nice box that asks him for the username and password. The first sentence in the box will be: Enter username for yyy. Then you replace the zzz with the username you have written down on your piece of paper. Finally you save this file somewhere on your computer under the name htaccess.txt
Open your browser and go to the page http://www.euronet.nl/~arnow/htpasswd/ There you fill in the form with the data from your piece of paper and push the calculate button. A new page will appear on which you will find a line in large letters that starts off with the username you have written on your piece of paper and some strange letters afterwards. Take again your pen and write the whole (!!!) line down.
Open your editor again and type the line you have just written down on your piece of paper. Push Return to create an empty line below. Now save this file under the name htpasswd.txt.
Now open your ftp-program again and access your WWW-Server. First go to the directory where you want to place your protected pages and copy the file htaccess.txt from your computer to this directory. The name of the file should appear on the Remote side of the ftp-program. Mark this file and execute the 'Rename' command from the Commands menu to rename the file to .htaccess (don't forget the dot!!!) Now execute the 'change file attributes'-command from the Commands menu. A box appears where you type in 644 where it says 'manual'. Now you change to the directory where you want to place the password information. To there you copy the file htpasswd.txt. You then rename it to .htpasswd (again don't forget the dot!!!). Then you do what you already did to the htaccess file, i.e. you mark the file, execute the 'change file attributes'-command from the Commands menu and type in 644 where it says 'manual'. Now we are nearly done. The last thing you have to do is to close the directory where you are in, mark it and once again execute the 'change file attributes'-command from the Commands menu. But now you type in 711 where it says manual.
That should be it. Whatever pages you place in the directory you created for protected pages can only be watched in the browser if the username and password are typed in.
I hope it works as well for you as it did for me.
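The same procedure can be carried out from a shell account on the web server, with the password hashed locally by Apache's htpasswd tool rather than typed into a web form. This is an added example, not part of Chris' letter; the directory names, realm and user name are placeholders, and AuthUserFile, AuthName and Require user are the Apache directives that take the letter's xxx, yyy and zzz.

```shell
#!/bin/sh
# Added example: the letter's FTP steps as shell functions run on the server.
# All paths, the realm text and the user name are placeholders.

# write_htaccess PROTECTED_DIR PASSWORD_DIR REALM USER
# Creates both directories and the .htaccess that points at
# PASSWORD_DIR/.htpasswd, then applies the 644 / 711 modes from the letter.
write_htaccess() {
    protected=$1
    pwdir=$2
    realm=$3
    user=$4
    mkdir -p "$protected" "$pwdir"
    # AuthUserFile wants the complete path (the "xxx" written on the paper).
    pwdir_abs=$(cd "$pwdir" && pwd)
    cat > "$protected/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile "$pwdir_abs/.htpasswd"
Require user $user
EOF
    chmod 644 "$protected/.htaccess"
    chmod 711 "$pwdir"
}

# add_user PASSWORD_DIR USER
# Reads the password from stdin (-i) so it is not visible in the process
# list, and stores a salted bcrypt hash (-B, Apache 2.4 and later).
add_user() {
    pwfile=$1/.htpasswd
    user=$2
    [ -f "$pwfile" ] || : > "$pwfile"
    htpasswd -iB "$pwfile" "$user"
    chmod 644 "$pwfile"
}

# Typical use (placeholder paths):
#   write_htaccess "$HOME/public_html/private" "$HOME/pwinfo" "Members area" alice
#   add_user "$HOME/pwinfo" alice      # then type the password and press Enter
```

A 644 .htpasswd is readable by every local account, and it stays out of reach of browsers only because Apache's stock configuration refuses to serve files whose names begin with .ht; confirm that rule is present on your server.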
A Different Way
This is new to the page, if you have the correct software, please give this method a try and let me know what happens - Joe
Much thanks to David Sierra, Webmaster--Papa Johns International, Inc. Here is a copy of his email to me along with instructions...
I enjoyed reading your tutorials - they were very informative! I was reading your article [password pages] and wanted to give you some additional info.
There is a way of having Password Protected pages without going through your webmaster. But, this would only apply to Internet users that use Lotus Notes. Lotus provides a product called "Domino Web Server" that allows you to take any Lotus Notes database and publish it over the Internet. The originator of the database, not the webmaster, using assigned access levels gives the pages/database, password protection. What that means is, that you the originator of documents (HTML-coded, etc.), stored in a database, can give an anonymous web user "No Access" to that page(s)/database.
You give the users of your pages/database access by assigning the access level through the database, not the server. You assign the "Login (UserID)" and "Password" to an individual user or group and assign them access above "No Access" level.
In summary, the database originator can assign his own "Password Protection" without having to go to his webmaster, service tech, etc.
I hope this helps. Thanks again for the "goodies"!