Everyone knows about the .htaccess / .htpasswd password protection for files or directories. I've looked on the internet without success for a way to edit the 'Design' of that coding. Right now, when you use that, you'll get prompted with the basic browser window to enter a username and password. Is there a way that the username / password login form can be integrated into a webpage with a design, OR any way to design that prompt?
Unsure if I'm understandable at all... let me know if you require more clarification.
Thank you.
See comments below initial question.
Answer: No, it is not possible if we keep the basic .htaccess auth. It might be possible using HTTP requests, but it won't be as secure.
Related
I'm working on providing a simple username/password gate for a client's website. I'm using a simple combo of htaccess and htpasswd files to accomplish this.
For right now, I'm only using dummy names and passwords, so, I feel comfortable posting those here.
Login 1: sean
PW 1: CreAgent
Login 2: sally
PW 2: pass
PWs were encrypted using this site (www.htaccesstools.com/htpasswd-generator/).
As you can see, it all works fine at this location.
Here is the code in the .htaccess file at that location:
AuthName "Employees Only"
AuthType Basic
AuthUserFile /home/content/n/i/n/nintemple1/html/login/.htpasswd
require valid-user
And here is the htpasswd file...
sean:[encrypted password - not sure if I should post this!]
sally:[encrypted password - not sure if I should post this!]
Now, that webspace above is my own. So, then I tried to set things up on the client's space. As you can see from that link, it just keeps treating the login as incorrect (offering new attempts) until you hit cancel and then it returns a 401 error. Everything is identical except that I changed the path to the new htpasswd file. So, the new htaccess file is like so...
AuthName "AIM Employees Only"
AuthType Basic
AuthUserFile /home/aimcilco/public_html/JAL/.htpasswd
require valid-user
I know it's possible that the client's space might be configured differently. But, the space where their files are hosted does not have a phone # to contact with questions and I posted on their forum weeks ago with no reply. So, I can't just ask the people who run the server. I do see other htaccess files in their space though, so, I imagine things are at least somewhat configured to handle htaccess.
I will admit that I am out of my depth here. I felt confident setting this up (since I got it working on my own space), but I don't know enough about how these things work to properly troubleshoot this issue. =\
Thanks in advance and let me know if there is any more info you need from me to best solve this problem!
I used an htaccess login / password to secure my site. When I want to enter the directory of my site I type the login / password and it works perfectly. The problem is that when I enter with a sub-domain, it asks me to enter LOG/PASS again.
I need to fix this issue. Any idea?
Thanks in advance.
That's because a different subdomain would be considered a different website, so you need to authenticate again.
I use a free shared PHP web server for my site. My site's URL ending was p.ht and, for some issues, it changed to w.pw.
In order to make my site work properly again, using Notepad++ I used the "Find in Files" subwindow, which is in the Ctrl+F popup window. I replaced each occurrence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
However, after this change, after a while I needed to log on to my custom admin page (approve comments, articles etc.).
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
Just before the URLs changed, everything was working on my site properly, and I was able to log in to my admin account from my firm computer. But now, despite the same password and username, I can't log on. I changed the password and uploaded a new file, but again I couldn't log on.
What can be the problem?
My firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
Best regards
I created/edited a .htaccess file and I got my site password protected fine. Question though: Is there such thing as a URL key? Maybe I'm wording that incorrectly, but I would like to keep my site hidden, but be able to send out a specific URL that can view the site. What's the best way to accomplish this?
Thanks in advance.
If doing as Greg suggests and putting it in a folder isn't good enough for you, you could set the .htaccess to rewrite all URLs to a PHP file (or whatever language you are using) that checks some sort of database (or XML file or whatever format you want) for a key or parameter in the URL, and if it's not there it can return a 404 in the header. That way, unless they guess the URL exactly, it will return a 404 like there's nothing there.
And be sure to turn virtual directory listings off too.
Simply put your site in a directory that's using a "secret" name:
http://example.com/opensesame/
If you don't link to that, then it will be "hidden" unless you give out the URL.
Naturally, this doesn't protect against other people publishing your "secret" URL and linking to your site anyway.
I have a site that is password-protected using a .htaccess and .htpasswd file. I'd like for users to bypass the login prompt ONLY if they come from a certain domain. Can this be done by embedding the .htaccess credentials as parameters in the link somehow?
I do manage the domain I'd like to whitelist, so how can I pass GET parameters in the link that the .htaccess file will process?
You should rethink this as it is trivial to spoof the referring domain (or any information from the client).
Your users can easily select to save their username / password if they wish to.
That would be highly insecure, the http referrer can be easily manipulated and your login bypassed.
If you own the other sites you can add some HTTP header or GET var. If you don't, start thinking of another solution for what you want to do.
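Two answers above suggest a key carried in the URL: a front controller that returns a 404 unless the key is present, and a GET variable added by a site you control instead of trusting the referrer. The sketch below is an added example, not code from any of the posts, and goes one step further by signing the path with an HMAC and an expiry time; the function names, the `exp` and `key` parameter names and the secret are assumptions, and it is written in Python rather than the PHP one answer mentions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample secret; in practice load it from outside the web root.
SECRET = b"constructed-example-secret"


def _sign(path: str, expires: int, secret: bytes) -> str:
    # Bind the key to both the path and the expiry so neither can be altered.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_link(base: str, path: str, expires: int, secret: bytes = SECRET) -> str:
    """Build the URL to hand out: path plus expiry and HMAC key as GET parameters."""
    query = urlencode({"exp": expires, "key": _sign(path, expires, secret)})
    return f"{base}{path}?{query}"


def check_request(url: str, now: int, secret: bytes = SECRET) -> int:
    """Return the HTTP status the front controller should send: 200 or 404."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        key = params["key"][0]
    except (KeyError, ValueError):
        return 404  # no usable key: respond as if nothing is there
    expected = _sign(parts.path, expires, secret)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(key.encode(), expected.encode()):
        return 404
    if now > expires:
        return 404  # the link has expired
    return 200


if __name__ == "__main__":
    # Constructed sample values: a link valid until a fixed Unix timestamp.
    link = make_link("http://example.com", "/opensesame/", expires=1_700_000_600)
    print(link, check_request(link, now=1_700_000_000))
```

Because the key is derived from the path and the expiry, a link that gets published elsewhere stops working once it expires, and changing either value in the URL yields the same 404 as having no key.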