Thread: Need Security Help Immediate

Aight folks I got a problem, and I am sure you will all know the correct way to get around it. I am loading a .htaccess and .htpasswd file to my site and this is how my .htaccess file looks:

AuthUserFile http://www.mydomainname.com/pwserver/.htpasswd
AuthGroupFile /dev/null
AuthName access
AuthType Basic

<Limit GET>
require user user name
</Limit>

Then, my password is encrypted using this site: Password Encryption

http://www.euronet.nl/~arnow/htpasswd/

So I am loading my password file in to the pwserver folder. However when I put a page in the folder with my .htaccess file and then try to surf to it I get the page with the prompt but no matter how many times I try with the username and password it won't let me access the page. What am I doing wrong.

.htpasswd

username:encryption key


Please Help Thanks

Your on the right track. Do this to your .htaccess

Code:

ErrorDocument 401 /rejectionpage.html
AuthUserFile /whatever/.htpasswd  //the name of this file is not important
AuthGroupFile /dev/null
AuthName "Access"
AuthType Basic
require valid-user

Now the important thing is to make sure that the .htpasswd file in not located on the web-server, where someone can download it.

The .htpasswd file should look something like this:

Code:

user1:encryptedpass
user2:encryptedpass
user3:encryptedpass

If you have access to the apache web server, you can create the encrytions using its utility.

usage:
htpasswd [-cmdps] passwordfile username

the only required switch is -c , to create the file.

example:

htpasswd -c /whatever/.htpasswd user1 pass1

that will create the file.


Hope this helps

Thanks for the help. I got it figured out.