osCommerce

.htacces and . htpasswd


bogdanucom

Hi,

I want to secure my admin page. My server (host) doesn't use an SSL connection. I tried to create 2 files:

.htacces and .htpasswd from a tutorial. Here is the syntax:

.htacces:

AuthName "Autherized Users Only"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files members.php>
require valid-user
</Files>

and .htpasswd

bogdan:bogdan
Andromeda16:71WOEOd6KuKbY
Jon:40Lowqe8.3Qmg
Chops:90SWUx9NepA0A
Payne:13HbL.AqKBsJo

How can I make it work in my shop admin, because there is a file members.php which I don't have in my admin folder?

Any ideas for securing my admin?

Thanks.


Hi,

I want to secure my admin page. My server (host) doesn't use an SSL connection. I tried to create 2 files:

.htacces and .htpasswd from a tutorial. Here is the syntax:

.htacces:

AuthName "Autherized Users Only"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files members.php>
require valid-user
</Files>

and .htpasswd

bogdan:bogdan
Andromeda16:71WOEOd6KuKbY
Jon:40Lowqe8.3Qmg
Chops:90SWUx9NepA0A
Payne:13HbL.AqKBsJo

How can I make it work in my shop admin, because there is a file members.php which I don't have in my admin folder?

Any ideas for securing my admin?

Thanks.

Make sure you change the AuthUserFile to the exact location of the admin folder, then FTP both files there.


hi

I had the same problem, which meant that anyone could go to my site and then put admin after the URL and mess everything up.

I simply logged into my server and changed the admin folder to admin_******.

The ***** represent something added to the admin folder name.

This way no one can actually log into your admin folder from the address bar and mess around with your site.

Long winded I know cos you gotta change it back to admin each time you want to change something but it does work.


Yes the files are there and I change some. But everybody can open my admin page...:(

Any topics? Any idea?

:(

The file is not in the correct location or it doesn't contain the correct information since anyone can still reach your admin. If you just place the .htaccess file in admin, then no one can enter. Since that is not happening, from what you said, the file can't be there or there is a problem with it.

hi

I had the same problem, which meant that anyone could go to my site and then put admin after the URL and mess everything up.

I simply logged into my server and changed the admin folder to admin_******.

The ***** represent something added to the admin folder name.

This way no one can actually log into your admin folder from the address bar and mess around with your site.

Long winded I know cos you gotta change it back to admin each time you want to change something but it does work.

This is a bad way to do it. If someone figures out your admin name, which is possible, then you have no protection at all. But there is nothing wrong with changing the name like that. If you are having to change the name back to make changes, then you don't have something set up correctly. Many people run with admin renamed.

Jack


.htacces:

AuthName "Autherized Users Only"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files members.php>
require valid-user
</Files>

Here is what a format from a known working site looks like:

# Restrict access to Admin Area
order allow,deny
allow from all
require valid-user
Authname "Restricted"
Authtype Basic
AuthUserFile /full/path/to/your/.htpasswd

I am not sure where that members.php in yours is coming from, it looks kind of out of place in that code. Makes me think the code was copy/pasted from something else and that got caught up in it.

Also, note that the .htpasswd file needs to be outside of the web visible folders. For example, if the path to your web root looked something like this:

/var/www/hosting/your_domain.com/web/

then your .htpasswd file should be:

/var/www/hosting/your_domain.com/.htpasswd

and .htpasswd

bogdan:bogdan
Andromeda16:71WOEOd6KuKbY
Jon:40Lowqe8.3Qmg
Chops:90SWUx9NepA0A
Payne:13HbL.AqKBsJo

:o Be double sure you change your passwords, since you just published them here.

My server (host) doesn't use an SSL connection

You are starting an e-commerce site, you really need SSL. You either need to get your own cert (best) or switch to a host that does offer shared SSL. To gain a better understanding of SSL and why you need it, read this thread:

The SSL In OsCommerce Guide For The Innocent, SSL basics and how to apply to osC

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.
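
The two points the replies above turn on (whether `require valid-user` covers the whole directory, and whether AuthUserFile points to a real location outside the web root) can be checked mechanically. This is an added example, not part of the original thread; the function name, the directory listing and the reuse of the thread's sample path as the web root are assumptions for illustration.

```python
import posixpath

# Constructed inputs mirroring the thread: posted layout, working layout, web root.
DOCROOT = "/var/www/hosting/your_domain.com/web"
POSTED = '''AuthName "Autherized Users Only"
AuthType Basic
AuthUserFile /.htpasswd
Allow From All
<Files members.php>
require valid-user
</Files>'''
WORKING = '''order allow,deny
allow from all
require valid-user
Authname "Restricted"
Authtype Basic
AuthUserFile /var/www/hosting/your_domain.com/.htpasswd'''

def audit_htaccess(text, docroot, files_in_dir):
    """Return findings; files_in_dir is a hypothetical listing of the directory."""
    findings, scope, scopes, userfile = [], None, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        low = line.lower()
        if low.startswith("<files "):
            scope = line[6:].strip(' ">')    # file name the section applies to
        elif low == "</files>":
            scope = None
        elif low.startswith("require "):
            scopes.append(scope)             # None means the whole directory
        elif low.startswith("authuserfile "):
            userfile = line.split(None, 1)[1].strip('"')
    if not scopes:
        findings.append("no Require directive, nothing is protected")
    elif None not in scopes:
        findings.append("Require is limited to <Files> " + ", ".join(scopes))
        if not set(scopes) & set(files_in_dir):
            findings.append("none of those files exist in this directory")
    if userfile is None:
        return findings + ["no AuthUserFile"]
    path, root = posixpath.normpath(userfile), posixpath.normpath(docroot)
    if path == root or path.startswith(root + "/"):
        findings.append("AuthUserFile is inside the web root")
    if posixpath.dirname(path) == "/":
        findings.append("AuthUserFile points at the filesystem root")
    return findings

if __name__ == "__main__":
    for body in (POSTED, WORKING):
        print(audit_htaccess(body, DOCROOT, ["index.php", "login.php"]))
```

An empty list for the working layout means the login prompt applies to every request in the directory and the password file cannot be fetched over HTTP.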


I sent a mail to the host, and there is no SSL connection. So:

1. Can I use .htacces and ht.passwd for my admin page on a non-SSL host?

2. Any free host? :)

1. Yes. .htaccess/.htpasswd is not related to SSL. (I still suggest reading this thread - The SSL In OsCommerce Guide For The Innocent)

2. For e-commerce, I wouldn't trust a free host. First, free hosting usually inserts their own advertising. Second, free hosts usually put too many sites on a server resulting in slow sites. Third, even if you are using PayPal or some other offsite payment processor, you still have customers' other confidential information.

If you are seriously interested in setting up an e-commerce site, not just doing this as a learning exercise, I recommend reading the following threads:

How to Make an Awesome osCommerce Site

Web Threats Keep Users Away

If you are just doing this as a learning exercise, then I would suggest installing EasyPHP on your PC and just setting the site up on your local computer (not for public access). That way it is free and you don't have to worry about or deal with SSL or even securing the admin.


Archived

This topic is now archived and is closed to further replies.
