
osCommerce

The e-commerce.

.htaccess Problem or Bug?


dailce


Posted

Hello,

 

My entire .htaccess file looks like this:

 

AuthType Basic
AuthName "Please Login"
AuthUserFile /home/html/admin/.htpasswd
<Limit GET POST>
require user joeblow
</Limit>
<files ".htaccess">
order allow,deny
deny from all
</files>

 

IF I type http://www.mywebsite.com/admin/ or https://www.mywebsite.com/admin/ THEN I can't get in and it works fine, and I get the error:

 

=========================================

 

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

 

 

--------------------------------------------------------------------------------

 

Apache/1.3.33 Server at www.kicktrading.ca Port 443

=========================================

 

 

HOWEVER

 

IF I type something like http://www.mywebsite.com/admin/index.php or https://www.mywebsite.com/admin/customers.php, THEN it does not work properly. The login box will pop up and if I press cancel I can still access the php page; the only things not working in the php pages are the images, but you can still modify or change settings and view information.

 

Is this a bug or do I need to add something to the .htaccess file?

Posted
AuthType Basic
AuthName "Please Login"
AuthUserFile /home/html/admin/.htpasswd
<Limit GET POST>
require user joeblow
</Limit>
<files ".htaccess">
order allow,deny
deny from all
</files>

 

Try something a little more simplified

 

AuthType Basic
AuthName "Please Login"
AuthUserFile /home/html/admin/.htpasswd
Require user joeblow

 

 

btw is /home/html/admin/ really your full path?

or is it something like

/home/dailce/admin/.htpasswd ?

 

BTW: for added security, place the password file one directory higher than your public web dir

 

Example

 

My web doc root would be

 

/home/henry/public_html

 

this is where my catalog index.php would be

 

/home/henry/public_html/admin

 

this is where my admin files would be including my .htaccess file

In this .htaccess file my password file would be set to

AuthUserFile /home/henry/passwords

 

NO one in the world can see anything higher than my public_html folder (in your case the html folder), so they'd never be able to access it - unless they hack into the actual server (in which case they don't need the password file anyway)

 

So in your .htaccess file in your admin folder would be something like this

 

AuthType Basic
AuthName "Please Login"
AuthUserFile /home/htpasswd
Require user joeblow

 

and then in your /home/ directory you would have your htpasswd file.

 

Also note that you do not need a . in front of the password file. Some people do that in order to hide the file and others do it to relate it to the .htaccess file, but if it is in a non-webspace directory (like /home/ ) the . serves no purpose.

My Contributions

 

Henry Smith

Posted

I would say that your AuthUserFile path is not correct. The path gotten from a script like path.php does not give the correct path for .htaccess and .htpasswd use, it does not go deep enough.

 

For example, using path.php I get /home/httpd/vhosts/mydomain.com/httpdocs

 

but the path needed in .htaccess is

/usr/local/psa/home/vhosts/mydomain.com/httpdocs/

 

Check this first, then see if it is securing correctly.
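
Added example, not part of any post in this thread: a small Python check for the three things the replies ask about, namely whether Require sits inside a <Limit> block, whether the AuthUserFile is inside the web root, and whether the AuthUserFile path exists on the host. The function name audit_htaccess, the finding codes and the /home/html web root are assumptions made for illustration, and only absolute AuthUserFile paths are handled.

```python
import os
import posixpath
import re

# Constructed samples: the first post's file and the reply's suggested file.
ORIGINAL = """AuthType Basic
AuthName "Please Login"
AuthUserFile /home/html/admin/.htpasswd
<Limit GET POST>
require user joeblow
</Limit>
"""
SUGGESTED = """AuthType Basic
AuthName "Please Login"
AuthUserFile /home/htpasswd
Require user joeblow
"""

def audit_htaccess(text, docroot, exists=os.path.exists):
    """Return finding codes for the Basic-auth directives in an .htaccess."""
    findings, in_limit, auth_file, require_seen = [], False, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"<Limit\s", line, re.I):
            in_limit = True
        elif re.match(r"</Limit>", line, re.I):
            in_limit = False
        elif re.match(r"require\s", line, re.I):
            require_seen = True
            if in_limit:
                # Apache applies directives inside <Limit> only to the listed
                # methods, so the Require does not cover other methods.
                findings.append("require-inside-limit")
        elif re.match(r"authuserfile\s", line, re.I):
            auth_file = line.split(None, 1)[1].strip('"')
    if not require_seen:
        findings.append("no-require")
    if auth_file is None:
        findings.append("no-authuserfile")
        return findings
    root = posixpath.normpath(docroot)
    path = posixpath.normpath(auth_file)
    if posixpath.isabs(path) and posixpath.commonpath([root, path]) == root:
        # Password file lives under the web root, which the reply advises against.
        findings.append("authuserfile-inside-docroot")
    if not exists(auth_file):
        # The path as written does not exist on this host (third post's point).
        findings.append("authuserfile-not-found")
    return findings
```

Run it on the server itself so the default exists check sees the real filesystem; an empty list means none of the three conditions was found.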

Archived

This topic is now archived and is closed to further replies.
